Edit tour

Windows Analysis Report
54Oa5PcvK1.exe

Overview

General Information

Sample name:	54Oa5PcvK1.exe renamed because original name is a hash value
Original sample name:	150bd33eb83e01bd26e6ea50fb7e1058e57855f8c50753f8a3b7401d712b8351.exe
Analysis ID:	1577418
MD5:	7779f97c3a704491e0b217ef536d225a
SHA1:	9f5943b644c8e694b3cb6296a450de5be369dcb9
SHA256:	150bd33eb83e01bd26e6ea50fb7e1058e57855f8c50753f8a3b7401d712b8351
Tags:	107-148-62-100exeuser-JAMESWT_MHT
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Found pyInstaller with non standard icon

Tries to harvest and steal browser information (history, passwords, etc)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

System is w10x64

54Oa5PcvK1.exe (PID: 6756 cmdline: "C:\Users\user\Desktop\54Oa5PcvK1.exe" MD5: 7779F97C3A704491E0B217EF536D225A)

conhost.exe (PID: 6724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

54Oa5PcvK1.exe (PID: 5216 cmdline: "C:\Users\user\Desktop\54Oa5PcvK1.exe" MD5: 7779F97C3A704491E0B217EF536D225A)

cmd.exe (PID: 5236 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 54Oa5PcvK1.exe

ReversingLabs: Detection: 28%

Source: 54Oa5PcvK1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: k1k2k3X9_62_PENTANOMIALp.otherp.onBasisp.tpBasisp.ppBasismX9_62_CHARACTERISTIC_TWOp.primep.char_twofieldTypeX9_62_FIELDIDX9_62_CURVEfieldIDcurvebaseECPARAMETERSvalue.named_curvevalue.parametersvalue.implicitlyCAECPKPARAMETERSprivateKeyparameterspublicKeyEC_PRIVATEKEYec_asn1_group2fieldidcrypto\ec\ec_asn1.cec_asn1_group2curveEC_GROUP_get_ecparametersEC_GROUP_get_ecpkparametersEC_GROUP_new_from_ecparametersEC_GROUP_new_from_ecpkparametersi2d_ECPKParametersd2i_ECPrivateKeyi2d_ECPrivateKeyi2d_ECParametersd2i_ECParameterso2i_ECPublicKeyi2o_ECPublicKeycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.3.2built on: Tue Sep 3 19:22:24 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 54Oa5PcvK1.exe, 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: 54Oa5PcvK1.exe, 00000002.00000002.1916121808.00007FFDFB111000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: cryptography_rust.pdbc source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescrypto\buffer\buffer.cBUF_MEM_growBUF_MEM_grow_cleancompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap` source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: 54Oa5PcvK1.exe, 00000002.00000002.1916121808.00007FFDFB079000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: 54Oa5PcvK1.exe, 00000002.00000002.1913568145.00007FFDFA3DC000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: 54Oa5PcvK1.exe, 00000002.00000002.1916121808.00007FFDFB111000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: cryptography_rust.pdb source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: 54Oa5PcvK1.exe, 00000002.00000002.1897937515.0000014E9A370000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF7887769E0 FindFirstFileExW,FindClose,	0_2_00007FF7887769E0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788786878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF788786878
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788786878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF788786878
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788790A34 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF788790A34
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788786878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	2_2_00007FF788786878
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF7887769E0 FindFirstFileExW,FindClose,	2_2_00007FF7887769E0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788790A34 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF788790A34

Source: unknown

DNS traffic detected: query: ssh.0523qyfw.com replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: ssh.0523qyfw.com

Source: 54Oa5PcvK1.exe, 00000002.00000002.1908369809.0000014E9DDE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: 54Oa5PcvK1.exe, 00000002.00000002.1907799326.0000014E9D9E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/vcpython27
Source: 54Oa5PcvK1.exe, 00000002.00000003.1852623806.0000014E9C7B9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1873917067.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1880949550.0000014E9D2E6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853692270.0000014E9D18A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866219661.0000014E9D6DD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888734287.0000014E9D2E9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1907273070.0000014E9D6DF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863644545.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889443843.0000014E9D6DD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875972947.0000014E9D2FA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1876161672.0000014E9D1AD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863115442.0000014E9D5A4000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889741215.0000014E9D2F2000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1886446854.0000014E9D6DD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906653844.0000014E9D5CE000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1885346946.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863017558.0000014E9D6D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: 54Oa5PcvK1.exe, 00000002.00000002.1909500839.0000014E9DF50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bugs.python.org/issue23606)
Source: 54Oa5PcvK1.exe, 00000002.00000002.1910595406.0000014E9E038000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cffi.readthedocs.io/en/latest/cdef.html#ffi-cdef-limitations
Source: 54Oa5PcvK1.exe, 00000002.00000003.1852623806.0000014E9C7B9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1854227501.0000014E9D14A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860841559.0000014E9C4F0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864590621.0000014E9C810000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866654711.0000014E9D14C000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853781333.0000014E9D144000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1811292233.0000014E9C509000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861187734.0000014E9C4F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853847851.0000014E9C4EE000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862082830.0000014E9C50D000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866886822.0000014E9C516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: 54Oa5PcvK1.exe, 00000002.00000003.1870571831.0000014E9C5F8000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816611807.0000014E9C5EC000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862706433.0000014E9C5EE000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1813483068.0000014E9C5CF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1873186372.0000014E9C5FA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1811920179.0000014E9C5C0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1810919273.0000014E9C65A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: 54Oa5PcvK1.exe, 00000002.00000002.1905274470.0000014E9D300000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888734287.0000014E9D2FD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875972947.0000014E9D2FA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889741215.0000014E9D300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: 54Oa5PcvK1.exe, 00000002.00000003.1875170154.0000014E9D21E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858675566.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1893478553.0000014E9A7F5000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861902157.0000014E9A7E0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1899525494.0000014E9A7F5000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860901451.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863462473.0000014E9A7F0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866956762.0000014E9A7F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 54Oa5PcvK1.exe, 00000002.00000003.1880949550.0000014E9D2E6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862831881.0000014E9D527000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888734287.0000014E9D2E9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864820472.0000014E9D538000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1887224183.0000014E9D2E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: 54Oa5PcvK1.exe, 00000002.00000003.1862831881.0000014E9D527000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864820472.0000014E9D538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlH$
Source: 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crlB
Source: 54Oa5PcvK1.exe, 00000002.00000002.1905274470.0000014E9D300000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888734287.0000014E9D2FD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875972947.0000014E9D2FA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889741215.0000014E9D300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crld
Source: 54Oa5PcvK1.exe, 00000002.00000003.1890109806.0000014E9D50A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863298445.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1895072068.0000014E9D526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: 54Oa5PcvK1.exe, 00000002.00000003.1876009699.0000014E9D364000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860216079.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1891028384.0000014E9D365000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871310960.0000014E9D363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: 54Oa5PcvK1.exe, 00000002.00000003.1890109806.0000014E9D50A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863298445.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1895072068.0000014E9D526000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crlK?(O
Source: 54Oa5PcvK1.exe, 00000002.00000003.1862831881.0000014E9D527000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: 54Oa5PcvK1.exe, 00000002.00000003.1876009699.0000014E9D364000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860216079.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1891028384.0000014E9D365000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871310960.0000014E9D363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: 54Oa5PcvK1.exe, 00000002.00000003.1862831881.0000014E9D527000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl#
Source: 54Oa5PcvK1.exe, 00000002.00000003.1875170154.0000014E9D21E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: 54Oa5PcvK1.exe, 00000002.00000003.1862831881.0000014E9D527000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crlA
Source: 54Oa5PcvK1.exe, 00000002.00000003.1880949550.0000014E9D2E6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888734287.0000014E9D2E9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875972947.0000014E9D2FA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889741215.0000014E9D2F2000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1887224183.0000014E9D2E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: 54Oa5PcvK1.exe, 00000002.00000003.1852623806.0000014E9C7B9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1885346946.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888570375.0000014E9C854000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1878269326.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875670444.0000014E9D1D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: 54Oa5PcvK1.exe, 00000002.00000003.1863115442.0000014E9D5A4000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906653844.0000014E9D5CE000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863722379.0000014E9D5CA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863195807.0000014E9D5B7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889287299.0000014E9D7C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: 54Oa5PcvK1.exe, 00000002.00000002.1910595406.0000014E9DFE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1880949550.0000014E9D2E6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1890503693.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1890148299.0000014E9D616000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1908369809.0000014E9DDE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888734287.0000014E9D2E9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1893623590.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866747958.0000014E9D5BD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863115442.0000014E9D5A4000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889741215.0000014E9D2F2000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906617128.0000014E9D5BF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1909500839.0000014E9DF50000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1886217826.0000014E9D615000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1908219521.0000014E9DCE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1905649488.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863195807.0000014E9D5B7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1912162059.0000014E9E0E0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: 54Oa5PcvK1.exe, 00000002.00000002.1908369809.0000014E9DDE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: 54Oa5PcvK1.exe, 00000002.00000002.1908076763.0000014E9DBE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: 54Oa5PcvK1.exe, 00000002.00000002.1908076763.0000014E9DBE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: 54Oa5PcvK1.exe, 00000002.00000002.1907932601.0000014E9DAE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903341157.0000014E9C9F0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904289849.0000014E9CEE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: 54Oa5PcvK1.exe, 00000002.00000003.1872084143.0000014E9D167000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852568956.0000014E9D153000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865853165.0000014E9D167000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1893310173.0000014E9D168000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/unittest.html
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903341157.0000014E9C9F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://github.com/ActiveState/appdirs
Source: 54Oa5PcvK1.exe, 00000002.00000002.1905095096.0000014E9D293000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1886368793.0000014E9D292000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D265000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858252843.0000014E9D276000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: 54Oa5PcvK1.exe, 00000002.00000003.1880543005.0000014E9D29A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1905130914.0000014E9D29F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D265000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858252843.0000014E9D276000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: 54Oa5PcvK1.exe, 00000002.00000003.1852623806.0000014E9C7B9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863567043.0000014E9C878000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863928662.0000014E9D319000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: 54Oa5PcvK1.exe, 00000002.00000003.1889517854.0000014E9D55A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865696349.0000014E9D552000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: 54Oa5PcvK1.exe, 00000002.00000003.1889517854.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864479647.0000014E9D55F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906320899.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903341157.0000014E9C9F0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1903198908.0000014E9C8F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: 54Oa5PcvK1.exe, 00000002.00000003.1864820472.0000014E9D538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: 54Oa5PcvK1.exe, 00000002.00000003.1862831881.0000014E9D527000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864820472.0000014E9D538000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/O$
Source: 54Oa5PcvK1.exe	String found in binary or memory: http://schemas.micr
Source: 54Oa5PcvK1.exe, 00000002.00000002.1904289849.0000014E9CEE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stackoverflow.com/questions/19622133/
Source: 54Oa5PcvK1.exe, 00000002.00000003.1853515667.0000014E9D3AC000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860347372.0000014E9D401000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1890503693.0000014E9D3C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863264579.0000014E9D3AC000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D405000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: 54Oa5PcvK1.exe, 00000002.00000002.1912566111.0000014E9E220000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1872432884.0000014E9D6CB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859025617.0000014E9D6CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1878269326.0000014E9D1CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: 54Oa5PcvK1.exe, 00000002.00000002.1908369809.0000014E9DDE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: 54Oa5PcvK1.exe, 00000002.00000003.1866219661.0000014E9D6D1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852724640.0000014E9D738000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1872993264.0000014E9D73F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1854847463.0000014E9D6D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: 54Oa5PcvK1.exe, 00000002.00000003.1889517854.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889517854.0000014E9D55A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865696349.0000014E9D552000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864479647.0000014E9D55F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906320899.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: 54Oa5PcvK1.exe, 00000002.00000003.1890109806.0000014E9D50A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863298445.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906166312.0000014E9D518000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1896550045.0000014E9D516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: 54Oa5PcvK1.exe, 00000002.00000003.1889517854.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864479647.0000014E9D55F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906320899.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: 54Oa5PcvK1.exe, 00000002.00000003.1889517854.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864479647.0000014E9D55F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906320899.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: 54Oa5PcvK1.exe, 00000002.00000003.1889517854.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864479647.0000014E9D55F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906320899.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903198908.0000014E9C8F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: 54Oa5PcvK1.exe, 00000002.00000003.1873917067.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853692270.0000014E9D18A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863644545.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1876161672.0000014E9D1AD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1881118801.0000014E9D1B3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: 54Oa5PcvK1.exe, 00000002.00000003.1808235992.0000014E9C5D3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1809151431.0000014E9C5E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: 54Oa5PcvK1.exe, 00000002.00000003.1873917067.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853692270.0000014E9D18A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866219661.0000014E9D6DD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1907273070.0000014E9D6DF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863644545.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889443843.0000014E9D6DD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1876161672.0000014E9D1AD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1886446854.0000014E9D6DD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863017558.0000014E9D6D6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1854847463.0000014E9D6D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: 54Oa5PcvK1.exe, 00000002.00000002.1910595406.0000014E9E038000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dabeaz.com/ply)
Source: 54Oa5PcvK1.exe, 00000002.00000003.1890260960.0000014E9D665000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1907136780.0000014E9D669000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dabeaz.com/ply)F
Source: 54Oa5PcvK1.exe, 00000002.00000003.1852623806.0000014E9C7B9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861816344.0000014E9C881000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863115442.0000014E9D5A4000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871001126.0000014E9C886000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906568571.0000014E9D5AA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1867253506.0000014E9C882000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1903076365.0000014E9C897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: 54Oa5PcvK1.exe, 00000002.00000003.1860841559.0000014E9C4F0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861187734.0000014E9C4F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888694158.0000014E9C51D000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853847851.0000014E9C4EE000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862082830.0000014E9C50D000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1896587599.0000014E9C523000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866886822.0000014E9C516000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1874209287.0000014E9C51C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: 54Oa5PcvK1.exe, 00000002.00000003.1808235992.0000014E9C5D3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1808285799.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1809151431.0000014E9C5E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: 54Oa5PcvK1.exe, 00000002.00000003.1808235992.0000014E9C5D3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1809151431.0000014E9C5E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: 54Oa5PcvK1.exe, 00000002.00000003.1890109806.0000014E9D50A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863298445.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906166312.0000014E9D518000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1896550045.0000014E9D516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1878269326.0000014E9D1CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: 54Oa5PcvK1.exe, 00000002.00000003.1890109806.0000014E9D50A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863298445.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906166312.0000014E9D518000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1896550045.0000014E9D516000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cpsQ
Source: 54Oa5PcvK1.exe, 00000002.00000003.1866219661.0000014E9D6D1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852724640.0000014E9D738000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1872993264.0000014E9D73F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1854847463.0000014E9D6D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: 54Oa5PcvK1.exe, 00000002.00000003.1890431238.0000014E9D1A3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1873917067.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853692270.0000014E9D18A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863644545.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1890577290.0000014E9D1A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: 54Oa5PcvK1.exe, 00000002.00000003.1860216079.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875420977.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1896410972.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: 54Oa5PcvK1.exe, 00000002.00000002.1904289849.0000014E9CEE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1903819690.0000014E9CC10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue44497.
Source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file
Source: 54Oa5PcvK1.exe, 00000002.00000003.1866360260.0000014E9AAEB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1811024381.0000014E9AAF3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860593059.0000014E9AAE8000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1869127788.0000014E9AAF5000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1814471372.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1809807777.0000014E9AAF3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859294660.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1870867611.0000014E9AAFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: 54Oa5PcvK1.exe, 00000002.00000003.1860841559.0000014E9C4F0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1895891104.0000014E9C4F5000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853847851.0000014E9C4EE000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875390775.0000014E9C4F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/multiprocessing.html
Source: 54Oa5PcvK1.exe, 00000002.00000003.1862135699.0000014E9AABA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866360260.0000014E9AAE1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859294660.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: 54Oa5PcvK1.exe, 00000002.00000003.1862135699.0000014E9AABA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866360260.0000014E9AAE1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859294660.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: 54Oa5PcvK1.exe, 00000002.00000002.1902596491.0000014E9C704000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1854590119.0000014E9C6A9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859208920.0000014E9A98C000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864133086.0000014E9C6C0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1895552211.0000014E9A98F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858675566.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859570149.0000014E9C6BF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866777303.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860901451.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1872793967.0000014E9C6F4000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1869946544.0000014E9C6D1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860593059.0000014E9AAE8000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1900060979.0000014E9A98F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904289849.0000014E9CEE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816611807.0000014E9C6A9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864652551.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1870819223.0000014E9A98E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865013694.0000014E9A98D000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1903819690.0000014E9CC10000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1868207183.0000014E9C6C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903561006.0000014E9CB00000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904289849.0000014E9CEE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816405751.0000014E9D0E1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816405751.0000014E9D139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: 54Oa5PcvK1.exe, 00000002.00000002.1907932601.0000014E9DAE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903561006.0000014E9CB00000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904451164.0000014E9CFE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: 54Oa5PcvK1.exe, 00000002.00000003.1860216079.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871310960.0000014E9D363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: 54Oa5PcvK1.exe, 00000002.00000002.1899076898.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858902955.0000014E9A733000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1867143009.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860523938.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1898176407.0000014E9A700000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1798235570.0000014E9A779000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796228223.0000014E9A741000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859447132.0000014E9A787000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1892110731.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858979814.0000014E9A769000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796543016.0000014E9A761000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796949117.0000014E9A772000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864218112.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903341157.0000014E9C9F0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904451164.0000014E9CFE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: 54Oa5PcvK1.exe, 00000002.00000002.1909500839.0000014E9DF50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues
Source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues/8996
Source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: https://github.com/pyca/cryptography/issues/9253
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903561006.0000014E9CB00000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904289849.0000014E9CEE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903561006.0000014E9CB00000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: 54Oa5PcvK1.exe, 00000002.00000002.1901264108.0000014E9C3D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: 54Oa5PcvK1.exe, 00000002.00000003.1816611807.0000014E9C6A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: 54Oa5PcvK1.exe, 00000002.00000002.1897780269.0000014E9A2F8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: 54Oa5PcvK1.exe, 00000002.00000003.1864218112.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: 54Oa5PcvK1.exe, 00000002.00000002.1899076898.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858902955.0000014E9A733000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1867143009.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860523938.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1898176407.0000014E9A700000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1798235570.0000014E9A779000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796228223.0000014E9A741000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859447132.0000014E9A787000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1892110731.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858979814.0000014E9A769000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796543016.0000014E9A761000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796949117.0000014E9A772000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864218112.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: 54Oa5PcvK1.exe, 00000002.00000003.1806002599.0000014E9AA05000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1876072137.0000014E9AA2F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859377252.0000014E9A9F1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1809807777.0000014E9AA05000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1808505883.0000014E9AA05000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1814635111.0000014E9A9FF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861933634.0000014E9AA2E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1876360918.0000014E9AA3F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1811024381.0000014E9AA05000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858446761.0000014E9A9EE000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860125534.0000014E9A9F2000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9A9EC000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1807487599.0000014E9AA05000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1807763706.0000014E9A9E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: 54Oa5PcvK1.exe, 00000002.00000002.1899076898.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858902955.0000014E9A733000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1867143009.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860523938.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1898176407.0000014E9A700000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1798235570.0000014E9A779000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796228223.0000014E9A741000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859447132.0000014E9A787000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1892110731.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858979814.0000014E9A769000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796543016.0000014E9A761000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796949117.0000014E9A772000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864218112.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: 54Oa5PcvK1.exe, 00000002.00000002.1907932601.0000014E9DAE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: 54Oa5PcvK1.exe, 00000002.00000002.1908219521.0000014E9DCE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: 54Oa5PcvK1.exe, 00000002.00000002.1908219521.0000014E9DCE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920v
Source: 54Oa5PcvK1.exe, 00000002.00000002.1908369809.0000014E9DDE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: 54Oa5PcvK1.exe, 00000002.00000003.1873917067.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1869030319.0000014E9AA5F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853739475.0000014E9D180000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860216079.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853692270.0000014E9D18A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859802176.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1879378094.0000014E9AA61000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863644545.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863800025.0000014E9AA5F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863484959.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904744322.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861794497.0000014E9AA5E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860630937.0000014E9AA56000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9A9EC000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1854244947.0000014E9AA51000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871310960.0000014E9D363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: 54Oa5PcvK1.exe, 00000002.00000003.1873917067.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853739475.0000014E9D180000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853692270.0000014E9D18A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859802176.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863644545.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863484959.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904744322.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: 54Oa5PcvK1.exe, 00000002.00000003.1887224183.0000014E9D2E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: 54Oa5PcvK1.exe, 00000002.00000002.1905274470.0000014E9D300000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888734287.0000014E9D2FD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875972947.0000014E9D2FA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889741215.0000014E9D300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: 54Oa5PcvK1.exe, 00000002.00000003.1871310960.0000014E9D363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: 54Oa5PcvK1.exe, 00000002.00000002.1908219521.0000014E9DCE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1905649488.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1891028384.0000014E9D365000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D3CF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1887224183.0000014E9D2E9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871310960.0000014E9D363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875670444.0000014E9D1D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: 54Oa5PcvK1.exe, 00000002.00000002.1901264108.0000014E9C3D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
Source: 54Oa5PcvK1.exe, 00000002.00000002.1904656791.0000014E9D139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: 54Oa5PcvK1.exe, 00000002.00000003.1896789568.0000014E9D40A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860347372.0000014E9D401000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1905649488.0000014E9D40B000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D405000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: 54Oa5PcvK1.exe, 00000002.00000003.1858949459.0000014E9A70A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1880733317.0000014E9A710000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853461840.0000014E9D6E5000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861135005.0000014E9A70B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: 54Oa5PcvK1.exe, 00000002.00000003.1887641216.0000014E9D12C000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904617411.0000014E9D12D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
Source: 54Oa5PcvK1.exe, 00000002.00000002.1904451164.0000014E9CFE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1903819690.0000014E9CC10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: 54Oa5PcvK1.exe, 00000002.00000002.1901128922.0000014E9C2D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903561006.0000014E9CB00000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904451164.0000014E9CFE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875670444.0000014E9D1D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: 54Oa5PcvK1.exe, 00000002.00000002.1909500839.0000014E9DF50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scrt.95271.pw/chrome.php
Source: 54Oa5PcvK1.exe, 00000002.00000002.1909500839.0000014E9DF50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scrt.95271.pw/chrome.php0y
Source: 54Oa5PcvK1.exe, 00000002.00000003.1807946782.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858902955.0000014E9A733000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1808018899.0000014E9AAED000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1870468484.0000014E9A73A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1896034640.0000014E9A73B000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1807707033.0000014E9C5DF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1892419995.0000014E9A73B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903819690.0000014E9CC10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903819690.0000014E9CC10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2P
Source: 54Oa5PcvK1.exe, 00000002.00000002.1912566111.0000014E9E27C000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1908219521.0000014E9DCE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ssh.0523qyfw.com/winscp
Source: 54Oa5PcvK1.exe, 00000002.00000002.1905095096.0000014E9D293000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1886368793.0000014E9D292000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D265000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858252843.0000014E9D276000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssh.0523qyfw.com/winscpz
Source: 54Oa5PcvK1.exe, 00000002.00000002.1902596491.0000014E9C704000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1854590119.0000014E9C6A9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859208920.0000014E9A98C000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864133086.0000014E9C6C0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1895552211.0000014E9A98F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858675566.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859570149.0000014E9C6BF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866777303.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860901451.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1872793967.0000014E9C6F4000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1869946544.0000014E9C6D1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860593059.0000014E9AAE8000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1900060979.0000014E9A98F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816611807.0000014E9C6A9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864652551.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1870819223.0000014E9A98E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865013694.0000014E9A98D000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1868207183.0000014E9C6C0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816405751.0000014E9D0E1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816405751.0000014E9D139000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1887870392.0000014E9D1E3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1885346946.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1890366997.0000014E9D208000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1878269326.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875670444.0000014E9D1D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: 54Oa5PcvK1.exe, 00000002.00000003.1852623806.0000014E9C7B9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1885346946.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888570375.0000014E9C854000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1878269326.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875670444.0000014E9D1D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: 54Oa5PcvK1.exe, 00000002.00000003.1873917067.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853692270.0000014E9D18A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866219661.0000014E9D6DD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1907273070.0000014E9D6DF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863644545.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889443843.0000014E9D6DD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1876161672.0000014E9D1AD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1886446854.0000014E9D6DD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863017558.0000014E9D6D6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1854847463.0000014E9D6D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: 54Oa5PcvK1.exe, 00000002.00000003.1869030319.0000014E9AA5F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860216079.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1879378094.0000014E9AA61000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863800025.0000014E9AA5F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861794497.0000014E9AA5E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860630937.0000014E9AA56000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9A9EC000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1854244947.0000014E9AA51000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871310960.0000014E9D363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: 54Oa5PcvK1.exe, 00000002.00000002.1903198908.0000014E9C8F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://upload.pypi.org/legacy/
Source: 54Oa5PcvK1.exe, 00000002.00000002.1908219521.0000014E9DCE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: 54Oa5PcvK1.exe, 00000002.00000002.1908219521.0000014E9DCE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: 54Oa5PcvK1.exe, 00000002.00000003.1858949459.0000014E9A70A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871410302.0000014E9A718000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861135005.0000014E9A70B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1890503693.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1893623590.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1905649488.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1872432884.0000014E9D6CB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859025617.0000014E9D6CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875670444.0000014E9D1D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: 54Oa5PcvK1.exe, 00000002.00000003.1860347372.0000014E9D401000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D405000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: 54Oa5PcvK1.exe, 00000002.00000003.1792466627.0000014E9A749000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1897780269.0000014E9A270000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1792195668.0000014E9A749000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: 54Oa5PcvK1.exe, 00000002.00000002.1905095096.0000014E9D293000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1886368793.0000014E9D292000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D265000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858252843.0000014E9D276000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: 54Oa5PcvK1.exe, 00000002.00000002.1905274470.0000014E9D300000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888734287.0000014E9D2FD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875972947.0000014E9D2FA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889741215.0000014E9D300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/~
Source: 54Oa5PcvK1.exe, 00000002.00000003.1873917067.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853739475.0000014E9D180000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853692270.0000014E9D18A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859802176.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863644545.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863484959.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904744322.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788795DEC	0_2_00007FF788795DEC
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788794EA0	0_2_00007FF788794EA0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF7887758E0	0_2_00007FF7887758E0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788786878	0_2_00007FF788786878
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788786878	0_2_00007FF788786878
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF7887821DC	0_2_00007FF7887821DC
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78878D1F8	0_2_00007FF78878D1F8
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78879511C	0_2_00007FF78879511C
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788780150	0_2_00007FF788780150
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788782A18	0_2_00007FF788782A18
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788790A34	0_2_00007FF788790A34
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78879324C	0_2_00007FF78879324C
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78878FA88	0_2_00007FF78878FA88
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788798BE8	0_2_00007FF788798BE8
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78878132C	0_2_00007FF78878132C
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788780354	0_2_00007FF788780354
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788788D00	0_2_00007FF788788D00
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788777420	0_2_00007FF788777420
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788792DB0	0_2_00007FF788792DB0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78878FA88	0_2_00007FF78878FA88
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788782614	0_2_00007FF788782614
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78877FD40	0_2_00007FF78877FD40
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78878CD64	0_2_00007FF78878CD64
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788780560	0_2_00007FF788780560
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF7887816C4	0_2_00007FF7887816C4
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF7887866C4	0_2_00007FF7887866C4
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788784FC0	0_2_00007FF788784FC0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78877FF44	0_2_00007FF78877FF44
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788780764	0_2_00007FF788780764
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF7887958A0	0_2_00007FF7887958A0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF7887870FC	0_2_00007FF7887870FC
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78878D878	0_2_00007FF78878D878
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788795DEC	2_2_00007FF788795DEC
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788794EA0	2_2_00007FF788794EA0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788786878	2_2_00007FF788786878
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF7887821DC	2_2_00007FF7887821DC
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF78878D1F8	2_2_00007FF78878D1F8
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF78879511C	2_2_00007FF78879511C
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788780150	2_2_00007FF788780150
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788782A18	2_2_00007FF788782A18
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788790A34	2_2_00007FF788790A34
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF78879324C	2_2_00007FF78879324C
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF78878FA88	2_2_00007FF78878FA88
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788798BE8	2_2_00007FF788798BE8
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF78878132C	2_2_00007FF78878132C
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788780354	2_2_00007FF788780354
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788788D00	2_2_00007FF788788D00
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788777420	2_2_00007FF788777420
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788792DB0	2_2_00007FF788792DB0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF78878FA88	2_2_00007FF78878FA88
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788782614	2_2_00007FF788782614
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF78877FD40	2_2_00007FF78877FD40
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF78878CD64	2_2_00007FF78878CD64
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788780560	2_2_00007FF788780560
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF7887816C4	2_2_00007FF7887816C4
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF7887866C4	2_2_00007FF7887866C4
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788784FC0	2_2_00007FF788784FC0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF78877FF44	2_2_00007FF78877FF44
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788780764	2_2_00007FF788780764
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF7887958A0	2_2_00007FF7887958A0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF7887758E0	2_2_00007FF7887758E0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF7887870FC	2_2_00007FF7887870FC
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FFDFABB18A0	2_2_00007FFDFABB18A0

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: String function: 00007FF788771CB0 appears 38 times
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: String function: 00007FF788771C50 appears 89 times

Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: python3.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: 54Oa5PcvK1.exe	Binary or memory string: OriginalFilename vs 54Oa5PcvK1.exe
Source: 54Oa5PcvK1.exe, 00000002.00000002.1897937515.0000014E9A370000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs 54Oa5PcvK1.exe
Source: 54Oa5PcvK1.exe, 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs 54Oa5PcvK1.exe
Source: 54Oa5PcvK1.exe, 00000002.00000002.1913681479.00007FFDFA40F000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs 54Oa5PcvK1.exe

Source: classification engine

Classification label: mal56.spyw.winEXE@6/149@1/0

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

Code function: 0_2_00007FF788776670 GetLastError,FormatMessageW,WideCharToMultiByte,

0_2_00007FF788776670

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_03
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\MyUniqueProgramMutexName12345

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI67562

Jump to behavior

Source: 54Oa5PcvK1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 54Oa5PcvK1.exe, 00000002.00000002.1913568145.00007FFDFA3DC000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 54Oa5PcvK1.exe, 00000002.00000002.1913568145.00007FFDFA3DC000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 54Oa5PcvK1.exe, 00000002.00000002.1913568145.00007FFDFA3DC000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 54Oa5PcvK1.exe, 00000002.00000002.1913568145.00007FFDFA3DC000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 54Oa5PcvK1.exe, 54Oa5PcvK1.exe, 00000002.00000002.1913568145.00007FFDFA3DC000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 54Oa5PcvK1.exe, 00000002.00000002.1913568145.00007FFDFA3DC000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 54Oa5PcvK1.exe, 00000002.00000002.1913568145.00007FFDFA3DC000.00000002.00000001.01000000.00000022.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: 54Oa5PcvK1.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

File read: C:\Users\user\Desktop\54Oa5PcvK1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\54Oa5PcvK1.exe "C:\Users\user\Desktop\54Oa5PcvK1.exe"
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Process created: C:\Users\user\Desktop\54Oa5PcvK1.exe "C:\Users\user\Desktop\54Oa5PcvK1.exe"
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Process created: C:\Users\user\Desktop\54Oa5PcvK1.exe "C:\Users\user\Desktop\54Oa5PcvK1.exe"	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 54Oa5PcvK1.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 54Oa5PcvK1.exe

Static file information: File size 23470644 > 1048576

Source: 54Oa5PcvK1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 54Oa5PcvK1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 54Oa5PcvK1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 54Oa5PcvK1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 54Oa5PcvK1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 54Oa5PcvK1.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 54Oa5PcvK1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 54Oa5PcvK1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: k1k2k3X9_62_PENTANOMIALp.otherp.onBasisp.tpBasisp.ppBasismX9_62_CHARACTERISTIC_TWOp.primep.char_twofieldTypeX9_62_FIELDIDX9_62_CURVEfieldIDcurvebaseECPARAMETERSvalue.named_curvevalue.parametersvalue.implicitlyCAECPKPARAMETERSprivateKeyparameterspublicKeyEC_PRIVATEKEYec_asn1_group2fieldidcrypto\ec\ec_asn1.cec_asn1_group2curveEC_GROUP_get_ecparametersEC_GROUP_get_ecpkparametersEC_GROUP_new_from_ecparametersEC_GROUP_new_from_ecpkparametersi2d_ECPKParametersd2i_ECPrivateKeyi2d_ECPrivateKeyi2d_ECParametersd2i_ECParameterso2i_ECPublicKeyi2o_ECPublicKeycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"3.3.2built on: Tue Sep 3 19:22:24 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\init.cOPENSSL_init_cryptocrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_sendmmsgBIO_recvmmsgBIO_putsBIO_getsBIO_get_line BIO_ctrlBIO_callback_ctrlBIO_find_type source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: 54Oa5PcvK1.exe, 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: 54Oa5PcvK1.exe, 00000002.00000002.1916121808.00007FFDFB111000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: cryptography_rust.pdbc source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: ossl_ec_GFp_simple_group_set_curvecrypto\ec\ecp_smpl.cossl_ec_GFp_simple_group_check_discriminantossl_ec_GFp_simple_point_set_affine_coordinatesossl_ec_GFp_simple_point_get_affine_coordinatesossl_ec_GFp_simple_make_affineossl_ec_GFp_simple_points_make_affineossl_ec_GFp_simple_field_invossl_ec_GFp_simple_blind_coordinatescrypto\buffer\buffer.cBUF_MEM_growBUF_MEM_grow_cleancompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specific.dllCPUINFO: crypto\initthread.cOPENSSL_ia32cap` source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.13 30 Jan 20243.0.13built on: Mon Feb 5 17:39:09 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: 54Oa5PcvK1.exe, 00000002.00000002.1916121808.00007FFDFB079000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: 54Oa5PcvK1.exe, 00000002.00000002.1913568145.00007FFDFA3DC000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: 54Oa5PcvK1.exe, 00000002.00000002.1916121808.00007FFDFB111000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: cryptography_rust.pdb source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: 54Oa5PcvK1.exe, 00000002.00000002.1897937515.0000014E9A370000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: 54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp

Source: 54Oa5PcvK1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 54Oa5PcvK1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 54Oa5PcvK1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 54Oa5PcvK1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 54Oa5PcvK1.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr

Static PE information: 0xC6B9A1B8 [Mon Aug 26 14:12:08 2075 UTC]

Source: 54Oa5PcvK1.exe	Static PE information: section name: _RDATA
Source: mfc140u.dll.0.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python311.dll.0.dr	Static PE information: section name: PyRuntim

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

Process created: "C:\Users\user\Desktop\54Oa5PcvK1.exe"

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32evtlog.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\zstandard\backend_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\markupsafe\_speedups.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\tinyaes.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\zstandard\_cffi.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

Code function: 0_2_00007FF788772F20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF788772F20

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_cffi_backend.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32evtlog.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32\pythoncom311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\zstandard\backend_c.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\markupsafe\_speedups.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography\hazmat\bindings\_rust.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32\pywintypes311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\charset_normalizer\md.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32crypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\python311.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\tinyaes.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\zstandard\_cffi.cp311-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-16384

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

API coverage: 6.5 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF7887769E0 FindFirstFileExW,FindClose,	0_2_00007FF7887769E0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788786878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF788786878
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788786878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	0_2_00007FF788786878
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788790A34 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF788790A34
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788786878 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,	2_2_00007FF788786878
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF7887769E0 FindFirstFileExW,FindClose,	2_2_00007FF7887769E0
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788790A34 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	2_2_00007FF788790A34

Source: 54Oa5PcvK1.exe, 00000002.00000003.1859208920.0000014E9A98C000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1895552211.0000014E9A98F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1808505883.0000014E9A982000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1900060979.0000014E9A98F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1870819223.0000014E9A98E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865013694.0000014E9A98D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

Code function: 0_2_00007FF78877AA2C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF78877AA2C

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

Code function: 0_2_00007FF788792620 GetProcessHeap,

0_2_00007FF788792620

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78877A180 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF78877A180
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78877AA2C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF78877AA2C
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF78877ABD4 SetUnhandledExceptionFilter,	0_2_00007FF78877ABD4
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 0_2_00007FF788789C44 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF788789C44
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF78877A180 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF78877A180
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF78877AA2C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF78877AA2C
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF78877ABD4 SetUnhandledExceptionFilter,	2_2_00007FF78877ABD4
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FF788789C44 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF788789C44
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FFDFABB2A90 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFDFABB2A90
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Code function: 2_2_00007FFDFABB3058 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFDFABB3058

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Process created: C:\Users\user\Desktop\54Oa5PcvK1.exe "C:\Users\user\Desktop\54Oa5PcvK1.exe"			Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"			Jump to behavior

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

Code function: 0_2_00007FF788798A30 cpuid

0_2_00007FF788798A30

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info\license_files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info\license_files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\tinyaes.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\tinyaes.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\tinyaes.cp311-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32\pywintypes311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32\pythoncom311.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32api.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	Queries volume information: C:\Users\user\Desktop\54Oa5PcvK1.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

Code function: 0_2_00007FF78877A910 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF78877A910

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe

Code function: 0_2_00007FF788794EA0 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF788794EA0

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\54Oa5PcvK1.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Process Injection	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
54Oa5PcvK1.exe	29%	ReversingLabs	Win32.Ransomware.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_x25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin\mfc140u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin\win32ui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_cffi_backend.cp311-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2P	0%	Avira URL Cloud	safe
http://www.dabeaz.com/ply)F	0%	Avira URL Cloud	safe
http://www.dabeaz.com/ply)	0%	Avira URL Cloud	safe
https://scrt.95271.pw/chrome.php	0%	Avira URL Cloud	safe
http://bugs.python.org/issue23606)	0%	Avira URL Cloud	safe
https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/~	0%	Avira URL Cloud	safe
https://scrt.95271.pw/chrome.php0y	0%	Avira URL Cloud	safe
http://cffi.readthedocs.io/en/latest/cdef.html#ffi-cdef-limitations	0%	Avira URL Cloud	safe
http://repository.swisssign.com/O$	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ssh.0523qyfw.com	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf	54Oa5PcvK1.exe, 00000002.00000003.1858949459.0000014E9A70A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1880733317.0000014E9A710000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853461840.0000014E9D6E5000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861135005.0000014E9A70B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.dabeaz.com/ply)F	54Oa5PcvK1.exe, 00000002.00000003.1890260960.0000014E9D665000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1907136780.0000014E9D669000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dabeaz.com/ply)	54Oa5PcvK1.exe, 00000002.00000002.1910595406.0000014E9E038000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pyca/cryptography/issues/8996	54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp	false		high
https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2P	54Oa5PcvK1.exe, 00000002.00000002.1903819690.0000014E9CC10000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://aka.ms/vcpython27	54Oa5PcvK1.exe, 00000002.00000002.1907799326.0000014E9D9E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/library/unittest.html	54Oa5PcvK1.exe, 00000002.00000003.1872084143.0000014E9D167000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852568956.0000014E9D153000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865853165.0000014E9D167000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1893310173.0000014E9D168000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	54Oa5PcvK1.exe, 00000002.00000002.1899076898.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858902955.0000014E9A733000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1867143009.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860523938.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1898176407.0000014E9A700000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1798235570.0000014E9A779000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796228223.0000014E9A741000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859447132.0000014E9A787000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1892110731.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858979814.0000014E9A769000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796543016.0000014E9A761000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796949117.0000014E9A772000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864218112.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crlB	54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1887870392.0000014E9D1E3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1885346946.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1890366997.0000014E9D208000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1878269326.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875670444.0000014E9D1D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	54Oa5PcvK1.exe, 00000002.00000003.1866360260.0000014E9AAEB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1811024381.0000014E9AAF3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860593059.0000014E9AAE8000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1869127788.0000014E9AAF5000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1814471372.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1809807777.0000014E9AAF3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859294660.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1870867611.0000014E9AAFA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/packaging	54Oa5PcvK1.exe, 00000002.00000002.1903561006.0000014E9CB00000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904289849.0000014E9CEE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://stackoverflow.com/questions/19622133/	54Oa5PcvK1.exe, 00000002.00000002.1904289849.0000014E9CEE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	54Oa5PcvK1.exe, 00000002.00000002.1903561006.0000014E9CB00000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904451164.0000014E9CFE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cffi.readthedocs.io/en/latest/cdef.html#ffi-cdef-limitations	54Oa5PcvK1.exe, 00000002.00000002.1910595406.0000014E9E038000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	54Oa5PcvK1.exe, 00000002.00000002.1907932601.0000014E9DAE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.kill	54Oa5PcvK1.exe, 00000002.00000002.1908076763.0000014E9DBE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc3610	54Oa5PcvK1.exe, 00000002.00000003.1852623806.0000014E9C7B9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1885346946.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888570375.0000014E9C854000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1878269326.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875670444.0000014E9D1D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	54Oa5PcvK1.exe, 00000002.00000002.1901128922.0000014E9C2D0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	54Oa5PcvK1.exe, 00000002.00000002.1908369809.0000014E9DDE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	54Oa5PcvK1.exe, 00000002.00000003.1889517854.0000014E9D55A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865696349.0000014E9D552000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	54Oa5PcvK1.exe, 00000002.00000002.1908076763.0000014E9DBE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	54Oa5PcvK1.exe, 00000002.00000002.1908219521.0000014E9DCE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/pprint.html	54Oa5PcvK1.exe, 00000002.00000003.1862135699.0000014E9AABA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866360260.0000014E9AAE1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859294660.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	54Oa5PcvK1.exe, 00000002.00000002.1897780269.0000014E9A2F8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/get	54Oa5PcvK1.exe, 00000002.00000002.1908219521.0000014E9DCE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1905649488.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1891028384.0000014E9D365000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D3CF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1887224183.0000014E9D2E9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871310960.0000014E9D363000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crlA	54Oa5PcvK1.exe, 00000002.00000003.1862831881.0000014E9D527000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access	54Oa5PcvK1.exe, 00000002.00000003.1807946782.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858902955.0000014E9A733000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1808018899.0000014E9AAED000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1870468484.0000014E9A73A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1896034640.0000014E9A73B000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1807707033.0000014E9C5DF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1892419995.0000014E9A73B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	54Oa5PcvK1.exe, 00000002.00000002.1905274470.0000014E9D300000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888734287.0000014E9D2FD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875972947.0000014E9D2FA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889741215.0000014E9D300000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/~	54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	54Oa5PcvK1.exe, 00000002.00000002.1899076898.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858902955.0000014E9A733000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1867143009.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860523938.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1898176407.0000014E9A700000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1798235570.0000014E9A779000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796228223.0000014E9A741000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859447132.0000014E9A787000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1892110731.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858979814.0000014E9A769000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796543016.0000014E9A761000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796949117.0000014E9A772000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864218112.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	54Oa5PcvK1.exe, 00000002.00000003.1806002599.0000014E9AA05000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1876072137.0000014E9AA2F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859377252.0000014E9A9F1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1809807777.0000014E9AA05000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1808505883.0000014E9AA05000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1814635111.0000014E9A9FF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861933634.0000014E9AA2E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1876360918.0000014E9AA3F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1811024381.0000014E9AA05000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858446761.0000014E9A9EE000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860125534.0000014E9A9F2000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9A9EC000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1807487599.0000014E9AA05000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1807763706.0000014E9A9E6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/	54Oa5PcvK1.exe, 00000002.00000003.1871310960.0000014E9D363000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/	54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file	54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp	false		high
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	54Oa5PcvK1.exe, 00000002.00000003.1808235992.0000014E9C5D3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1809151431.0000014E9C5E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.micr	54Oa5PcvK1.exe	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	54Oa5PcvK1.exe, 00000002.00000003.1852623806.0000014E9C7B9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863567043.0000014E9C878000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863928662.0000014E9D319000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	54Oa5PcvK1.exe, 00000002.00000002.1899076898.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858902955.0000014E9A733000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1867143009.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860523938.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1898176407.0000014E9A700000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1798235570.0000014E9A779000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796228223.0000014E9A741000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859447132.0000014E9A787000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1892110731.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858979814.0000014E9A769000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796543016.0000014E9A761000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1796949117.0000014E9A772000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864218112.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl#	54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/multiprocessing.html	54Oa5PcvK1.exe, 00000002.00000003.1860841559.0000014E9C4F0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1895891104.0000014E9C4F5000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853847851.0000014E9C4EE000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875390775.0000014E9C4F1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/re.html	54Oa5PcvK1.exe, 00000002.00000002.1902596491.0000014E9C704000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1854590119.0000014E9C6A9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859208920.0000014E9A98C000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864133086.0000014E9C6C0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1895552211.0000014E9A98F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858675566.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859570149.0000014E9C6BF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866777303.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860901451.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1872793967.0000014E9C6F4000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1869946544.0000014E9C6D1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860593059.0000014E9AAE8000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1900060979.0000014E9A98F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904289849.0000014E9CEE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816611807.0000014E9C6A9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864652551.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1870819223.0000014E9A98E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865013694.0000014E9A98D000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1903819690.0000014E9CC10000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1868207183.0000014E9C6C0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	54Oa5PcvK1.exe, 00000002.00000002.1901264108.0000014E9C3D0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://github.com/ActiveState/appdirs	54Oa5PcvK1.exe, 00000002.00000002.1903341157.0000014E9C9F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wiki.debian.org/XDGBaseDirectorySpecification#state	54Oa5PcvK1.exe, 00000002.00000003.1858949459.0000014E9A70A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871410302.0000014E9A718000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861135005.0000014E9A70B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	54Oa5PcvK1.exe, 00000002.00000003.1862831881.0000014E9D527000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wwwsearch.sf.net/):	54Oa5PcvK1.exe, 00000002.00000003.1860216079.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875420977.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1896410972.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	54Oa5PcvK1.exe, 00000002.00000003.1889517854.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889517854.0000014E9D55A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865696349.0000014E9D552000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864479647.0000014E9D55F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906320899.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	54Oa5PcvK1.exe, 00000002.00000002.1908369809.0000014E9DDE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/O$	54Oa5PcvK1.exe, 00000002.00000003.1862831881.0000014E9D527000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864820472.0000014E9D538000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	54Oa5PcvK1.exe, 00000002.00000003.1875170154.0000014E9D21E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bugs.python.org/issue44497.	54Oa5PcvK1.exe, 00000002.00000002.1904289849.0000014E9CEE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1903819690.0000014E9CC10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://scrt.95271.pw/chrome.php0y	54Oa5PcvK1.exe, 00000002.00000002.1909500839.0000014E9DF50000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cert.fnmt.es/dpcs/	54Oa5PcvK1.exe, 00000002.00000003.1873917067.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853692270.0000014E9D18A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863644545.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1876161672.0000014E9D1AD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1881118801.0000014E9D1B3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	54Oa5PcvK1.exe, 00000002.00000003.1873917067.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853739475.0000014E9D180000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853692270.0000014E9D18A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859802176.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863644545.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863484959.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904744322.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	54Oa5PcvK1.exe, 00000002.00000002.1904451164.0000014E9CFE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1903819690.0000014E9CC10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/jaraco/jaraco.functools/issues/5	54Oa5PcvK1.exe, 00000002.00000002.1903341157.0000014E9C9F0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904451164.0000014E9CFE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es00	54Oa5PcvK1.exe, 00000002.00000003.1889517854.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864479647.0000014E9D55F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906320899.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	54Oa5PcvK1.exe, 00000002.00000003.1864218112.0000014E9A788000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	54Oa5PcvK1.exe, 00000002.00000003.1808235992.0000014E9C5D3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1809151431.0000014E9C5E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	54Oa5PcvK1.exe, 00000002.00000003.1866219661.0000014E9D6D1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852724640.0000014E9D738000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1872993264.0000014E9D73F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1854847463.0000014E9D6D0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://scrt.95271.pw/chrome.php	54Oa5PcvK1.exe, 00000002.00000002.1909500839.0000014E9DF50000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pyca/cryptography/issues	54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp	false		high
http://bugs.python.org/issue23606)	54Oa5PcvK1.exe, 00000002.00000002.1909500839.0000014E9DF50000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf	54Oa5PcvK1.exe, 00000002.00000003.1852623806.0000014E9C7B9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1885346946.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888570375.0000014E9C854000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1878269326.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875670444.0000014E9D1D7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	54Oa5PcvK1.exe, 00000002.00000002.1907932601.0000014E9DAE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://google.com/	54Oa5PcvK1.exe, 00000002.00000002.1905095096.0000014E9D293000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1886368793.0000014E9D292000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D265000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858252843.0000014E9D276000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	54Oa5PcvK1.exe, 00000002.00000003.1896789568.0000014E9D40A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860347372.0000014E9D401000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D3F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1905649488.0000014E9D40B000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D405000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl	54Oa5PcvK1.exe, 00000002.00000003.1890109806.0000014E9D50A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863298445.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1895072068.0000014E9D526000.00000004.00000020.00020000.00000000.sdmp	false		high
http://.../back.jpeg	54Oa5PcvK1.exe, 00000002.00000002.1908369809.0000014E9DDE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc5869	54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1878269326.0000014E9D1CE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cpsQ	54Oa5PcvK1.exe, 00000002.00000003.1890109806.0000014E9D50A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863298445.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906166312.0000014E9D518000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1896550045.0000014E9D516000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/download/releases/2.3/mro/.	54Oa5PcvK1.exe, 00000002.00000003.1792466627.0000014E9A749000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1897780269.0000014E9A270000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1792195668.0000014E9A749000.00000004.00000020.00020000.00000000.sdmp	false		high
http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html	54Oa5PcvK1.exe, 00000002.00000003.1852623806.0000014E9C7B9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1873917067.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1880949550.0000014E9D2E6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853692270.0000014E9D18A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866219661.0000014E9D6DD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888734287.0000014E9D2E9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1907273070.0000014E9D6DF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863644545.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889443843.0000014E9D6DD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875972947.0000014E9D2FA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1876161672.0000014E9D1AD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863115442.0000014E9D5A4000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889741215.0000014E9D2F2000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1886446854.0000014E9D6DD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906653844.0000014E9D5CE000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1885346946.0000014E9D1DB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863017558.0000014E9D6D6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/post	54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875670444.0000014E9D1D7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crlK?(O	54Oa5PcvK1.exe, 00000002.00000003.1890109806.0000014E9D50A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863298445.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1895072068.0000014E9D526000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Ousret/charset_normalizer	54Oa5PcvK1.exe, 00000002.00000003.1860216079.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871310960.0000014E9D363000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	54Oa5PcvK1.exe, 00000002.00000003.1852623806.0000014E9C7B9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861816344.0000014E9C881000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863115442.0000014E9D5A4000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871001126.0000014E9C886000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906568571.0000014E9D5AA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1867253506.0000014E9C882000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1903076365.0000014E9C897000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/re.html#re.sub	54Oa5PcvK1.exe, 00000002.00000002.1903561006.0000014E9CB00000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904289849.0000014E9CEE0000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816405751.0000014E9D0E1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816405751.0000014E9D139000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	54Oa5PcvK1.exe, 00000002.00000002.1908219521.0000014E9DCE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	54Oa5PcvK1.exe, 00000002.00000003.1876009699.0000014E9D364000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860216079.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1891028384.0000014E9D365000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871310960.0000014E9D363000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	54Oa5PcvK1.exe, 00000002.00000003.1873917067.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853739475.0000014E9D180000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853692270.0000014E9D18A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859802176.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863644545.0000014E9D18E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865545609.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863484959.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1904744322.0000014E9D184000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	54Oa5PcvK1.exe, 00000002.00000003.1876009699.0000014E9D364000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860216079.0000014E9D35E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1891028384.0000014E9D365000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1871310960.0000014E9D363000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2	54Oa5PcvK1.exe, 00000002.00000002.1903819690.0000014E9CC10000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular	54Oa5PcvK1.exe, 00000002.00000002.1902596491.0000014E9C704000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1854590119.0000014E9C6A9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859208920.0000014E9A98C000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864133086.0000014E9C6C0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1895552211.0000014E9A98F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858675566.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859570149.0000014E9C6BF000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866777303.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860901451.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1872793967.0000014E9C6F4000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1869946544.0000014E9C6D1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1860593059.0000014E9AAE8000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1900060979.0000014E9A98F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816611807.0000014E9C6A9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864652551.0000014E9A7D0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1870819223.0000014E9A98E000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1865013694.0000014E9A98D000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853924980.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1868207183.0000014E9C6C0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816405751.0000014E9D0E1000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1816405751.0000014E9D139000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	54Oa5PcvK1.exe, 00000002.00000003.1860841559.0000014E9C4F0000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1861187734.0000014E9C4F6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888694158.0000014E9C51D000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1853847851.0000014E9C4EE000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862082830.0000014E9C50D000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1896587599.0000014E9C523000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1866886822.0000014E9C516000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1874209287.0000014E9C51C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/	54Oa5PcvK1.exe, 00000002.00000002.1905274470.0000014E9D300000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888734287.0000014E9D2FD000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875972947.0000014E9D2FA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889741215.0000014E9D300000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	54Oa5PcvK1.exe, 00000002.00000003.1853200890.0000014E9D1C7000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D169000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1878269326.0000014E9D1CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyparsing/pyparsing/wiki	54Oa5PcvK1.exe, 00000002.00000003.1816611807.0000014E9C6A9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl	54Oa5PcvK1.exe, 00000002.00000003.1890109806.0000014E9D50A000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1863298445.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906166312.0000014E9D518000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1896550045.0000014E9D516000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	54Oa5PcvK1.exe, 00000002.00000002.1908219521.0000014E9DCE0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	54Oa5PcvK1.exe, 00000002.00000003.1889517854.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852044676.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1864479647.0000014E9D55F000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1862214836.0000014E9D504000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000002.1906320899.0000014E9D560000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	54Oa5PcvK1.exe, 00000002.00000002.1905095096.0000014E9D293000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1886368793.0000014E9D292000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1852328372.0000014E9D265000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1858252843.0000014E9D276000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pyca/cryptography/issues/9253	54Oa5PcvK1.exe, 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmp	false		high
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf	54Oa5PcvK1.exe, 00000002.00000003.1880949550.0000014E9D2E6000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1888734287.0000014E9D2E9000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1875972947.0000014E9D2FA000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1889741215.0000014E9D2F2000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1887224183.0000014E9D2E9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iana.org/time-zones/repository/tz-link.html	54Oa5PcvK1.exe, 00000002.00000003.1808235992.0000014E9C5D3000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1808285799.0000014E9AA89000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1809151431.0000014E9C5E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc5297	54Oa5PcvK1.exe, 00000002.00000002.1912566111.0000014E9E220000.00000004.00001000.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1872432884.0000014E9D6CB000.00000004.00000020.00020000.00000000.sdmp, 54Oa5PcvK1.exe, 00000002.00000003.1859025617.0000014E9D6CA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://upload.pypi.org/legacy/	54Oa5PcvK1.exe, 00000002.00000002.1903198908.0000014E9C8F0000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577418
Start date and time:	2024-12-18 13:16:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	54Oa5PcvK1.exe renamed because original name is a hash value
Original Sample Name:	150bd33eb83e01bd26e6ea50fb7e1058e57855f8c50753f8a3b7401d712b8351.exe
Detection:	MAL
Classification:	mal56.spyw.winEXE@6/149@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 56% Number of executed functions: 65 Number of non-executed functions: 131
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
VT rate limit hit for: 54Oa5PcvK1.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_Salsa20.pyd	LmZVhGD5jF.exe	Get hash	malicious	Unknown	Browse
	7EznMik8Fw.exe	Get hash	malicious	Python Stealer	Browse
	MkWMm5piE5.exe	Get hash	malicious	Python Stealer	Browse
	okG6LaM2yP.exe	Get hash	malicious	Python Stealer	Browse
	JxrkpYVdCp.exe	Get hash	malicious	Python Stealer, Babadeda	Browse
	hSyJxPUUDx.exe	Get hash	malicious	Unknown	Browse
	u08NgsGNym.exe	Get hash	malicious	Python Stealer	Browse
	MkWMm5piE5.exe	Get hash	malicious	Python Stealer	Browse
	L5OMdZqWzq.exe	Get hash	malicious	Python Stealer	Browse
	ssPp3zvWwN.exe	Get hash	malicious	Python Stealer	Browse
C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_ARC4.pyd	LmZVhGD5jF.exe	Get hash	malicious	Unknown	Browse
	zW72x5d91l.bat	Get hash	malicious	Unknown	Browse
	7EznMik8Fw.exe	Get hash	malicious	Python Stealer	Browse
	MkWMm5piE5.exe	Get hash	malicious	Python Stealer	Browse
	okG6LaM2yP.exe	Get hash	malicious	Python Stealer	Browse
	JxrkpYVdCp.exe	Get hash	malicious	Python Stealer, Babadeda	Browse
	hSyJxPUUDx.exe	Get hash	malicious	Unknown	Browse
	u08NgsGNym.exe	Get hash	malicious	Python Stealer	Browse
	MkWMm5piE5.exe	Get hash	malicious	Python Stealer	Browse
	L5OMdZqWzq.exe	Get hash	malicious	Python Stealer	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.703513333396807
Encrypted:	false
SSDEEP:	96:nDzb9VD9daQ2iTrqT+6Zdp/Q0I1uLfcC75JiC4Rs89EcYyGDV90OcX6gY/7ECFV:Dzz9damqTrpYTst0E5DVPcqgY/79X
MD5:	6176101B7C377A32C01AE3EDB7FD4DE6
SHA1:	5F1CB443F9D677F313BEC07C5241AEAB57502F5E
SHA-256:	EFEA361311923189ECBE3240111EFBA329752D30457E0DBE9628A82905CD4BDB
SHA-512:	3E7373B71AE0834E96A99595CFEF2E96C0F5230429ADC0B5512F4089D1ED0D7F7F0E32A40584DFB13C41D257712A9C4E9722366F0A21B907798AE79D8CEDCF30
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: LmZVhGD5jF.exe, Detection: malicious, Browse Filename: zW72x5d91l.bat, Detection: malicious, Browse Filename: 7EznMik8Fw.exe, Detection: malicious, Browse Filename: MkWMm5piE5.exe, Detection: malicious, Browse Filename: okG6LaM2yP.exe, Detection: malicious, Browse Filename: JxrkpYVdCp.exe, Detection: malicious, Browse Filename: hSyJxPUUDx.exe, Detection: malicious, Browse Filename: u08NgsGNym.exe, Detection: malicious, Browse Filename: MkWMm5piE5.exe, Detection: malicious, Browse Filename: L5OMdZqWzq.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d....e.........." ...%............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	4.968452734961967
Encrypted:	false
SSDEEP:	96:JF3TgNlF/1Nt5aSd4+1ijg0NLfFNJSCqsstXHTeH5ht47qMbxbfDqbwYH/kcX6gT:WF/1nb2mhQtkXHTeZ87VDqrMcqgYvEp
MD5:	371776A7E26BAEB3F75C93A8364C9AE0
SHA1:	BF60B2177171BA1C6B4351E6178529D4B082BDA9
SHA-256:	15257E96D1CA8480B8CB98F4C79B6E365FE38A1BA9638FC8C9AB7FFEA79C4762
SHA-512:	C23548FBCD1713C4D8348917FF2AB623C404FB0E9566AB93D147C62E06F51E63BDAA347F2D203FE4F046CE49943B38E3E9FA1433F6455C97379F2BC641AE7CE9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: LmZVhGD5jF.exe, Detection: malicious, Browse Filename: 7EznMik8Fw.exe, Detection: malicious, Browse Filename: MkWMm5piE5.exe, Detection: malicious, Browse Filename: okG6LaM2yP.exe, Detection: malicious, Browse Filename: JxrkpYVdCp.exe, Detection: malicious, Browse Filename: hSyJxPUUDx.exe, Detection: malicious, Browse Filename: u08NgsGNym.exe, Detection: malicious, Browse Filename: MkWMm5piE5.exe, Detection: malicious, Browse Filename: L5OMdZqWzq.exe, Detection: malicious, Browse Filename: ssPp3zvWwN.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8......x9..d....`.......P..L............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..L....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.061461040216793
Encrypted:	false
SSDEEP:	192:ldF/1nb2mhQtkXn0t/WS60YYDEiqvdvGyv9lkVcqgYvEMo:v2f6XSZ6XYD6vdvGyv9MgYvEMo
MD5:	CB5238E2D4149636377F9A1E2AF6DC57
SHA1:	038253BABC9E652BA4A20116886209E2BCCF35AC
SHA-256:	A8D3BB9CD6A78EBDB4F18693E68B659080D08CB537F9630D279EC9F26772EFC7
SHA-512:	B1E6AB509CF1E5ECC6A60455D6900A76514F8DF43F3ABC3B8D36AF59A3DF8A868B489ED0B145D0D799AAC8672CBF5827C503F383D3F38069ABF6056ECCD87B21
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..d............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_pkcs1_decode.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.236167046748013
Encrypted:	false
SSDEEP:	192:/siHXqpoUol3xZhRyQX5lDnRDFYav+tcqgRvE:h6D+XBDgDgRvE
MD5:	D9E7218460AEE693BEA07DA7C2B40177
SHA1:	9264D749748D8C98D35B27BEFE6247DA23FF103D
SHA-256:	38E423D3BCC32EE6730941B19B7D5D8872C0D30D3DD8F9AAE1442CB052C599AD
SHA-512:	DDB579E2DEA9D266254C0D9E23038274D9AE33F0756419FD53EC6DC1A27D1540828EE8F4AD421A5CFFD9B805F1A68F26E70BDC1BAB69834E8ACD6D7BB7BDB0DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...........R......U.....R............U......U......U................}.........Rich...........................PE..d....e.........." ...%............P.....................................................`..........................................9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@.......,..............@....pdata..\|....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.558176937399355
Encrypted:	false
SSDEEP:	384:Dz2P+7nYpPMedFDlDchrVX1mEVmT9ZgkoD/PKDkGuF0U390QOo8VdbKBWmuCLg46:DzeqWB7YJlmLJ3oD/S4j990th9VCsC
MD5:	F751792DF10CDEED391D361E82DAF596
SHA1:	3440738AF3C88A4255506B55A673398838B4CEAC
SHA-256:	9524D1DADCD2F2B0190C1B8EDE8E5199706F3D6C19D3FB005809ED4FEBF3E8B5
SHA-512:	6159F245418AB7AD897B02F1AADF1079608E533B9C75006EFAF24717917EAA159846EE5DFC0E85C6CFF8810319EFECBA80C1D51D1F115F00EC1AFF253E312C00
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d....e.........." ...%.H...H......P.....................................................`.................................................,...d...............................4... ...................................@............`...............................text....F.......H.................. ..`.rdata..d6...`...8...L..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.285191078037458
Encrypted:	false
SSDEEP:	192:wJBjJHEkEPYi3Xd+dc26E4++yuqAyXW9wifD4jqccqgwYUMvEW:ikRwi3wO26Ef+yuIm9PfD7wgwYUMvE
MD5:	BBEA5FFAE18BF0B5679D5C5BCD762D5A
SHA1:	D7C2721795113370377A1C60E5CEF393473F0CC5
SHA-256:	1F4288A098DA3AAC2ADD54E83C8C9F2041EC895263F20576417A92E1E5B421C1
SHA-512:	0932EC5E69696D6DD559C30C19FC5A481BEFA38539013B9541D84499F2B6834A2FFE64A1008A1724E456FF15DDA6268B7B0AD8BA14918E2333567277B3716CC4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........TX..:...:...:.....:..;...:...;...:...;...:..?...:..>...:..9...:..R2...:..R:...:..R....:..R8...:.Rich..:.................PE..d....e.........." ...%. ... ......P.....................................................`..........................................9......D:..d....`.......P...............p..,....3...............................1..@............0.. ............................text...h........ .................. ..`.rdata.......0.......$..............@..@.data...(....@.......4..............@....pdata.......P.......6..............@..@.rsrc........`.......:..............@..@.reloc..,....p.......<..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.505471888568532
Encrypted:	false
SSDEEP:	192:vd9VkyQ5f8vjVaCHpKpTTjaNe7oca2DW3Q2dhmdcqgwNeecBih:JkP5cjIGpKlqD2D4kzgwNeE
MD5:	D2175300E065347D13211F5BF7581602
SHA1:	3AE92C0B0ECDA1F6B240096A4E68D16D3DB1FFB0
SHA-256:	94556934E3F9EE73C77552D2F3FC369C02D62A4C9E7143E472F8E3EE8C00AEE1
SHA-512:	6156D744800206A431DEE418A1C561FFB45D726DC75467A91D26EE98503B280C6595CDEA02BDA6A023235BD010835EA1FC9CB843E9FEC3501980B47B6B490AF7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%."... ......P.....................................................`.........................................0J.......J..d....p.......`..................,....C...............................B..@............@...............................text....!.......".................. ..`.rdata.......@.......&..............@..@.data...8....P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.06124024160806
Encrypted:	false
SSDEEP:	384:bUv5cJMOZA0nmwBD+XpJgLa0Mp8Qpg4P2llyM:0K1XBD+DgLa1yTi
MD5:	45616B10ABE82D5BB18B9C3AB446E113
SHA1:	91B2C0B0F690AE3ABFD9B0B92A9EA6167049B818
SHA-256:	F348DB1843B8F38A23AEE09DD52FB50D3771361C0D529C9C9E142A251CC1D1EC
SHA-512:	ACEA8C1A3A1FA19034FD913C8BE93D5E273B7719D76CB71C36F510042918EA1D9B44AC84D849570F9508D635B4829D3E10C36A461EC63825BA178F5AC1DE85FB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.$...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text....".......$.................. ..`.rdata..L....@... ...(..............@..@.data...8....`.......H..............@....pdata.......p.......J..............@..@.rsrc................N..............@..@.reloc..4............P..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	6.475467273446457
Encrypted:	false
SSDEEP:	384:oc6HLZiMDFuGu+XHZXmrfXA+UA10ol31tuXy4IYgLWi:B6H1TZXX5XmrXA+NNxWiFdLWi
MD5:	CF3C2F35C37AA066FA06113839C8A857
SHA1:	39F3B0AEFB771D871A93681B780DA3BD85A6EDD0
SHA-256:	1261783F8881642C3466B96FA5879A492EA9E0DAB41284ED9E4A82E8BCF00C80
SHA-512:	1C36B80AAE49FD5E826E95D83297AE153FDB2BC652A47D853DF31449E99D5C29F42ED82671E2996AF60DCFB862EC5536BB0A68635D4E33D33F8901711C0C8BE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.$...@............................................................`.........................................@i.......i..d...............................4....b...............................a..@............@...............................text....#.......$.................. ..`.rdata.......@...0...(..............@..@.data...8....p.......X..............@....pdata...............Z..............@..@.rsrc................^..............@..@.reloc..4............`..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.838534302892255
Encrypted:	false
SSDEEP:	192:0F/1nb2mhQtkr+juOxKbDbnHcqgYvEkrK:u2f6iuOsbDtgYvEmK
MD5:	20708935FDD89B3EDDEEA27D4D0EA52A
SHA1:	85A9FE2C7C5D97FD02B47327E431D88A1DC865F7
SHA-256:	11DD1B49F70DB23617E84E08E709D4A9C86759D911A24EBDDFB91C414CC7F375
SHA-512:	F28C31B425DC38B5E9AD87B95E8071997E4A6F444608E57867016178CD0CA3E9F73A4B7F2A0A704E45F75B7DCFF54490510C6BF8461F3261F676E9294506D09B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	4.9047185025862925
Encrypted:	false
SSDEEP:	192:NRgPX8lvI+KnwSDTPUDEhKWPXcqgzQkvEd:2og9rUD9mpgzQkvE
MD5:	43BBE5D04460BD5847000804234321A6
SHA1:	3CAE8C4982BBD73AF26EB8C6413671425828DBB7
SHA-256:	FAA41385D0DB8D4EE2EE74EE540BC879CF2E884BEE87655FF3C89C8C517EED45
SHA-512:	DBC60F1D11D63BEBBAB3C742FB827EFBDE6DFF3C563AE1703892D5643D5906751DB3815B97CBFB7DA5FCD306017E4A1CDCC0CDD0E61ADF20E0816F9C88FE2C9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d....e.........." ...%..... ......P.....................................................`..........................................9.......9..d....`.......P..d............p..,....3...............................1..@............0...............................text...(........................... ..`.rdata.......0......................@..@.data...8....@.......,..............@....pdata..d....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.300163691206422
Encrypted:	false
SSDEEP:	192:j0J1gSHxKkwv0i8XSi3Sm57NEEE/qexUEtDrdkrRcqgUF6+6vEX:jM01si8XSi3SACqe7tDeDgUUjvE
MD5:	C6B20332B4814799E643BADFFD8DF2CD
SHA1:	E7DA1C1F09F6EC9A84AF0AB0616AFEA55A58E984
SHA-256:	61C7A532E108F67874EF2E17244358DF19158F6142680F5B21032BA4889AC5D8
SHA-512:	D50C7F67D2DFB268AD4CF18E16159604B6E8A50EA4F0C9137E26619FD7835FAAD323B5F6A2B8E3EC1C023E0678BCBE5D0F867CD711C5CD405BD207212228B2B4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K,..B..B..B..R...B..UC..B.RC..B..C..B..UG..B..UF..B..UA..B..J..B..B..B....B..@..B.Rich.B.........................PE..d....e.........." ...%..... ......P.....................................................`..........................................9......x:..d....`.......P...............p..,....3...............................1..@............0.. ............................text............................... ..`.rdata.......0....... ..............@..@.data........@.......0..............@....pdata.......P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	4.260220483695234
Encrypted:	false
SSDEEP:	384:9XUqVT1dZ/GHkJnYcZiGKdZHDLtiduprZNZY0JAIg+v:99HGHfJidSK
MD5:	0B538205388FDD99A043EE3AFAA074E4
SHA1:	E0DD9306F1DBE78F7F45A94834783E7E886EB70F
SHA-256:	C4769D3E6EB2A2FECB5DEC602D45D3E785C63BB96297268E3ED069CC4A019B1A
SHA-512:	2F4109E42DB7BC72EB50BCCC21EB200095312EA00763A255A38A4E35A77C04607E1DB7BB69A11E1D80532767B20BAA4860C05F52F32BF1C81FE61A7ECCEB35ED
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d....e.........." ...%.8...................................................0............`.....................................................d...............l............ ..4...................................@...@............P...............................text....7.......8.................. ..`.rdata..f....P.......<..............@..@.data...8...........................@....pdata..l...........................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	4.276870967324261
Encrypted:	false
SSDEEP:	384:9jUqho9weF5/eHkRnYcZiGKdZHDL7idErZjZYXGg:9RCneH//id42
MD5:	6C3E976AB9F47825A5BD9F73E8DBA74E
SHA1:	4C6EB447FE8F195CF7F4B594CE7EAF928F52B23A
SHA-256:	238CDB6B8FB611DB4626E6D202E125E2C174C8F73AE8A3273B45A0FC18DEA70C
SHA-512:	B19516F00CC0484D9CDA82A482BBFE41635CDBBE19C13F1E63F033C9A68DD36798C44F04D6BD8BAE6523A845E852D81ACADD0D5DD86AF62CC9D081B803F8DF7B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........................................................K......K......Ki.....K.....Rich...........................PE..d....e.........." ...%.:...................................................0............`.................................................P...d............................ ..4...................................@...@............P...............................text...x9.......:.................. ..`.rdata.......P.......>..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..4.... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.578113904149635
Encrypted:	false
SSDEEP:	96:R0qVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EpmFWLOXDwo2Pj15XkcX6gbW6z:DVddiT7pgTctEEI4qXDo11kcqgbW6
MD5:	FEE13D4FB947835DBB62ACA7EAFF44EF
SHA1:	7CC088AB68F90C563D1FE22D5E3C3F9E414EFC04
SHA-256:	3E0D07BBF93E0748B42B1C2550F48F0D81597486038C22548224584AE178A543
SHA-512:	DEA92F935BC710DF6866E89CC6EB5B53FC7ADF0F14F3D381B89D7869590A1B0B1F98F347664F7A19C6078E7AA3EB0F773FFCB711CC4275D0ECD54030D6CF5CB2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d....e.........." ...%............P........................................p............`.........................................p'......((..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.143719741413071
Encrypted:	false
SSDEEP:	384:IUv5cRUtPQtjLJiKMjNrDF6pJgLa0Mp8Q90gYP2lXCM:BKR8I+K0lDFQgLa17zU
MD5:	76F88D89643B0E622263AF676A65A8B4
SHA1:	93A365060E98890E06D5C2D61EFBAD12F5D02E06
SHA-256:	605C86145B3018A5E751C6D61FD0F85CF4A9EBF2AD1F3009A4E68CF9F1A63E49
SHA-512:	979B97AAC01633C46C048010FA886EBB09CFDB5520E415F698616987AE850FD342A4210A8DC0FAC1E059599F253565862892171403F5E4F83754D02D2EF3F366
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.(...0......P.....................................................`.........................................pY.......Z..d............p..................4...@S...............................R..@............@...............................text...X'.......(.................. ..`.rdata..T....@... ...,..............@..@.data...8....`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..4............T..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	5.353267174592179
Encrypted:	false
SSDEEP:	384:7PHNP3Mj7Be/yB/6sB3yxcb+IMcOYqQViCBD8bg6Vf4A:hPcnB8KSsB34cb+bcOYpMCBDX
MD5:	D48BFFA1AF800F6969CFB356D3F75AA6
SHA1:	2A0D8968D74EBC879A17045EFE86C7FB5C54AEE6
SHA-256:	4AA5E9CE7A76B301766D3ECBB06D2E42C2F09D0743605A91BF83069FEFE3A4DE
SHA-512:	30D14AD8C68B043CC49EAFB460B69E83A15900CB68B4E0CBB379FF5BA260194965EF300EB715308E7211A743FF07FA7F8779E174368DCAA7F704E43068CC4858
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.(... ......P.....................................................`..........................................I.......J..d....p.......`..................,....C...............................A..@............@...............................text....'.......(.................. ..`.rdata..8....@.......,..............@..@.data........P.......<..............@....pdata.......`.......>..............@..@.rsrc........p.......B..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.741247880746506
Encrypted:	false
SSDEEP:	192:0F/1nb2mhQtkgU7L9D037tfcqgYvEJPb:u2f6L9DSJxgYvEJj
MD5:	4D9182783EF19411EBD9F1F864A2EF2F
SHA1:	DDC9F878B88E7B51B5F68A3F99A0857E362B0361
SHA-256:	C9F4C5FFCDD4F8814F8C07CE532A164AB699AE8CDE737DF02D6ECD7B5DD52DBD
SHA-512:	8F983984F0594C2CAC447E9D75B86D6EC08ED1C789958AFA835B0D1239FD4D7EBE16408D080E7FCE17C379954609A93FC730B11BE6F4A024E7D13D042B27F185
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8.......9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......&..............@....pdata..X....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.212941287344097
Encrypted:	false
SSDEEP:	192:2F/1nb2mhQtkRySMfJ2ycxFzShJD9bAal2QDeJKcqgQx2QY:M2fKRQB2j8JD2fJagQx2QY
MD5:	F4EDB3207E27D5F1ACBBB45AAFCB6D02
SHA1:	8EAB478CA441B8AD7130881B16E5FAD0B119D3F0
SHA-256:	3274F49BE39A996C5E5D27376F46A1039B6333665BB88AF1CA6D37550FA27B29
SHA-512:	7BDEBF9829CB26C010FCE1C69E7580191084BCDA3E2847581D0238AF1CAA87E68D44B052424FDC447434D971BB481047F8F2DA1B1DEF6B18684E79E63C6FBDC5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%..... ......P.....................................................`..........................................9......\|:..d....`.......P..@............p..,....3...............................2..@............0...............................text...X........................... ..`.rdata.......0....... ..............@..@.data...8....@.......0..............@....pdata..@....P.......2..............@..@.rsrc........`.......6..............@..@.reloc..,....p.......8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.181291194389683
Encrypted:	false
SSDEEP:	192:hF/1nb2mhQt7fSOp/CJPvADQHKtxSOvbcqgEvcM+:N2fNKOZWPIDnxVlgEvL
MD5:	9D28433EA8FFBFE0C2870FEDA025F519
SHA1:	4CC5CF74114D67934D346BB39CA76F01F7ACC3E2
SHA-256:	FC296145AE46A11C472F99C5BE317E77C840C2430FBB955CE3F913408A046284
SHA-512:	66B4D00100D4143EA72A3F603FB193AFA6FD4EFB5A74D0D17A206B5EF825E4CC5AF175F5FB5C40C022BDE676BA7A83087CB95C9F57E701CA4E7F0A2FCE76E599
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%..... ......P.....................................................`.........................................09.......9..d....`.......P..@............p..,....3...............................2..@............0...............................text...8........................... ..`.rdata..4....0......................@..@.data...8....@......................@....pdata..@....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.140195114409974
Encrypted:	false
SSDEEP:	192:RsiHXqpo0cUp8XnUp8XjEQnlDtJI6rcqgcx2:f6DcUp8XUp8AclDA69gcx2
MD5:	8A92EE2B0D15FFDCBEB7F275154E9286
SHA1:	FA9214C8BBF76A00777DFE177398B5F52C3D972D
SHA-256:	8326AE6AD197B5586222AFA581DF5FE0220A86A875A5E116CB3828E785FBF5C2
SHA-512:	7BA71C37AAF6CB10FC5C595D957EB2846032543626DE740B50D7CB954FF910DCF7CEAA56EB161BAB9CC1F663BADA6CA71973E6570BAC7D6DA4D4CC9ED7C6C3DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%..... ......P.....................................................`..........................................9......0:..d....`.......P..(............p..,....4...............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@......................@....pdata..(....P.......0..............@..@.rsrc........`.......4..............@..@.reloc..,....p.......6..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	5.203867759982304
Encrypted:	false
SSDEEP:	192:WsiHXqpwUiv6wPf+4WVrd1DFrCqwWwcqgfvE:s6biio2Pd1DFmlgfvE
MD5:	FE16E1D12CF400448E1BE3FCF2D7BB46
SHA1:	81D9F7A2C6540F17E11EFE3920481919965461BA
SHA-256:	ADE1735800D9E82B787482CCDB0FBFBA949E1751C2005DCAE43B0C9046FE096F
SHA-512:	A0463FF822796A6C6FF3ACEBC4C5F7BA28E7A81E06A3C3E46A0882F536D656D3F8BAF6FB748008E27F255FE0F61E85257626010543FC8A45A1E380206E48F07C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%............P.....................................................`.........................................p8...... 9..d....`.......P..(............p..,...@3...............................2..@............0...............................text...X........................... ..`.rdata..p....0......................@..@.data...p....@.......,..............@....pdata..(....P......................@..@.rsrc........`.......2..............@..@.reloc..,....p.......4..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.478301937972917
Encrypted:	false
SSDEEP:	192:hZ9WXA7M93g8U7soSchhiLdjM5J6ECTGmDZkRsP0rcqgjPrvE:8Q0gH7zSccA5J6ECTGmDua89gjPrvE
MD5:	34EBB5D4A90B5A39C5E1D87F61AE96CB
SHA1:	25EE80CC1E647209F658AEBA5841F11F86F23C4E
SHA-256:	4FC70CB9280E414855DA2C7E0573096404031987C24CF60822854EAA3757C593
SHA-512:	82E27044FD53A7309ABAECA06C077A43EB075ADF1EF0898609F3D9F42396E0A1FA4FFD5A64D944705BBC1B1EBB8C2055D8A420807693CC5B70E88AB292DF81B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%. ..........P.....................................................`..........................................8.......9..d....`.......P..X............p..,....3...............................1..@............0...............................text............ .................. ..`.rdata.......0.......$..............@..@.data........@.......2..............@....pdata..X....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.69608744353984
Encrypted:	false
SSDEEP:	384:nkP5RjF7GsIyV6Lx41NVYaVmtShQRKAa8+DSngkov:onx7RI26LuuHKz8+DbN
MD5:	42C2F4F520BA48779BD9D4B33CD586B9
SHA1:	9A1D6FFA30DCA5CE6D70EAC5014739E21A99F6D8
SHA-256:	2C6867E88C5D3A83D62692D24F29624063FCE57F600483BAD6A84684FF22F035
SHA-512:	1F0C18E1829A5BAE4A40C92BA7F8422D5FE8DBE582F7193ACEC4556B4E0593C898956065F398ACB34014542FCB3365DC6D4DA9CE15CB7C292C8A2F55FB48BB2B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%.... ......P.....................................................`..........................................I.......J..d....p.......`..................,....D..............................PC..@............@...............................text....)......................... ..`.rdata.......@......................@..@.data...8....P.......>..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc..,............F..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.7981108922569735
Encrypted:	false
SSDEEP:	384:qPHNP3MjevhSY/8EBbVxcJ0ihTLdFDuPHgj+kf4D:sPcKvr/jUJ0sbDGAj+t
MD5:	AB0BCB36419EA87D827E770A080364F6
SHA1:	6D398F48338FB017AACD00AE188606EB9E99E830
SHA-256:	A927548ABEA335E6BCB4A9EE0A949749C9E4AA8F8AAD481CF63E3AC99B25A725
SHA-512:	3580FB949ACEE709836C36688457908C43860E68A36D3410F3FA9E17C6A66C1CDD7C081102468E4E92E5F42A0A802470E8F4D376DAA4ED7126818538E0BD0BC4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.0..........P.....................................................`..........................................H.......I..d....p.......`..X...............,....C...............................A..@............@...............................text..../.......0.................. ..`.rdata.......@.......4..............@..@.data........P.......B..............@....pdata..X....`.......D..............@..@.rsrc........p.......H..............@..@.reloc..,............J..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.865452719694432
Encrypted:	false
SSDEEP:	384:y1jwGPJHLvzcY1EEerju9LcTZ6RO3RouLKtcyDNOcwgjxo:QjwyJUYToZwOLuzDNB1j
MD5:	C8FE3FF9C116DB211361FBB3EA092D33
SHA1:	180253462DD59C5132FBCCC8428DEA1980720D26
SHA-256:	25771E53CFECB5462C0D4F05F7CAE6A513A6843DB2D798D6937E39BA4B260765
SHA-512:	16826BF93C8FA33E0B5A2B088FB8852A2460E0A02D699922A39D8EB2A086E981B5ACA2B085F7A7DA21906017C81F4D196B425978A10F44402C5DB44B2BF4D00A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.867732744112887
Encrypted:	false
SSDEEP:	384:51jwGPJHLxzcY1EEerju9LcTZ6RO3RouLKtcyDNIegjxo:rjwyJOYToZwOLuzDNI7j
MD5:	A442EA85E6F9627501D947BE3C48A9DD
SHA1:	D2DEC6E1BE3B221E8D4910546AD84FE7C88A524D
SHA-256:	3DBCB4D0070BE355E0406E6B6C3E4CE58647F06E8650E1AB056E1D538B52B3D3
SHA-512:	850A00C7069FFDBA1EFE1324405DA747D7BD3BA5D4E724D08A2450B5A5F15A69A0D3EAF67CEF943F624D52A4E2159A9F7BDAEAFDC6C689EACEA9987414250F3B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.8... ......P.....................................................`..........................................Z.......[..d............p..................,... T...............................R..@............P...............................text....6.......8.................. ..`.rdata.......P.......<..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..,............T..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.860044313282322
Encrypted:	false
SSDEEP:	384:xFDL3RqE3MjjQ95UnLa+1WT1aA7qHofg5JptfISH2mDDXfgjVx2:jDLh98jjRe+1WT1aAeIfMzxH2mDDIj
MD5:	59BA0E05BE85F48688316EE4936421EA
SHA1:	1198893F5916E42143C0B0F85872338E4BE2DA06
SHA-256:	C181F30332F87FEECBF930538E5BDBCA09089A2833E8A088C3B9F3304B864968
SHA-512:	D772042D35248D25DB70324476021FB4303EF8A0F61C66E7DED490735A1CC367C2A05D7A4B11A2A68D7C34427971F96FF7658D880E946C31C17008B769E3B12F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.J..."......P.....................................................`......................................... l.......m..d...............................,....e...............................d..@............`...............................text...hH.......J.................. ..`.rdata..X....`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	5.917025846093607
Encrypted:	false
SSDEEP:	384:tFYLXRqEnMgj969GUnLa+1WT1aA7qHofg5JptfIS320DXwElrgjhig:PYLB9Mgj0e+1WT1aAeIfMzx320DXD+j
MD5:	8194D160FB215498A59F850DC5C9964C
SHA1:	D255E8CCBCE663EE5CFD3E1C35548D93BFBBFCC0
SHA-256:	55DEFCD528207D4006D54B656FD4798977BD1AAE6103D4D082A11E0EB6900B08
SHA-512:	969EEAA754519A58C352C24841852CF0E66C8A1ADBA9A50F6F659DC48C3000627503DDFB7522DA2DA48C301E439892DE9188BF94EEAF1AE211742E48204C5E42
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%.J..."......P.....................................................`..........................................l.......m..d...............................,...@f...............................e..@............`...............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..,............h..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	4.999870226643325
Encrypted:	false
SSDEEP:	192:DzFRF/1nb2mhQtk4axusjfkgZhoYDQgRjcqgQvEty:DzFd2f64axnTTz5D1gQvEty
MD5:	C89BECC2BECD40934FE78FCC0D74D941
SHA1:	D04680DF546E2D8A86F60F022544DB181F409C50
SHA-256:	E5B6E58D6DA8DB36B0673539F0C65C80B071A925D2246C42C54E9FCDD8CA08E3
SHA-512:	715B3F69933841BAADC1C30D616DB34E6959FD9257D65E31C39CD08C53AFA5653B0E87B41DCC3C5E73E57387A1E7E72C0A668578BD42D5561F4105055F02993C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...b..b..b..R...b..Uc..b.Rc..b..c..b..Ug..b..Uf..b..Ua..b..j..b..b..b....b..`..b.Rich.b.................PE..d....e.........." ...%............P.....................................................`..........................................8......89..d....`.......P...............p..,....3...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......(..............@....pdata.......P.......*..............@..@.rsrc........`......................@..@.reloc..,....p.......0..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.025153056783597
Encrypted:	false
SSDEEP:	192:AF/1nb2mhQtks0iiNqdF4mtPjD02A5APYcqgYvEL2x:62f6fFA/4GjDFcgYvEL2x
MD5:	C4CC05D3132FDFB05089F42364FC74D2
SHA1:	DA7A1AE5D93839577BBD25952A1672C831BC4F29
SHA-256:	8F3D92DE840ABB5A46015A8FF618FF411C73009CBAA448AC268A5C619CF84721
SHA-512:	C597C70B7AF8E77BEEEBF10C32B34C37F25C741991581D67CF22E0778F262E463C0F64AA37F92FBC4415FE675673F3F92544E109E5032E488F185F1CFBC839FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4Y..Z...Z...Z......Z..[...Z...[...Z...[...Z.._...Z..^...Z..Y...Z..RR...Z..RZ...Z..R....Z..RX...Z.Rich..Z.........PE..d....e.........." ...%............P.....................................................`..........................................8......h9..d....`.......P..X............p..,....2...............................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...8....@.......*..............@....pdata..X....P.......,..............@..@.rsrc........`.......0..............@..@.reloc..,....p.......2..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.235115741550938
Encrypted:	false
SSDEEP:	192:XTRgffnRaNfBj9xih1LPK73jm6AXiN4rSRIh42gDhgvrjcqgCieT3WQ:XafgNpj9cHW3jqXeBRamDOZgCieT
MD5:	1E201DF4B4C8A8CD9DA1514C6C21D1C4
SHA1:	3DC8A9C20313AF189A3FFA51A2EAA1599586E1B2
SHA-256:	A428372185B72C90BE61AC45224133C4AF6AE6682C590B9A3968A757C0ABD6B4
SHA-512:	19232771D4EE3011938BA2A52FA8C32E00402055038B5EDF3DDB4C8691FA7AE751A1DC16766D777A41981B7C27B14E9C1AD6EBDA7FFE1B390205D0110546EE29
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%."... ......P.....................................................`.........................................`I......TJ..d....p.......`..p...............,....C...............................B..@............@...............................text...(!.......".................. ..`.rdata.......@.......&..............@..@.data........P.......6..............@....pdata..p....`.......8..............@..@.rsrc........p.......<..............@..@.reloc..,............>..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.133714807569085
Encrypted:	false
SSDEEP:	192:JZNGXEgvUh43G6coX2SSwmPL4V7wTdDlpaY2cqgWjvE:EVMhuGGF2L4STdDyYWgWjvE
MD5:	76C84B62982843367C5F5D41B550825F
SHA1:	B6DE9B9BD0E2C84398EA89365E9F6D744836E03A
SHA-256:	EBCD946F1C432F93F396498A05BF07CC77EE8A74CE9C1A283BF9E23CA8618A4C
SHA-512:	03F8BB1D0D63BF26D8A6FFF62E94B85FFB4EA1857EB216A4DEB71C806CDE107BA0F9CC7017E3779489C5CEF5F0838EDB1D70F710BCDEB629364FC288794E6AFE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..z...z...z......z..{...z...{...z...{...z......z..~...z..y...z..Rr...z..Rz...z..R....z..Rx...z.Rich..z.................PE..d....e.........." ...%..... ......P.....................................................`......................................... 9.......9..d....`.......P..\|............p..,....3...............................1..@............0...............................text...X........................... ..`.rdata..(....0......."..............@..@.data........@.......2..............@....pdata..\|....P.......4..............@..@.rsrc........`.......8..............@..@.reloc..,....p.......:..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	35840
Entropy (8bit):	5.928082706906375
Encrypted:	false
SSDEEP:	768:8bEkzS7+k9rMUb8cOe9rs9ja+V/Mhjh56GS:8bEP779rMtcOCs0I/Mhf
MD5:	B41160CF884B9E846B890E0645730834
SHA1:	A0F35613839A0F8F4A87506CD59200CCC3C09237
SHA-256:	48F296CCACE3878DE1148074510BD8D554A120CAFEF2D52C847E05EF7664FFC6
SHA-512:	F4D57351A627DD379D56C80DA035195292264F49DC94E597AA6638DF5F4CF69601F72CC64FC3C29C5CBE95D72326395C5C6F4938B7895C69A8D839654CFC8F26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d......e.........." ...%.^...0......`.....................................................`..........................................~..\|...\...d...............................,....s...............................q..@............p..(............................text...8].......^.................. ..`.rdata.......p.......b..............@..@.data................v..............@....pdata..............................@..@.rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.799063285091512
Encrypted:	false
SSDEEP:	192:nkCfXASTMeAk4OepIXcADp/X6RcqgO5vE:ZJMcPepIXcAD563gO5vE
MD5:	BA46602B59FCF8B01ABB135F1534D618
SHA1:	EFF5608E05639A17B08DCA5F9317E138BEF347B5
SHA-256:	B1BAB0E04AC60D1E7917621B03A8C72D1ED1F0251334E9FA12A8A1AC1F516529
SHA-512:	A5E2771623DA697D8EA2E3212FBDDE4E19B4A12982A689D42B351B244EFBA7EFA158E2ED1A2B5BC426A6F143E7DB810BA5542017AB09B5912B3ECC091F705C6E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K............RQ.....U.....R............U......U......U..................=..........Rich...................PE..d....e.........." ...%............P.....................................................`..........................................8..d...$9..d....`.......P..4............p..,....3...............................1..@............0...............................text...x........................... ..`.rdata.......0......................@..@.data........@.......&..............@....pdata..4....P.......(..............@..@.rsrc........`.......,..............@..@.reloc..,....p......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754688
Entropy (8bit):	7.624959985050181
Encrypted:	false
SSDEEP:	12288:I1UrmZ9HoxJ8gf1266y8IXhJvCKAmqVLzcrZgYIMGv1iLD9yQvG6h9:gYmzHoxJFf1p34hcrn5Go9yQO6L
MD5:	3F20627FDED2CF90E366B48EDF031178
SHA1:	00CED7CD274EFB217975457906625B1B1DA9EBDF
SHA-256:	E36242855879D71AC57FBD42BB4AE29C6D80B056F57B18CEE0B6B1C0E8D2CF57
SHA-512:	05DE7C74592B925BB6D37528FC59452C152E0DCFC1D390EA1C48C057403A419E5BE40330B2C5D5657FEA91E05F6B96470DDDF9D84FF05B9FD4192F73D460093C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&:..b[.Lb[.Lb[.Lk#sLd[.Lw$.M`[.L)#.Ma[.Lb[.LI[.Lw$.Mn[.Lw$.Mj[.Lw$.Ma[.LX..Mg[.LX..Mc[.LX..Lc[.LX..Mc[.LRichb[.L........................PE..d....e.........." ...%.n..........`.....................................................`..........................................p..d...tq..d...............0...............4...@Z...............................Y..@...............(............................text....l.......n.................. ..`.rdata...............r..............@..@.data................j..............@....pdata..0............r..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_ed25519.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	5.792654050660321
Encrypted:	false
SSDEEP:	384:hBwi/rOF26VZW1n0n/Is42g9qhrnW0mvPauYhz35sWJftjb1Ddsia15gkbQ0e1:/L/g28Ufsxg9GmvPauYLxtX1D/kf
MD5:	290D936C1E0544B6EC98F031C8C2E9A3
SHA1:	CAEEA607F2D9352DD605B6A5B13A0C0CB1EA26EC
SHA-256:	8B00C859E36CBCE3EC19F18FA35E3A29B79DE54DA6030AAAD220AD766EDCDF0A
SHA-512:	F08B67B633D3A3F57F1183950390A35BF73B384855EAAB3AE895101FBC07BCC4990886F8DE657635AD528D6C861BC2793999857472A5307FFAA963AA6685D7E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..........)......................................R......R......RE.....R.....Rich...........PE..d....e.........." ...%.F...(......P.....................................................`..........................................j..0....k..d...............................,...pc..............................0b..@............`...............................text...xD.......F.................. ..`.rdata.."....`.......J..............@..@.data................\..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..,............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_ed448.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	6.060461288575063
Encrypted:	false
SSDEEP:	1536:nqctkGACFI5t35q2JbL0UbkrwwOoKXyMH1B7M9rMdccdWxRLpq:nqctkGACFI5t35q2JbgrwwOoqLTM9rMh
MD5:	5782081B2A6F0A3C6B200869B89C7F7D
SHA1:	0D4E113FB52FE1923FE05CDF2AB9A4A9ABEFC42E
SHA-256:	E72E06C721DD617140EDEBADD866A91CF97F7215CBB732ECBEEA42C208931F49
SHA-512:	F7FD695E093EDE26FCFD0EE45ADB49D841538EB9DAAE5B0812F29F0C942FB13762E352C2255F5DB8911F10FA1B6749755B51AAE1C43D8DF06F1D10DE5E603706
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N4.\|.U./.U./.U./.-a/.U./....U./A-...U./.U./!U./....U./....U./....U./0....U./0....U./0../.U./0....U./Rich.U./................PE..d......e.........." ...%.....8......`........................................@............`.........................................`...h.......d.... .......................0..,.......................................@............................................text............................... ..`.rdata..*...........................@..@.data...............................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..,....0......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\PublicKey\_x25519.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.488437566846231
Encrypted:	false
SSDEEP:	96:tpVVdJvbrqTu6ZdpvY0IluLfcC75JiC4cs89EfqADwhDTAbcX6gn/7EC:5VddiT7pgTctdErDwDTicqgn/7
MD5:	289EBF8B1A4F3A12614CFA1399250D3A
SHA1:	66C05F77D814424B9509DD828111D93BC9FA9811
SHA-256:	79AC6F73C71CA8FDA442A42A116A34C62802F0F7E17729182899327971CFEB23
SHA-512:	4B95A210C9A4539332E2FB894D7DE4E1B34894876CCD06EEC5B0FC6F6E47DE75C0E298CF2F3B5832C9E028861A53B8C8E8A172A3BE3EC29A2C9E346642412138
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.h.r.h.r.h.{...p.h.g.i.p.h.9.i.q.h.r.i.V.h.g.m.y.h.g.l.z.h.g.k.q.h.H.`.s.h.H.h.s.h.H...s.h.H.j.s.h.Richr.h.........................PE..d....e.........." ...%............P........................................p............`..........................................'..P...0(..P....P.......@...............`..,...P#..............................."..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.730605326965181
Encrypted:	false
SSDEEP:	96:MJVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EVAElIijKDQGrbMZYJWJcX6gbW6s:CVddiT7pgTctEEaEDKDlMCWJcqgbW6
MD5:	4D9C33AE53B38A9494B6FBFA3491149E
SHA1:	1A069E277B7E90A3AB0DCDEE1FE244632C9C3BE4
SHA-256:	0828CAD4D742D97888D3DFCE59E82369317847651BBA0F166023CB8ACA790B2B
SHA-512:	BDFBF29198A0C7ED69204BF9E9B6174EBB9E3BEE297DD1EB8EB9EA6D7CAF1CC5E076F7B44893E58CCF3D0958F5E3BDEE12BD090714BEB5889836EE6F12F0F49E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d....e.........." ...%............P........................................p............`..........................................'..\|....'..P....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.685843290341897
Encrypted:	false
SSDEEP:	96:6ZVVdJvbrqTu6ZdpvY0IluLfcC75JiCKs89EMz3DHWMoG4BcX6gbW6O:IVddiT7pgTctEEO3DLoHcqgbW6
MD5:	8F4313755F65509357E281744941BD36
SHA1:	2AAF3F89E56EC6731B2A5FA40A2FE69B751EAFC0
SHA-256:	70D90DDF87A9608699BE6BBEDF89AD469632FD0ADC20A69DA07618596D443639
SHA-512:	FED2B1007E31D73F18605FB164FEE5B46034155AB5BB7FE9B255241CFA75FF0E39749200EB47A9AB1380D9F36F51AFBA45490979AB7D112F4D673A0C67899EF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.`.r.`.r.`.{...p.`.g.a.p.`.9.a.q.`.r.a.Q.`.g.e.y.`.g.d.z.`.g.c.q.`.H.h.s.`.H.`.s.`.H...s.`.H.b.s.`.Richr.`.................PE..d....e.........." ...%............P........................................p............`.........................................`'..t....'..P....P.......@...............`..,...."...............................!..@............ ...............................text...x........................... ..`.rdata....... ......................@..@.data...8....0....... ..............@....pdata.......@......."..............@..@.rsrc........P.......$..............@..@.reloc..,....`.......&..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin\mfc140u.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5653424
Entropy (8bit):	6.729277267882055
Encrypted:	false
SSDEEP:	49152:EuEsNcEc8/CK4b11P5ViH8gw0+NVQD5stWIlE7lva8iposS9j5fzSQzs7ID+AVuS:EnL8+5fiEnQFLOAkGkzdnEVomFHKnPS
MD5:	03A161718F1D5E41897236D48C91AE3C
SHA1:	32B10EB46BAFB9F81A402CB7EFF4767418956BD4
SHA-256:	E06C4BD078F4690AA8874A3DEB38E802B2A16CCB602A7EDC2E077E98C05B5807
SHA-512:	7ABCC90E845B43D264EE18C9565C7D0CBB383BFD72B9CEBB198BA60C4A46F56DA5480DA51C90FF82957AD4C84A4799FA3EB0CEDFFAA6195F1315B3FF3DA1BE47
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q.cu...&...&...&...'...&...'...&...'...&..&...&G..'...&G..'...&...'...&...&..&G..'...&G..'...&G..'...&G..'...&G..&...&G..'...&Rich...&................PE..d....~.a.........." .....(-..X)......X,.......................................V......YV...`A..........................................:.....h.;.......?......`=..8....V..'...PU.0p..p.5.T...........................`...8............@-.P...0.:......................text....&-......(-................. ..`.rdata.......@-......,-.............@..@.data....6... <.......<.............@....pdata...8...`=..:....<.............@..@.didat..H.....?.......?.............@....rsrc.........?.......?.............@..@.reloc..0p...PU..r....T.............@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\Pythonwin\win32ui.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1143296
Entropy (8bit):	6.042100978272984
Encrypted:	false
SSDEEP:	12288:+jUcbgAIjeB47XV6LMDANfo4KR0fpCTuWpG0LwP8Ehzf3N:+DbOG47X3ANfoNnTt40TEhL3
MD5:	0E96B5724C2213300864CEB36363097A
SHA1:	151931D9162F9E63E8951FC44A9B6D89AF7AF446
SHA-256:	85CF3081B0F1ADAFDBDCF164D7788A7F00E52BACDF02D1505812DE4FACFC962F
SHA-512:	46E8FEE7B12F061EA8A7AB0CD4A8E683946684388498D6117AFC404847B9FBB0A16DC0E5480609B1352DF8F61457DCDBDA317248CA81082CC4F30E29A3242D3B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k.N..~...~...~..r....~.v.....~..a....~...z...~...}...~...{...~.......~.......~.v.w...~.v.~...~.v.....~.v.\|...~.Rich..~.........................PE..d......d.........." .........r......T.....................................................`.........................................@....T..Hr..h...............................p\..p...T.......................(......8................0...........................text............................... ..`.rdata..f...........................@..@.data...............................@....pdata...............d..............@..@.rsrc...............................@..@.reloc..p\.......^..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119192
Entropy (8bit):	6.6016214745004635
Encrypted:	false
SSDEEP:	1536:+qvQ1Dj2DkX7OcujarvmdlYNABCmgrP4ddbkZIecbWcFML/UXzlghzdMFw84hzk:+qvQ1D2CreiABCmgYecbWVLUD6h+b4ho
MD5:	BE8DBE2DC77EBE7F88F910C61AEC691A
SHA1:	A19F08BB2B1C1DE5BB61DAF9F2304531321E0E40
SHA-256:	4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
SHA-512:	0DA644472B374F1DA449A06623983D0477405B5229E386ACCADB154B43B8B083EE89F07C3F04D2C0C7501EAD99AD95AECAA5873FF34C5EEB833285B598D5A655
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.../c../c../c._]b./c..W.../c../b./c../c../c...`./c...g./c...f./c...c./c....../c...a./c.Rich./c.........................PE..d.....cW.........." ...&. ...d......................................................-.....`A.........................................e..4...4m...........................O...........N..p............................L..@............0...............................text...&........................... ..`fothk........ ...................... ..`.rdata..\C...0...D...$..............@..@.data...p............h..............@....pdata...............l..............@..@_RDATA...............x..............@..@.rsrc................z..............@..@.reloc...............~..............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49528
Entropy (8bit):	6.662491747506177
Encrypted:	false
SSDEEP:	768:wPIyGVrxmKqOnA4j3z6Su77A+i0QLxi9z9Rtii9zn+:fBr87uW1nA8QLx+zrti+zn+
MD5:	F8DFA78045620CF8A732E67D1B1EB53D
SHA1:	FF9A604D8C99405BFDBBF4295825D3FCBC792704
SHA-256:	A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
SHA-512:	BA7F8B7AB0DEB7A7113124C28092B543E216CA08D1CF158D9F40A326FB69F4A2511A41A59EA8482A10C9EC4EC8AC69B70DFE9CA65E525097D93B819D498DA371
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9@.W}!..}!..}!...S...!..{....!..tYJ.v!..}!..N!..{...x!..{...z!..{...f!..{...\|!..{.&.\|!..{...\|!..Rich}!..................PE..d.....v..........." ...&.<...8.......B...................................................`A........................................Pm.......m..x....................r..xO......D....c..p...........................`b..@............P..`............................text...p:.......<.................. ..`.rdata...#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_asyncio.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65304
Entropy (8bit):	6.188956852878315
Encrypted:	false
SSDEEP:	1536:g2NcWvZEvWjtzE6OAz9WFIbOnP17Sy/xXY:g2NcefdE6OAz9WFIbOn9DY
MD5:	41806866D74E5EDCE05EDC0AD47752B9
SHA1:	C3D603C029FDAC45BAC37BB2F449FAB86B8845DD
SHA-256:	76DB93BD64CB4A36EDB37694456F89BB588DB98CF2733EB436F000B309EEC3B2
SHA-512:	2A019EFAF3315B8B98BE93AC4BEA15CEC8B9ECC6EAB298FA93D3947BAD2422B5A126D52CB4998363BDC82641FBA9B8F42D589AFE52D02914E55A5A6116989FDE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z2.T.Sq..Sq..Sq..+...Sq..,p..Sq..,t..Sq..,u..Sq..,r..Sq.$.p..Sq.U+p..Sq..Sp..Sq.$.\|..Sq.$.q..Sq.$...Sq.$.s..Sq.Rich.Sq.................PE..d......e.........." ...%.R..........`.....................................................`.........................................@...P.......d......................../..........`w..T........................... v..@............p...............................text....P.......R.................. ..`.rdata...J...p...L...V..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84760
Entropy (8bit):	6.5702075964298015
Encrypted:	false
SSDEEP:	1536:xqgz7lGeu595+NHRGYWlnswz108Lh3uwtIbCVW7Syqx7T:AgzxAbl3nLhJtIbCVW8T
MD5:	37EACE4B806B32F829DE08DB3803B707
SHA1:	8A4E2BB2D04685856D1DE95B00F3FFC6EA1E76B9
SHA-256:	1BE51EF2B5ACBE490217AA1FF12618D24B95DF6136C6844714B9CA997B4C7F9B
SHA-512:	1591A263DE16373EE84594943A0993721B1E1A2F56140D348A646347A8E9760930DF4F632ADCEE9C9870F9C20D7818A3A8C61B956723BF94777E0B7FB7689B2D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<..R..R..R......R...S..R.....R...W..R...V..R...Q..R...S..R..S..R..S..R..._..R...R..R......R...P..R.Rich.R.........................PE..d...)..e.........." ...%.....^...............................................P....../.....`.........................................p...H............0....... .. ......../...@..........T...........................p...@............................................text...G........................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_cffi_backend.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	178176
Entropy (8bit):	6.165902427203749
Encrypted:	false
SSDEEP:	3072:87aw5iwiVHprp0+/aSdXUONX9dAXS7qkSTLkKh23/qZl:87kBVHplaSdRj4LkSTLLhW/q
MD5:	739D352BD982ED3957D376A9237C9248
SHA1:	961CF42F0C1BB9D29D2F1985F68250DE9D83894D
SHA-256:	9AEE90CF7980C8FF694BB3FFE06C71F87EB6A613033F73E3174A732648D39980
SHA-512:	585A5143519ED9B38BB53F912CEA60C87F7CE8BA159A1011CF666F390C2E3CC149E0AC601B008E039A0A78EAF876D7A3F64FFF612F5DE04C822C6E214BC2EFDE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A:.#.[.p.[.p.[.p.#.p.[.p..q.[.p..zp.[.p..q.[.p..q.[.p..q.[.pN#.q.[.pj.q.[.p.[.p.[.pM.q.[.p.#.p.[.pM.q.[.pM.xp.[.pM.q.[.pRich.[.p................PE..d......f.........." ...).....B............................................... ............`.........................................PX..l....X.......................................?...............................=..@............................................text...X........................... ..`.rdata..............................@..@.data....].......0...j..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124696
Entropy (8bit):	6.042889733169693
Encrypted:	false
SSDEEP:	3072:bZMeF788mzTWJMNufLI2qV6phIzRIbLPMV:bmeGWWNufLI2ichyZ
MD5:	A25CDCF630C024047A47A53728DC87CD
SHA1:	8555AE488E0226A272FD7DB9F9BDBB7853E61A21
SHA-256:	3D43869A4507ED8ECE285AE85782D83BB16328CF636170ACB895C227EBB142AC
SHA-512:	F6A4272DEDDC5C5C033A06E80941A16F688E28179EAB3DBC4F7A9085EA4AD6998B89FC9AC501C5BF6FEA87E0BA1D9F2EDA819AD183B6FA7B6DDF1E91366C12AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........X...X...X...Q.*.^...M...Z...M...T...M...P...M...\...b...Z.......Y.......^.......[...X.......b...^...b...Y...b.F.Y...b...Y...RichX...........PE..d...%..e.........." ...%.............\....................................................`..........................................Q.......Q..................P......../..............T...........................`...@............................................text............................... ..`.rdata..2m.......n..................@..@.data...$=...p...8...`..............@....pdata..P...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	253720
Entropy (8bit):	6.552393878399124
Encrypted:	false
SSDEEP:	6144:F4aNJPKHCXqKEyKOxVpclJeMvfrZNxKl9qWM53pLW1A+6teJCxc:O2JyHCXqKIMpgeMnr5K4lRxc
MD5:	E4E032221ACA4033F9D730F19DC3B21A
SHA1:	584A3B4BC26A323CE268A64AAD90C746731F9A48
SHA-256:	23BDD07B84D2DBCB077624D6DCBFC66AB13A9EF5F9EEBE31DC0FFECE21B9E50C
SHA-512:	4A350BA9E8481B66E7047C9E6C68E6729F8074A29EF803ED8452C04D6D61F8F70300D5788C4C3164B0C8FB63E7C9715236C0952C3166B606E1C7D7FFF36B7C4C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........mBP\.,.\.,.\.,.Ut..R.,.Is-.^.,.Is).Q.,.Is(.T.,.Is/.X.,.f.-._.,..t-.^.,.\.-...,.f./.].,.f.!.S.,.f.,.].,.f...].,.f...].,.Rich\.,.........PE..d......e.........." ...%.x...<.......................................................2....`......................................... T..P...pT...................&......./......P.......T...........................`...@............................................text...1v.......x.................. ..`.rdata..l............\|..............@..@.data....*...p...$...T..............@....pdata...&.......(...x..............@..@.rsrc...............................@..@.reloc..P...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	65304
Entropy (8bit):	6.254250311701017
Encrypted:	false
SSDEEP:	1536:0WuY1lTorKnYzF9G0pLOjWNBgFIbOIp7Sy0Vxu:tuYc9GIOjiBgFIbOIpqC
MD5:	BA682DFCDD600A4BB43A51A0D696A64C
SHA1:	DF85AD909E9641F8FCAA0F8F5622C88D904E9E20
SHA-256:	2AD55E11BDDB5B65CDF6E9E126D82A3B64551F7AD9D4CBF74A1058FD7E5993BD
SHA-512:	79C607E58881D3C3DFB83886FE7AA4CDDB5221C50499D33FE21E1EFB0FFA1FD0D3F52CBE97B16B04FBE2B067D6EB5997AC66DEC9D2A160D3CB6D44FFCA0F5636
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........t..n'..n'..n'..'..n'.o&..n'.k&..n'.j&..n'.m&..n'..o&..n'.xo&..n'..o'r.n'.xc&..n'.xn&..n'.x.'..n'.xl&..n'Rich..n'........PE..d...D..e.........." ...%.T...~......0@...............................................~....`.............................................P................................/......X...P}..T............................\|..@............p..0............................text....S.......T.................. ..`.rdata..rO...p...P...X..............@..@.data...8...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	159512
Entropy (8bit):	6.8416618325941725
Encrypted:	false
SSDEEP:	3072:OJlBQV6AniiMeSznf09mNogMKNA/ZttIbZ1bW/9:OJlozifF8YOgbihtL
MD5:	3273720DDF2C5B75B072A1FB13476751
SHA1:	5FE0A4F98E471EB801A57B8C987F0FEB1781CA8B
SHA-256:	663F1087C2ED664C5995A3FFA64546D2E33A0FCE8A9121B48CC7C056B74A2948
SHA-512:	919DBBFCC2F5913655D77F6C4AE9BAA3A300153A5821DC9F23E0ACEB89F69CB9FB86D6CE8F367B9301E0F7B6027E6B2F0911A2E73255AB5150A74B862F8AF18E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RH...)t..)t..)t..Q...)t..Vu..)t..Vq..)t..Vp..)t..Vw..)t.,.u..)t.]Qu..)t..)u.p)t.,.y.,)t.,.t..)t.,....)t.,.v..)t.Rich.)t.................PE..d...F..e.........." ...%.d...........6....................................................`..........................................%..L...\%..x....p.......P.......@.../......8.......T...............................@............................................text....b.......d.................. ..`.rdata..............h..............@..@.data........@......................@....pdata.......P....... ..............@..@.rsrc........p.......4..............@..@.reloc..8............>..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_multiprocessing.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	34584
Entropy (8bit):	6.412362180449176
Encrypted:	false
SSDEEP:	768:rkLI6Rwc95w5lTdywGnJj1IbWtNS5YiSyvjAMxkEHB:kIk95klTdywGJj1IbWtNQ7Sy7xrB
MD5:	758128E09779A4BAA28E68A8B9EE2476
SHA1:	4E81C682CF18E2A4B46E50F037799C43C6075F11
SHA-256:	3C5B0823E30810AEE47FDFAD567491BC33DD640C37E35C8600E75C5A8D05CE2A
SHA-512:	5096F0DAACF72012A7AD08B177C366B4FE1DED3A18AEBFE438820B79C7CB735350EF831A7FB7D10482EEFD4C0B8A41511042BB41F4507BBC0332C52DF9288088
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........*..y..y..y..y..y...x..y...x..y...x..y...x..y.L.x..y..y..y...x..y.L.x..y.L.x..y.Loy..y.L.x..yRich..y........PE..d......e.........." ...%.....<......0.....................................................`.........................................0D..`....D..x....p.......`.......X.../...........4..T...........................p3..@............0...............................text............................... ..`.rdata..^....0... ..."..............@..@.data........P.......B..............@....pdata.......`.......H..............@..@.rsrc........p.......L..............@..@.reloc...............V..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_overlapped.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	51480
Entropy (8bit):	6.391641395965735
Encrypted:	false
SSDEEP:	768:z4Cryw+9YWFx6Zc7FXuhAnYRlgVvEEkC59fYJIbXtA5YiSyvgrAMxkEDV:zJh8FXZVvvkCnfYJIbXtS7Sy4LxN
MD5:	E2A301B3FD3BDFEC3BF6CA006189B2AC
SHA1:	86B29EE1A42DE70135A6786CDCE69987F1F61193
SHA-256:	4990F62E11C0A5AB15A9FFCE9D054F06D0BC9213AEA0C2A414A54FA01A5EB6DC
SHA-512:	4E5493CC4061BE923B253164FD785685D5ECCF16FD3ACB246B9D840F6F7D9ED53555F53725AF7956157D89EAA248A3505C30BD88C26E04AABDAE62E4774FFA4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8j.{\|.w(\|.w(\|.w(us.(x.w(itv)~.w(itr)p.w(its)t.w(itt)..w(F.v)~.w(\|.v(..w(7sv)y.w(7ss)}.w(F.z)}.w(F.w)}.w(F..(}.w(F.u)}.w(Rich\|.w(................PE..d......e.........." ...%.B...Z......p.....................................................`............................................X...(............................/......,....f..T............................e..@............`...............................text...NA.......B.................. ..`.rdata...5...`...6...F..............@..@.data................\|..............@....pdata..............................@..@.rsrc...............................@..@.reloc..,...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32536
Entropy (8bit):	6.447575038735403
Encrypted:	false
SSDEEP:	768:c+yFY6rbXmxU1RIbQU+5YiSyvzZAMxkEC:c+wJbXWU1RIbQU07SyLBxu
MD5:	284FBC1B32F0282FC968045B922A4EE2
SHA1:	7CCEA7A48084F2C8463BA30DDAE8AF771538AE82
SHA-256:	AC3B144D7D7C8EE39F29D8749C5A35C4314B5365198821605C883FD11807E766
SHA-512:	BAA75F7553CF595AD78C84CBB0F2A50917C93596ECE1FF6221E64272ADC6FACDD8376E00918C6C3246451211D9DFC66442D31759BD52C26985C7F133CF011065
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z2.X.Sa..Sa..Sa..+...Sa..,`..Sa..,d..Sa..,e..Sa..,b..Sa.$.`..Sa.U+`..Sa..S`.TSa.$.l..Sa.$.a..Sa.$...Sa.$.c..Sa.Rich.Sa.................PE..d......e.........." ...%.....8............................................................`..........................................C..L....C..d....p.......`.......P.../..........p4..T...........................03..@............0..0............................text............................... ..`.rdata..R....0......................@..@.data...x....P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	79640
Entropy (8bit):	6.290718686906052
Encrypted:	false
SSDEEP:	1536:sEbflgPFXTcf3uj79/s+S+pzpp+iTFVf7JRIbLw87Sy8Ckxt:smG1U3uj79/sT+pzH+YFVTJRIbLw8eCg
MD5:	485D998A2DE412206F04FA028FE6BA90
SHA1:	286E29D4F91A46171BA1E3C8229E6DE94B499F1D
SHA-256:	8F9EDE5044643413C3B072CD31A565956498CA07CDD17FB6A04483D388FDAD76
SHA-512:	68591522E9188F06FF81CD2B3506B40B9AD508D6E34F0111819BF5EFF47ED9ADF95EBFAE5D05B685C4F53B186D15CC45E0D831D96BE926F7A5762EE2F1341F1F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h...............q.......v.......v.......v.......v.......................q........................l.............Rich....................PE..d...@..e.........." ...%.l...........%.......................................P......G.....`.............................................P............0....... ..x......../...@..........T...............................@............................................text...*k.......l.................. ..`.rdata...t.......v...p..............@..@.data...............................@....pdata..x.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_sqlite3.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120088
Entropy (8bit):	6.256550171739811
Encrypted:	false
SSDEEP:	3072:w2nLU/Nk3qkD0ii3CLl147ZvV9NdrRvdO5ylAuCoVMJtcMYqsJFIbOQ5e:XLU/NgqkVD5ZJtOP
MD5:	8C9F7BEEEEB75816CC0C1F8474023029
SHA1:	96A49C164BDFCE7A0D90D87074E0C9B5F8077610
SHA-256:	D077E236B709B5242D62CE4923FEDDBFCC719EC26612ED474ED3B25EE290D0AC
SHA-512:	ABA229C8B843C07EA8D59AC901D06263A3EEFE6824E71C4B4BEB47D5071BE34068F13CE13A962B0A8583C834C3DC4D045185C47FB8B2922E853FDB78BF4F6F77
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............`..`..`.....`...a...`.....`...e..`...d..`...c...`..:a..`...a...`..a..`..:m..`..:`..`..:...`..:b..`.Rich.`.........PE..d...C..e.........." ...%............p...............................................-D....`..........................................Z..P....Z.........................../..............T...........................p...@............................................text............................... ..`.rdata..l...........................@..@.data................n..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	176920
Entropy (8bit):	5.955569171525942
Encrypted:	false
SSDEEP:	3072:UZIQQj5DC1z/39/2uX36XjRylB9d43Olh59YL48PMrN/WgAlNiVtIbC7N7d:rj5mRPxb36Xj44TLiVn
MD5:	E5B1A076E9828985EA8EA07D22C6ABD0
SHA1:	2A2827938A490CD847EA4E67E945DEB4EEF8CBB1
SHA-256:	591589DADC659D1AD4856D16CD25DC8E57EAA085BF68EB2929F8F93ABA69DB1B
SHA-512:	0AFD20F581EFB08A7943A1984E469F1587C96252E44B3A05CA3DFB6C7B8B9D1B9FD609E03A292DE6EC63B6373AEACC822E30D550B2F2D35BF7BF8DD6FC11F54F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........wf*...y...y...y.n.y...y.i.x...y.i.x...y.i.x...y.i.x...y...x...y...yL..y.n.x...y...x...y...x...y...y...y...x...yRich...y........................PE..d...C..e.........." ...%............l+....................................................`.........................................0...d................................/......\|...P...T...............................@............................................text.............................. ..`.rdata...".......$..................@..@.data...............................@....pdata...............\..............@..@.rsrc................h..............@..@.reloc..\|............r..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19864
Entropy (8bit):	6.993481836017306
Encrypted:	false
SSDEEP:	384:vWEhWQy36q0GftpBjqVsVERHRN75UVplCADZgJq:/0kisKEBq8ADZg4
MD5:	7699C096202DA0DB6B07FAFC914D60ED
SHA1:	6E952BE34B9457B0CC3E4AA372D941030407A0FC
SHA-256:	0052515763A1A31D2527A2EB2523FB7B88D8E55C4E4DA5EF352B565476BF21E0
SHA-512:	AE93507CAE8D2096C688850D369F8EF282699770B1E27621ED8EBEEDE1BB285A290F1E2E06A6E9287A05C243B907371977501F1AA4181810913763E0D5BCC2C0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0......u\....`.........................................`...+............ ...................?..............8............................................................................rdata..@...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19352
Entropy (8bit):	7.001842888356878
Encrypted:	false
SSDEEP:	384:4WEhWRMoq0GftpBjCtOSbERHRN7qlZwHcC:ufaiEbEBGwB
MD5:	928BE2A3FC2E88BDA5CA0808324E97C4
SHA1:	B1E1BF73C5DFA99AD69BDC83EC6B6F65CEF1C3E2
SHA-256:	CC6C2FDF1C34FA82036165B111F91220BCF7E43AAB79DFB284F982F0590BEBB1
SHA-512:	FC83A74DBD60ADA174798D7F40D839F30EF4A288805121EA8D303E39C5FC81188F9EE86131C3DF3E2B37EDFCCA2BFEB3F69AA14E93A0D5D87A6255C6E87C73A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0............`.........................................`................ ...................?..............8............................................................................rdata..$...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19352
Entropy (8bit):	7.007097657416164
Encrypted:	false
SSDEEP:	384:EWEhWbC2Jq0GftpBjDNACiERHRN7lVTdlrltm:SoLifNiEBDl
MD5:	4CB14835B061F42179D5251E744FD667
SHA1:	4A1B0B32963A20C479927E4E008BFA9B4168F226
SHA-256:	F9AAAABF78FEB39A1D8E971F5CE047D1C4A896A80409B800F1F7112CDCE420ED
SHA-512:	20C11B2DCF8A928D04CFE6A0130716CC474D48C996025950214D6F9E97BF26B0EC6E2A68F954B0875FC05CA49811BC6E943F91B592FECD14CC8FDDD3201841E9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................0......43....`.........................................`................ ...................?..............8............................................................................rdata..0...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19376
Entropy (8bit):	7.031341799850956
Encrypted:	false
SSDEEP:	384:QvfC5WEhWHy36q0GftpBjTIPaHHCERHRN7sylTIw3R/E/M9:Qi5FkifCEBjR/mC
MD5:	6177998C2CE574A177E524746B77EFE7
SHA1:	21F262C4826E6EDD8534A9196AFDFAE9AC0E3D51
SHA-256:	A0AA340274D4BB46B6D9547D647AB7DC16C229577BBAB836E6A4F3307F310332
SHA-512:	AF8D6BBACD38B23F48F27BB472BEB81EE4EE6200AE54317D282ADA104252777B57B056FD5DE5FF0463EDE1BE8B734A8741D80C65A70B37910C13F04D85005117
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................0............`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	22928
Entropy (8bit):	6.941304537427584
Encrypted:	false
SSDEEP:	384:SBPvVX7WEhWqC2Jq0GftpBjQXERHRN7qulfgOBU/Xwm:yPvVXD3LiaXEBuW2X5
MD5:	33636552339A4A04D75B7C32DBEC59D9
SHA1:	6457C3941D57BEBBC3A737C84377D102B6ECE18F
SHA-256:	05B478718540A6F410A3AD859F7D5E56C223D6786EACC7E9BC80264F587FD0C7
SHA-512:	B0F9FFED8B8861C9599E5CF0FBC5374E7CD8D170A360A3DFEB37D381DABEF941875EAF325666978071D25AA8F49D729684D8BE71D12C1B5A8928A7C00156ED03
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................@............`.........................................`................0...................?..............8............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19344
Entropy (8bit):	7.019387794302155
Encrypted:	false
SSDEEP:	384:8ZWEhW4Moq0GftpBjbFZERHRN7rklkETkA:8ZGaiDZEBLETf
MD5:	9D8413744097196F92327F632A85ACEE
SHA1:	DFC07F5E5A0634DD1F15FDC9FF9731748FBFF919
SHA-256:	6878D8168D5CC159EFE58F14E5BA10310D99B53AB8495521E54C966994DAC50B
SHA-512:	A8F6E9EE1C5D65F68B8B20D406D3E666C186E15CB3B92575257B5637FE7DD5AC7D75E9AD51C839BA4490512F68F6B48822FC9EDD316DD7625D3627D3B975FB2A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................0............`.........................................`...L............ ...................?..............8............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19336
Entropy (8bit):	7.07368062664954
Encrypted:	false
SSDEEP:	384:oVxWEhWWy36q0GftpBjHAdsERHRN7wUlZwHcv:oVhukiqdsEBwUww
MD5:	361C6BCFCEA263749419B0FBED7A0CE8
SHA1:	03DB13108CE9D5FC01CECF3199619FFBCCBD855A
SHA-256:	B74AEFD6FA638BE3F415165C8109121A2093597421101ABC312EE7FFA1130278
SHA-512:	AA8B585000CC65F9841B938E4523D91D8F6DB650E0B4BB11EFD740C27309BF81CDB77F05D0BEDA2489BF26F4FBC6D02C93CE3B64946502E2C044EEA89696CC76
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...).NV.........." .........................................................0......kw....`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19352
Entropy (8bit):	7.021074039268697
Encrypted:	false
SSDEEP:	384:fWEhWmy36q0GftpBj4PERHRN7lmlfgOBU/g:POkiuPEBtW2g
MD5:	C2CD29370B21C0361D7F79D248C05860
SHA1:	52EFDA4BA402C793D4C75E6CE185720AE1432249
SHA-256:	550B4F5BA95108B01A24F05496576A4E73642334A10DDE61B09846E0EFB9F260
SHA-512:	D2165032403277BA10BFBB7861BBE7395A8B0847A669588D3780953D07C1B0EA4461ACC49753E8D4978840307B1C50F9E814AB5B62B8E341159E02109BCBAB71
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................0............`.........................................`..._............ ...................?..............8............................................................................rdata..t...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19856
Entropy (8bit):	6.9919788904502065
Encrypted:	false
SSDEEP:	384:VlzWEhW9Moq0GftpBjEwkcERHRN7AuhlCADZgJAq:LHaiwcEB4ADZgN
MD5:	E93F34FDCD8E5FFC34AF48C90F6F95D1
SHA1:	1CDAFB0DFB29712D37307BC5E5EDEFAB0EEF6D78
SHA-256:	ECA63FC5C873CE8B36C507E2B9A88CAAEA9617C84669886B15F6BC38BD0024C6
SHA-512:	3BF430A6A20B020F60627AE68D6385F3ABB7A89B16CCCC4AED1939C28527680FCE7A426F69353041C7AC50A177A8E7C3A631078E46BC73A8BF0E2B2E83A779A8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................0.......m....`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19368
Entropy (8bit):	7.0296234740052705
Encrypted:	false
SSDEEP:	384:GWEhW4C2Jq0GftpBjG/ERHRN7YlTIw3R/E/Mp1:cRLiKEB+R/mU1
MD5:	28FD20B58320F0ED023D9CA19DA3A06D
SHA1:	B7948DA624D84596055A9AE2A45AEA3A9B2D7B9B
SHA-256:	2F2F9660F4FFA814F465676D5B9CB9BB70D0B7C5FC5EB14C34CFE94A50883B21
SHA-512:	822E34CACC70EE151FF534F960D0820AE7D184A764B41CE23828E8E0E80DAF4888F528C9B1351A76883EEA2C6EB9674C8418F1787C1999EA06191D67D3928418
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0............`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19888
Entropy (8bit):	7.038753075266474
Encrypted:	false
SSDEEP:	384:svuBL3BXWEhWDy36q0GftpBjxCnERHRN7n81lZwHcK:fBL3B3RkiCEB8xwv
MD5:	B45F933A57E388CFC5399645CDB696F3
SHA1:	D85450A4169C79B249D4EF64AD475F6645DC311C
SHA-256:	2F9C3B077DA02C587964A59E9C4E2F383FF8357229EAB4B4F04814DF94D78FF0
SHA-512:	E0DF0637BDAA4293EF0B4C0A5B9E40E5D2EA891DBB2CE465394EFEF8A1F07DF52630069E63D5E800575BA55C78C79CE095AACE3983258B4C576CDE500EF3A3BE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................0.......X....`.........................................`................ ...................?..............8............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21936
Entropy (8bit):	7.020074477976467
Encrypted:	false
SSDEEP:	384:NOMw3zdp3bwjGjue9/0jCRrndbkWEhW9Moq0GftpBjciv9ERHRN7h3olfgOBU/J2:NOMwBprwjGjue9/0jCRrndbyDaiysEBY
MD5:	B402ED77D6F31D825BDA175DBC0C4F92
SHA1:	1F2A4B8753B3AAE225FEAC5487CC0011B73C0EB7
SHA-256:	6ED17FB3CA5156B39FBC1EF7D1EEFA95E739857607DE4CD8D41CECFCD1350705
SHA-512:	EC04013139F3FD9DBF22B92121D82B2EB97E136F8619790CDE2D0B660280E838962F9006D3E4C3A359627B017F2B6ADE7EDFF3BBC26E559C3DE37540585602D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0......Y[....`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19856
Entropy (8bit):	7.015225750103134
Encrypted:	false
SSDEEP:	384:QqWEhWdfC2Jq0GftpBj42ERHRN7LXLlZwHc6k:riLi5EBDLwu
MD5:	CA3906B115461654EED0DB5933EEF5D5
SHA1:	0F03527A70C14413A7D114431F60D610D1805B8B
SHA-256:	76A3AA52D49DD0D8E0451F4045F4D8BA05D2332D0DB2A39408B85CD2E43B84A3
SHA-512:	CE6E067C528C76714C01CD2AAF052E170C2DB0F77EEC6486D15F08DF357ABE06A849B56506F89B95F1431A942B2B515F9CC626C7EC2847F4289FB613C91F6122
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0............`.........................................`...l............ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19360
Entropy (8bit):	7.074084808178223
Encrypted:	false
SSDEEP:	384:XWEhWCy36q0GftpBj/2QERHRN7nlkETk0:3qkil2QEByET/
MD5:	F24F386CFA5F097B523CCFBA5C8CDCA3
SHA1:	FC97363843226BB69B8A1F56D8B8735A087AC103
SHA-256:	B1B2595494072A52F1FC44586DEBF52312EAB1A245A7A16185D7B1AF37B159A6
SHA-512:	EB6C38A7CA3B627FC52B8DE65E8564004923B4533B9C4C920666D1D4C32C762E65CC181742B39C688654C8639DF6A385F7EA1FBE50A89471B2F938F897DF4278
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................0......%.....`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20424
Entropy (8bit):	6.985652301775137
Encrypted:	false
SSDEEP:	384:TWWEhWcaCIc3q0GftpBj6Iz4ERHRN7soIslfgOBU/g:oti34EBsdW2g
MD5:	04729245832E3BF24CB5B28F9C2E9C1C
SHA1:	1AACEA212EA11758AB8C6C64CF7C501A3F713696
SHA-256:	BF11319EB6BE15633E47AB8F247D1ACC9A9ECDF37181FC0DDFE9388AB82AC90A
SHA-512:	11001746AA23C5999778D9A17892DA029DFF5E8E34265EFB40AB5704F4D5F52CC4750EFBE0D8B911E1AEB1875E4F0A4398655E1BF63143ABAD83B39643C00B5A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................0............`.........................................`...G............ ...................?..............8............................................................................rdata..h...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21432
Entropy (8bit):	7.014491925577937
Encrypted:	false
SSDEEP:	384:OWXk1JzNcKSImWEhWqC2Jq0GftpBj1vzt6ERHRN7+OlTIw3R/E/Mb:ObcKSdjLirAEB1R/mU
MD5:	C9DBB0DE9907BB628F5733C81F973462
SHA1:	DD51E5840BA634F8FF0D6B57510622C16BA4706A
SHA-256:	7646EBA0C683FC3E1B00F0B3B2B5912621B2016A6CEB7D53181CD1C3FA64785A
SHA-512:	E9B754B6A79808EF353F3991EA98B951867308AB73CAE2A666B039922190394A73BCC849744823A77754519C3E5178213D75E5B787B18032AB9BE0A5DCB2A813
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0......qJ....`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19896
Entropy (8bit):	7.0278343042073805
Encrypted:	false
SSDEEP:	384:9DfIeAWEhWdC2Jq0GftpBjDL8ERHRN79j9lkETk8O:Gem6LiJ8EB9gETPO
MD5:	3D872BE898581F00D0310D7AB9ABAF2B
SHA1:	420E0AB98BB748723130DE414F0FFED117EF3F7E
SHA-256:	4DE821884CBEF4182B29D8C33CFE13E43E130AD58EE1281679E8D40A2EDCB8EA
SHA-512:	35CFB9888A5F4299403A0D9C57F0BA79E3625431A9ACC5E04AE2AE101B3DC521A0DCFF5D4A1BF508B25DBF05DD432F6987D860FF494D15538ED95673A8B7376B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0............`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18840
Entropy (8bit):	7.100702524260397
Encrypted:	false
SSDEEP:	384:uVhWEhWoC2Jq0GftpBjJnERHRN75QrrhlkETkFd:q1Li3EB5UrwETgd
MD5:	AEC5EBAC6404B541565026C3CB290E0B
SHA1:	E541075842DE9DD7D0400CA0E55019D080697AB5
SHA-256:	4CA44EDE30B46F1F23905CECFA27F0EDB26EE960DBA10F9BF8002D79ED77C3E5
SHA-512:	74F4D501460C4A6F93888AE9B25D9732584C07EFD86ED9487B0D75E71E2EB03A840C37002C74967738088804192D42B9B443F5A826C8D66F1171232F6166D93E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................0............`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19880
Entropy (8bit):	6.991784429601899
Encrypted:	false
SSDEEP:	384:cGeVdWEhWm4y36q0GftpBjjQJykGERHRN7zQTlfgOBU/pMw:cGeVFpHki5SZGEBzbW2pL
MD5:	B8CEC282FB1491EB1D2BE2D969E96FE2
SHA1:	F9011802509B3BF617E76D5B0F16A2802749A5BF
SHA-256:	09B7F0A7F68A12602E7F4DBD5A7F1CDFB3E93FD54326884E48F36E2E200ACCE9
SHA-512:	339B6D129B4660F2FD377BF28F6819E941BA7D36377C9B59A1B9098C3BFEF0A62D4955E9A5338F09174C6A875AC1F420EFF5C422F63AB00194E2BA206FD42ED3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0.......!....`.........................................`................ ...................?..............8............................................................................rdata..,...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19352
Entropy (8bit):	7.046756061074216
Encrypted:	false
SSDEEP:	384:9yMvfWEhWcC2Jq0GftpBjKuERHRN7l2wlfgOBU/2:9yMvP9LikuEBgxW22
MD5:	059BB41588D83C95CAEAC5D06CB0B59F
SHA1:	C8B26D26AE2118D7AE25FC87399FB2CD03E7F4DA
SHA-256:	3EDA46E395FAD6EC222AB44188D6A46A468B0FD4AFF28252938F4E6A9A3E3893
SHA-512:	0F4C0208BBEA87EC54453D718FAE2F4708524B3B6923B947E96A8C465DD8A9DE00BE2E5C90CB2B39A24D064DBED5417E7F954981689E89EA50B2C769C0BE64E1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................0......7^....`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21392
Entropy (8bit):	6.96535561797727
Encrypted:	false
SSDEEP:	384:Ldv3V0dfpkXc0vVaEWEhW3YDy36q0GftpBj0eERHRN7mlgHrIQ8:Ldv3VqpkXc0vVaSqBkivEBjrIl
MD5:	56BE6B76756E6D4F81DFB8F251B63739
SHA1:	BB1DF800B0728D965FCC754DAD08AE63D6B54C06
SHA-256:	83C1DF33DF30DF48AB161A5A1D6C3CB4BDAEBFF330EE6E81E871AFE3990D7A65
SHA-512:	C6B453ED68E2FEFDBA53928AAC6AC6B79D1366C427370BA6043A795C0EAF79A77BAC9E019F4413E24B8EEA9A787125C01B839C08DAD0099A79751C2BF73AC128
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0......j.....`.........................................`...V............ ...................?..............8............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19856
Entropy (8bit):	7.060103337490769
Encrypted:	false
SSDEEP:	384:xtZ3lWEhWtE8y36q0GftpBjEn9ERHRN71QUlfgOBU/ml:7t7kis9EB1QVW2A
MD5:	1742DA4D8DF54767064BCB50B4B5C32D
SHA1:	50F0AE8E41F0EB2573F41B308882610C6897C574
SHA-256:	E000C6685719C2B07355C1EDDBFDAE7C6794AA6C0AC883D34AF33DFC8BF40779
SHA-512:	99823EA5553CEDE3A0C8C19A3BDD18E31E2BA92BF7EE4808257B660F621DE66EB596CFCB7BE5C13EBE8DDD3759809F258C4ECDD72D8D39D9C2D10B9624CB3D95
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................0............`.........................................`...v............ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20376
Entropy (8bit):	6.987462274389362
Encrypted:	false
SSDEEP:	384:vB2WEhW3y36q0GftpBjPjERHRN7ogDlCADZgJz:vBslkidjEBoRADZg1
MD5:	79B6580C25F8C572376CBF39BB41BE05
SHA1:	40DBA231AD9CFD891BCE54C44DC9F73E54C8532B
SHA-256:	F5BF492FE568EB57D2E7111B1C3927F1EE897B5A1109BC68EBE011A2DFDEF2FE
SHA-512:	E5A64E4F7AFC8693634F5D92AA5EF6F4C241CA2F246A641B728D54C1E82E856793DBEC40F4FD9A2653E962C0B6A4F179221594B3084116A7995AF5E3E769DDFA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...".NV.........." .........................................................0......O.....`.........................................`...E............ ...................?..............8............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19360
Entropy (8bit):	7.0871177471347195
Encrypted:	false
SSDEEP:	384:MWEhWhy36q0GftpBj+YERHRN7nwlCADZgJc:KLkiHEBnJADZgy
MD5:	6C180C8DE3ECF27DE7A5812FF055737E
SHA1:	3AAD20B71BB374BB2C5F7431A1B75B60956A01FD
SHA-256:	630466FD77AC7009C947A8370A0D0C20652169824C54DDCB8C05E8DF45E23197
SHA-512:	E4AA79EB2B6B3BE9B545E8CB8B43CD6052036DC5CCE7077BE40441B9942931B30D76C475D550A178D4E94C9C366CABC852F500E482B7FDCD361FC2A08E41C00E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0......C2....`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19336
Entropy (8bit):	7.00947187660432
Encrypted:	false
SSDEEP:	192:/PWEhWvaNy3WUuDBks/nGfe4pBjSHdWm78RFAII1RHnhWgN7acWcrD+Rqnajjvun:nWEhWIy36q0GftpBjtERHRN77elZwHc+
MD5:	0C33A3762C1E583342D80E9B6483F74B
SHA1:	0EF41C8C68BE764D6C2F23E04279D6F12F32603C
SHA-256:	187D47EBCC1E96ABE635F23C92D2C63FC8CD741FCB03FE2DD5FC3054CB3D6D92
SHA-512:	93C907AE0C864A4FBA5EEF82AA2473FCBB5F376906A6918896294A4259F5B062A6FE4D9E455FC43741004ED928D8C6BB4D4BC10479BC9A4AC81A711542EC229F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0......$f....`.........................................`...9............ ...................?..............8............................................................................rdata..L...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20368
Entropy (8bit):	7.0048171461365465
Encrypted:	false
SSDEEP:	384:LN+WEhW0C2Jq0GftpBjNgfERHRN79lCADZgJJ:mpLiUfEBiADZgn
MD5:	84A950E3C162D67F98516BB1744139E0
SHA1:	05FF2FE60C5748C33BA8605AAF609B3BDFE2772F
SHA-256:	91F4DB05C69C58ECB2493E30ACC5297043C41B1CE6DB50CEE4E2922CD4BCD7F2
SHA-512:	7328C6A512D450F2538EFEABF3F467489A898ED7C1D45C1952B98D118D898083510C9849182BC425411A408C113A351A28B41BEDEB5B8DE61427144B3FA87C80
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0............`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23448
Entropy (8bit):	6.8592303562068695
Encrypted:	false
SSDEEP:	384:WDyuWEhWYy36q0GftpBjBt6ERHRN7Kr3lgHrIQDm:yokiTt6EB0ArIz
MD5:	D749AFFFA2B3BE4B2A9EDAC50C20B28B
SHA1:	972253ED12C344B85290F7B3D5F9608A7F7B0670
SHA-256:	E64FBAC3491B4693E79A3F7B0DB1D788F93608D3FC82133EDF25A868C80D2153
SHA-512:	4447B6960A6C178F7C37DBD38E9AEC24BA5A0C58E19AFCFAA2B70DCA7D7BBE87AD7AA1AC9D48AB9B56B1F375768D4C4CB28D5AFCF714102F9757FAA2B3E728D9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................@............`.........................................`................0...................?..............8............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19872
Entropy (8bit):	6.992251797681991
Encrypted:	false
SSDEEP:	384:BWEhWxy36q0GftpBjUERHRN7QklgHrIQQ:RHki+EBQRrIN
MD5:	7A2874FE036F7DC86ED5F712ADAA38E6
SHA1:	440F2DC5379CEEE35D29571C195DC7A76E8B70E7
SHA-256:	DD054E4DE84144C2130FA8D28D563252A7C4089A58872E49D63BC43C9A1A3CB8
SHA-512:	D20811025F714B5FD3754D607422F4FB5CD6C456FFCEEF139EDCB0CFAACD9B63A694CE2EA737DB78385F0B23DDCFC283282A319B79E7A0E4BD50034E87AACB9A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0............`.........................................`..."............ ...................?..............8............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21408
Entropy (8bit):	7.005777635258922
Encrypted:	false
SSDEEP:	384:r81nWm5CcWEhWMLy36q0GftpBjhERHRN7qEOlZwHcs:rOnWm5C6rmki/EBIwv
MD5:	73E14D927D075CA273B3237116351E8F
SHA1:	0C15CEA3C83C7F7E692DC6F8BD856B615C727D49
SHA-256:	966A7F15BFB2E0FF7888D583638EBD675D8F46B264194CF332F78140B7C129E1
SHA-512:	664F72D7ADF48F8499321F8A5DF952C6043532AAE09BAE9FFBD59DA77B161CD43211A3AAEF1BA85529DFE00498D1AC3A933A7C9CF437095C6A337C9BC0816B3F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0.......]....`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20360
Entropy (8bit):	6.973623049512662
Encrypted:	false
SSDEEP:	384:4QWEhWJC2Jq0GftpBj+WU9ERHRN7LlgHrIQ3m:4WyLiC9EBMrIf
MD5:	01370C79EBABD534E7B58D35072D2866
SHA1:	8CD0CD21FF838A2A314246DEF4BD858BAB184A5D
SHA-256:	742BB9BF4C232F84AD8008AF4AF8EDA7A1EC3EB76F05D9D7EBB95F6A5CABD2D8
SHA-512:	B07D9634AC804B476D61B6A0FC87894947E88744CC3EECF7D68EDE3714ACD938FAE14452E43F9110919B8F8F9F5D4222E9DE2CA97A915DD07B3231D674729761
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0............`.........................................`................ ...................?..............8............................................................................rdata..(...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19856
Entropy (8bit):	7.051566271525755
Encrypted:	false
SSDEEP:	384:b9DWEhWIy36q0GftpBjyK5ERHRN7WlgHrIQsa:NEkizEBTrI7a
MD5:	BACB72FA56DE18D5AC63E4A0A3FE768F
SHA1:	7DB19EFE649D30337781AFD62616C0549255046E
SHA-256:	25905676B543C4F05E9DAE135F929C03A57686A6941CE59BE2B3450521FEB943
SHA-512:	78D82962C11E5928E77C5BD0377ECB6B00C2ECA242D637F76E68FBF907BCE7381F3A5294100D055C30F6E2AEE164DB0B95DCF0C0C77E39EDCEC4A046CFC63ED4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0......-.....`.........................................`...e............ ...................?..............8............................................................................rdata..\|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	28552
Entropy (8bit):	6.654016239428645
Encrypted:	false
SSDEEP:	384:FZVacWM4Oe59Ckb1hgmLiWEhWXy36q0GftpBjbERHRN7RlgHrIQE+:FZVJWMq59Bb1jQ9ki5EBqrIT+
MD5:	85893A96A568BA9781F50F876ED303CD
SHA1:	FB7473BC5B1E88E978B7E5664B45D69770C8F4FA
SHA-256:	08E34F12DE24E89379A0533F21A23CE6FECBEA05D4062796D4FFD4ADC3012316
SHA-512:	864FA39423B8CA9C43FA177ACA1484EC2FFAE4868A434E7A8016EFE88F396B67FB8CA3766F611DE7218E9983653A8B7B88B07C2591B252DD93A0D9638980E7FF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........,...............................................P......U.....`.........................................`....%...........@...............0...?..............8............................................................................rdata...&.......(..................@..@.rsrc........@.......,..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-multibyte-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	29128
Entropy (8bit):	4.764864996734757
Encrypted:	false
SSDEEP:	384:6A/kPLPmIHJI6/CpG3t2G3t4odXLtWBhWUUTNQ3Jllz3VW:R/kjPmIHJI6OXYQr4
MD5:	2E75BA5BC87963D4244AE9BAC3457466
SHA1:	A624F1EB6AE3B7EE01FEE889E65E0D7A4253FFA8
SHA-256:	77328A716589BE3C3BCF1F3D3134B4AD050380F504DBC1A3FA076380D77ED0F8
SHA-512:	C3AB9BD515A52AA19767F0CBE5EFDC4A8D145BDA959AE13EB3E587C1C20D05C9B3563DC2665699B597D34DA0593F8A324D197C1407ABAAD8118D0D599F5279FC
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d................." .........P...............................................`......j.....`A........................................P.... ...........P...............P...!..............p............................................................................rdata..D".......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20376
Entropy (8bit):	6.990619239924047
Encrypted:	false
SSDEEP:	384:OitIlWEhWHy36q0GftpBj05MrERHRN7lQkklfgOBU/Ux:v6dkiomEBPW2Ux
MD5:	9EE275466394A2088D7DFBBC0C716671
SHA1:	4D2F94674587251C60805889395AB7377E8C5E17
SHA-256:	C68A61C260454C0AEB051DDB2BED52CBCA44B96D50046017CBC351B41F225DC0
SHA-512:	996212D07B0B6E55F54E17D6A053F017B1FD00F50906DB9DE25B8AE5632EEAC9C197E91DB1C293E7ABF0E8B823937CB18E26F43E166F76C02A6914C9776A72B3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0......n.....`.........................................`...x............ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23960
Entropy (8bit):	6.8615759821856575
Encrypted:	false
SSDEEP:	384:E42r77WEhW+y36q0GftpBjLleERHRN7lXMl8tazs:E42r7DSkiNleEBzt9
MD5:	55B80C522731ECB92914BF9CDED028C2
SHA1:	424C61BC659CAF04281959EDE1B1F03B703934ED
SHA-256:	4C787FF8D40BB803E75FE6218FEC36A672CFA6CFC7F6E80E68A7EB0B77A10E5A
SHA-512:	3779B530C7DBA624369CB0F5D15154D89547ADC3C4C7CC0571F1E8326588165098B9B5768D0052ECF1EA4F2DC84AE7DCF4712E3BC9EBDADB5FCA4B0F4DE43812
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................@............`.........................................`...4............0...................?..............8............................................................................rdata..H...........................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25480
Entropy (8bit):	6.8150529690105115
Encrypted:	false
SSDEEP:	384:u3vAmiFVhFWEhW/y36q0GftpBjpq+cpfERHRN7ulZwHcP1:cvYjNki5eEBSwu
MD5:	4614D03A94D46C0E9D1C5D96A3FE1D78
SHA1:	CACB73CA3C7E31A4B8F749854060B7A422497050
SHA-256:	C7919BE431CE2FA1906FF9EEB19E4CB19A30A4680107EF8737CE894654B21A5A
SHA-512:	4F30E8C5893662D7889A049C206B08559AD1A34EB7927BE313086D6DAE40DCA3571DE3852DBA2AD9324E028FA86E8A391A58EC48BA5DBD5C4A88660FFE8B30DF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." ......... ...............................................@............`.........................................`...a............0...............$...?..............8............................................................................rdata..t...........................@..@.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25496
Entropy (8bit):	6.809287749827101
Encrypted:	false
SSDEEP:	768:a5yguNvZ5VQgx3SbwA71IkFZjkiJ9EBj8r95j:a5yguNvZ5VQgx3SbwA71Iijkm9EBwx5
MD5:	7A2799F4BC45505E7104E06DC8E254F8
SHA1:	323BC35E0101B351A4ABDE1FCE698520832518A8
SHA-256:	92F72F495A6897F7D7CF2C2064B2B65F6B4FBD4F30911A534A5CD0DE73395EBE
SHA-512:	2627DA183779F17FCC9709A6DA2E2916A296F61124ADB9BF563C80D723ADA9B769806CAB8FBC4ED916F54FD4CDE18F25E7AD53ED6C75E7E61FDEF37C2F1EC9B2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." ......... ...............................................@......+.....`.........................................`................0...............$...?..............8............................................................................rdata..............................@..@.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	21896
Entropy (8bit):	6.938332058802964
Encrypted:	false
SSDEEP:	384:OPEzaWEhWIZC2Jq0GftpBjxERHRN71YXlgHrIQD:E0YPLi7EB3rI2
MD5:	38B633F132F8E2B3ABC268537FA415EC
SHA1:	CCCCB8C3E31DCE7B6B952022D245C11FF3AE8122
SHA-256:	46CB7B3A9F8AAC5ADCDBE23494E458F3195ADF4B8ED1C71F2D934DDDE651E57E
SHA-512:	23BD77D61C20B1AF7F13B5BCBEB9FA74EE807F809BB3D4DD40C7709CA4870078FA6E8E94EEFC83A725C0245C0CE02E3ADBD4F370D6B986F0C9442CCBC2C2AB96
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..d...#.NV.........." .........................................................0......:U....`.........................................`................ ...................?..............8............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20928
Entropy (8bit):	4.525945528506043
Encrypted:	false
SSDEEP:	192:evbjfHQduLWBhWVWYnO/VWQ4uWM6cA5E8qnajTw+CCevq:UfFWBhWFUix5E8lvwDDq
MD5:	E79464524FBC2C266DA52D0A903D85D3
SHA1:	6BAD715617992277751A8DDFC180BA291BA75D59
SHA-256:	6C78D4ABA91877C5BB33E545B6A69A818F377E07FF62E791B804FA5B4D2BCF02
SHA-512:	DEF71789E238ECD3B2D68DBD204ACC62537AD39CE50A5BF09F320FC8CACC1B3F561822784D006AB2145EAB5AB7BE3F74C1C773FBE814EFA040A1DBB3FFA6744E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............~v..~v..~v.5.~..~v.5.v..~v.5.r..~v.5....~v.5.t..~v.Rich.~v.................PE..d...F............." .........0...............................................@......a9....`A........................................P...^............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\base_library.zip

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1852021
Entropy (8bit):	5.576123239051486
Encrypted:	false
SSDEEP:	24576:mQR5pATG8/R5lUKdcubgAnyPb6l2X0iwh6E+dmzNPaaMVTC+dWwhcHHY:mQR5pE/R/2vN8+ww1
MD5:	EA42C63637A86AFC5C6C2A8A6BD39754
SHA1:	8E1C44CF9E0B05FFEB3A5B52BCA6B0B505D3CB6C
SHA-256:	C7EB35EEBE6C8E3FD311B1EE5FF1EE6D70AF2D6200782E7D14E61C0958E924BC
SHA-512:	E124389DBD00E7F9209A324331BB80F860432A3E2CF3217404349F6A2BB085EC9326E0763B0D2B64BB1063A7BD157C006D715BB4F1ABBE5B751278C0B62C454B
Malicious:	false
Preview:	PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

C:\Users\user\AppData\Local\Temp\_MEI67562\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI67562\charset_normalizer\md.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.673454313041419
Encrypted:	false
SSDEEP:	96:KG+p72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFliHUWQcX6g8cim1qeSju1:A2HzzU2bRYoeLHkcqgvimoe
MD5:	723EC2E1404AE1047C3EF860B9840C29
SHA1:	8FC869B92863FB6D2758019DD01EDBEF2A9A100A
SHA-256:	790A11AA270523C2EFA6021CE4F994C3C5A67E8EAAAF02074D5308420B68BD94
SHA-512:	2E323AE5B816ADDE7AAA14398F1FDB3EFE15A19DF3735A604A7DB6CADC22B753046EAB242E0F1FBCD3310A8FBB59FF49865827D242BAF21F44FD994C3AC9A878
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..............................M....................................... ...?.......?.......?.a.....?.......Rich............................PE..d...siAe.........." ...%.....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119296
Entropy (8bit):	5.872097486056729
Encrypted:	false
SSDEEP:	1536:OzgMw0g+m/+rxC9Jtd960WsCyqPD1/bZMlDML48Be9zGTVmZRJIRbvB:OsTH+VC9Jtd9VdCr7fMp/8yGTVmzmZ
MD5:	9EA8098D31ADB0F9D928759BDCA39819
SHA1:	E309C85C1C8E6CE049EEA1F39BEE654B9F98D7C5
SHA-256:	3D9893AA79EFD13D81FCD614E9EF5FB6AAD90569BEEDED5112DE5ED5AC3CF753
SHA-512:	86AF770F61C94DFBF074BCC4B11932BBA2511CAA83C223780112BDA4FFB7986270DC2649D4D3EA78614DBCE6F7468C8983A34966FC3F2DE53055AC6B5059A707
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..r...r...r......r...s...r...s...r...w...r...v..r...q...r.#.s...r...s...r..8z...r..8r...r..8....r..8p...r.Rich..r.........................PE..d...siAe.........." ...%...........0........................................ ............`.........................................p...d..........................................Px...............................w..@............@...............................text...X)......................... ..`.rdata...X...@...Z..................@..@.data...8=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5440
Entropy (8bit):	5.074342830021076
Encrypted:	false
SSDEEP:	96:DlaQIUQIhQIKQILbQIRIaMPktjaVxsxA2TtLDmplH7dwnqTIvrUmA0JQTQCQx5KN:LcPuP1srTtLDmplH7JTIvYX0JQTQ9x54
MD5:	554DC6138FDBF98B7F1EDFE207AF3D67
SHA1:	B6C806E2AFF9A0F560916A90F793348DBF0514BA
SHA-256:	0064A9B5FD2AC18605E512EF7127318AD9CF259E9445488C169F237A590602E1
SHA-512:	3A71B533874F4D0F94F15192791D2FA4DF9E8EBF184C711F1D4FA97230C04764C1C9A93258355B08107E5B72053C6901E883E3DB577E8A204D5B9EB3F8BC7BFC
Malicious:	false
Preview:	Metadata-Version: 2.3.Name: cryptography.Version: 43.0.1.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Apache Software License.Classifier: License :: OSI Approved :: BSD License.Classifier: Natural Language :: English.Classifier: Operating System :: MacOS :: MacOS X.Classifier: Operating System :: POSIX.Classifier: Operating System :: POSIX :: BSD.Classifier: Operating System :: POSIX :: Linux.Classifier: Operating System :: Microsoft :: Windows.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: 3.9.Classifier: Programming Language :: Python :: 3.10.Classifier: Programming Language :: Python :: 3.11.Classifier: Programming Language :: Python :: 3.12.Classif

C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	15579
Entropy (8bit):	5.567690749632252
Encrypted:	false
SSDEEP:	192:bX1Tojoz5jF4ELZVhXau4WPE6FGotqw++NX6in55qw/n+B:bXejohCEJaiPE6FGotqw++96in5+B
MD5:	850C89F8185D4BD3C91322CED9FF0941
SHA1:	585713DC0113561CEFD4D2003E9ABBB7FA175077
SHA-256:	059F4DD4D777F49808924B27DB2B7F7F413DB91729A42F7CD5F10C605AA211CF
SHA-512:	4DBFAD178A7496CA853951261FD15D99F27D102BAB15EA883FBBD896CA4248B3876DB85E9C25F0D1BB81A741AFE018E16D31AAF23D53EBFCFE893ADDF59AC31E
Malicious:	false
Preview:	cryptography-43.0.1.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-43.0.1.dist-info/METADATA,sha256=AGSptf0qwYYF5RLvcScxitnPJZ6URUiMFp8jelkGAuE,5440..cryptography-43.0.1.dist-info/RECORD,,..cryptography-43.0.1.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-43.0.1.dist-info/WHEEL,sha256=8_4EnrLvbhzH224YH8WypoB7HFn-vpbwr_zHlr3XUBI,94..cryptography-43.0.1.dist-info/license_files/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-43.0.1.dist-info/license_files/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-43.0.1.dist-info/license_files/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography/__about__.py,sha256=pY_pmYXjJTK-LjfCu7ot0NMj0QC2dkD1dCPyV8QjISM,445..cryptography/__init__.py,sha256=mthuUrTd4FROCpUYrTIqhjz6s6T9djAZrV7nZ1oMm2o,364..cryptography/__pycache__/__about__.cpython-311.pyc,,..cryptography/__pycache__/__ini

C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	5.016084900984752
Encrypted:	false
SSDEEP:	3:RtEeX5pGogP+tkKciH/KQb:RtvoTWKTQb
MD5:	C869D30012A100ADEB75860F3810C8C9
SHA1:	42FD5CFA75566E8A9525E087A2018E8666ED22CB
SHA-256:	F3FE049EB2EF6E1CC7DB6E181FC5B2A6807B1C59FEBE96F0AFFCC796BDD75012
SHA-512:	B29FEAF6587601BBE0EDAD3DF9A87BFC82BB2C13E91103699BABD7E039F05558C0AC1EF7D904BCFAF85D791B96BC26FA9E39988DD83A1CE8ECCA85029C5109F0
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: maturin (1.7.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64.

C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info\license_files\LICENSE

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	197
Entropy (8bit):	4.61968998873571
Encrypted:	false
SSDEEP:	3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
MD5:	8C3617DB4FB6FAE01F1D253AB91511E4
SHA1:	E442040C26CD76D1B946822CAF29011A51F75D6D
SHA-256:	3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
SHA-512:	77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
Malicious:	false
Preview:	This software is made available under the terms of either of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of both these licenses..

C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info\license_files\LICENSE.APACHE

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11360
Entropy (8bit):	4.426756947907149
Encrypted:	false
SSDEEP:	192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
MD5:	4E168CCE331E5C827D4C2B68A6200E1B
SHA1:	DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
SHA-256:	AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
SHA-512:	F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
Malicious:	false
Preview:	. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow

C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography-43.0.1.dist-info\license_files\LICENSE.BSD

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1532
Entropy (8bit):	5.058591167088024
Encrypted:	false
SSDEEP:	24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:	5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:	EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:	602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:	DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:	false
Preview:	Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS

C:\Users\user\AppData\Local\Temp\_MEI67562\cryptography\hazmat\bindings\_rust.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7900672
Entropy (8bit):	6.519460416205842
Encrypted:	false
SSDEEP:	49152:Hvisa2OcIo0UYN1YA2sBCT7I0XIU6iOGtlqNVwASO0AIjoI+b0vjemXSKSDhxlT3:Pi/2PTYDBCT7NY+gTNxY7GbdJ295x
MD5:	81AD4F91BB10900E3E2E8EAF917F42C9
SHA1:	840F7AEF02CDA6672F0E3FC7A8D57F213DDD1DC6
SHA-256:	5F20D6CEC04685075781996A9F54A78DC44AB8E39EB5A2BCF3234E36BEF4B190
SHA-512:	11CD299D6812CDF6F0A74BA86EB44E9904CE4106167EBD6E0B81F60A5FCD04236CEF5CFF81E51ED391F5156430663056393DC07353C4A70A88024194768FFE9D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..(...(...(...!...:...8......8...,...8... ...8...9...c..&...G......(...+...`...V...(.....`...)...`...)...Rich(...........................PE..d....j.f.........." ...).`Z..V........X.......................................x...........`.........................................p.r.......r...............t...............x......Cj.T....................Cj.(....Aj.@............pZ..............................text...._Z......`Z................. ..`.rdata..ZR...pZ..T...dZ.............@..@.data....+....r.......r.............@....pdata........t.......s.............@..@.reloc........x.......w.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5191960
Entropy (8bit):	5.962142634441191
Encrypted:	false
SSDEEP:	98304:n3+pefu6fSar+SJ8aqfPomg1CPwDvt3uFlDCE:3G+u6fb+SJ8aqfwmg1CPwDvt3uFlDCE
MD5:	E547CF6D296A88F5B1C352C116DF7C0C
SHA1:	CAFA14E0367F7C13AD140FD556F10F320A039783
SHA-256:	05FE080EAB7FC535C51E10C1BD76A2F3E6217F9C91A25034774588881C3F99DE
SHA-512:	9F42EDF04C7AF350A00FA4FDF92B8E2E6F47AB9D2D41491985B20CD0ADDE4F694253399F6A88F4BDD765C4F49792F25FB01E84EC03FD5D0BE8BB61773D77D74D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l..l..l......l...m..l...i..l...h..l...o..l..m.y.l...m...l...o..l...h.l...l..l......l...n..l.Rich.l.........PE..d......e.........." ...%..7..4......v.........................................O.......P...`.........................................P.H.0....kN.@.....N.\|.....K.d.....O../....N....P.C.8.............................C.@............`N..............................text.....7.......7................. ..`.rdata....... 7.......7.............@..@.data....n....K..<....J.............@....pdata..0.....K......4K.............@..@.idata...%...`N..&....N.............@..@.00cfg..u.....N.......N.............@..@.rsrc...\|.....N......0N.............@..@.reloc........N......8N.............@..B................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	787224
Entropy (8bit):	5.609561366841894
Encrypted:	false
SSDEEP:	12288:ytPc2nnGoNg4kSHoxX09yO5EavUFe9Xb12:y9jnnpTHoxXUsFe9XbM
MD5:	19A2ABA25456181D5FB572D88AC0E73E
SHA1:	656CA8CDFC9C3A6379536E2027E93408851483DB
SHA-256:	2E9FBCD8F7FDC13A5179533239811456554F2B3AA2FB10E1B17BE0DF81C79006
SHA-512:	DF17DC8A882363A6C5A1B78BA3CF448437D1118CCC4A6275CC7681551B13C1A4E0F94E30FFB94C3530B688B62BFF1C03E57C2C185A7DF2BF3E5737A06E114337
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>:V.PiV.PiV.Pi_..iX.PiC.QhT.Pi..QhT.PiC.UhZ.PiC.Th^.PiC.ShR.PillQhU.PiV.QiH.PillThf.PillPhW.Pill.iW.PillRhW.PiRichV.Pi................PE..d......e.........." ...%...........K........................................ ............`..........................................g...Q..............s.......@M......./......`.......8...........................`...@............p...............................text...D)......................... ..`.rdata..Hy...@...z..................@..@.data....N.......H..................@....pdata...V.......X..................@..@.idata...c...p...d...H..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..4...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\markupsafe\_speedups.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.2050934917752825
Encrypted:	false
SSDEEP:	192:OtwEX3IfwEA1RwEaCjEUHsMV38w5Yk/pxggRSea1DvH5TCIcqgr:b27CsVB/pxkDvZTCMgr
MD5:	F9A048E8B523E5BC3C240862815DACEC
SHA1:	E33E530B9F6C2AC4E4982CC9FA91DDA10C5C4AF7
SHA-256:	304AA793204E1E6B2DC10AF9D212A2B68BC78EB1E1309D20626C9AE05BB50CAD
SHA-512:	1031BC1493CD43A9049E6D1AC3FE73D992FA9DE4C49E2982BE3BB61C2FBC57DD7B9A7669A95D16CEACEC149803A6D2271AAB3F2896F2B1DB14379A2EE0F560BE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z.0...^...^...^.......^..._...^.U._...^...[...^...Z...^...]...^.$+_...^..._.-.^.$+V...^.$+^...^.$+....^.$+\...^.Rich..^.........................PE..d...3..e.........." ...%.....&......P.....................................................`.........................................@>..d....>..d....p.......`..................L....7...............................6..@............0..x............................text............................... ..`.rdata..d....0......................@..@.data...8....P.......4..............@....pdata.......`.......6..............@..@.rsrc........p.......:..............@..@.reloc..L............<..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	198424
Entropy (8bit):	6.377860842507261
Encrypted:	false
SSDEEP:	3072:kbc8RnClmm52ApTkIS1uDH2dbjuBYI0XmQtVkPzlOzcURIbLhIz:wc85Qmm53TkDuD2devODtqP3U5
MD5:	D7ECC2746314FEC5CA46B64C964EA93E
SHA1:	39FC49D4058A65F0AA4FBDC3D3BCC8C7BEECAA01
SHA-256:	58B95F03A2D7EC49F5260E3E874D2B9FB76E95ECC80537E27ABEF0C74D03CB00
SHA-512:	D5A595AAF3C7603804DEAE4D4CC34130876A4C38CCD9F9F29D8B8B11906FA1A03DD9A1F8F5DBDE9DC2C62B89FE52DFE5B4EE409A8D336EDF7B5B8141D12E82D2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W,.6B..6B..6B..N..6B..IC..6B..IG..6B..IF..6B..IA..6B...C..6B..NC..6B..6C..6B...O..6B...B..6B......6B...@..6B.Rich.6B.........PE..d......e.........." ...%..................................................... ............`.............................................P.............................../..........p3..T...........................02..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...@!..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info\LICENSE.md

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	2250
Entropy (8bit):	5.228085994344051
Encrypted:	false
SSDEEP:	48:EXRPFWGe3XSTrOOJ73rYJcVkMPDH432sm632s39t313ZOBTgy:EXpFWGe3jOJ73rYJVKY3b3zV6Td
MD5:	B39540D1870E7AB08118DC1D1FA7A9D1
SHA1:	6096C1EE928F2B3EBBF932973E809AC548F64403
SHA-256:	8FC4D8DE61B40533023B16E64528D13371A2E9C68677DF79ED5E93BA570471BD
SHA-512:	862EE765E91CFC9E0EBAEAFC435397CBF277CD38DA5F1142DE122E4DAA795F19CC91A8351B895125F4BDEF948AF26B7D0E8AD27D2E7B2991DB45752BCA08E108
Malicious:	false
Preview:	# LICENSE....## pyreadline3 copyright and licensing notes....Unless indicated otherwise, files in this project are covered by a BSD-type..license, included below.....Individual authors are the holders of the copyright for their code and are..listed in each file.....Some files may be licensed under different conditions. Ultimately each file..indicates clearly the conditions under which its author/authors have..decided to publish the code.....## pyreadline3 license....pyreadline3 is released under a BSD-type license.....Copyright (c) 2020 Bassem Girgis <brgirgis@gmail.com>.....Copyright (c) 2006-2020 J.rgen Stenarson <jorgen.stenarson@bostream.nu>.....Copyright (c) 2003-2006 Gary Bishop....Copyright (c) 2003-2006 Jack Trainor....All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions are met:....a. Redistributions of source code must retain the above copyright notice,.. this list

C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4653
Entropy (8bit):	5.093770800896551
Encrypted:	false
SSDEEP:	96:D9zg0GjrQIRq9lGovhSW5UrPIZZZXqZx+pbEOT9PMX2dyD+l:p3tbSW5UEZZZXqZxW5GeI+l
MD5:	45EE20BA2BBD8759CA1C58A4B3A912E2
SHA1:	602A307F36527F40C7B6FCA2BABCC789547C5671
SHA-256:	9D039725AFD4FAC0D0967156F19F42AEEFED982555402D477B255DECF209002B
SHA-512:	D14C8AB5E985701A08AB0D1FE4C86871F239639F91CFF556307ED7DD93B8C8CF452D13975FBE34D1AE2FD4071F72B2933F5568EF9EB11A6741B3C3A5BD1D7B56
Malicious:	false
Preview:	Metadata-Version: 2.1..Name: pyreadline3..Version: 3.5.4..Summary: A python implementation of GNU readline...Author-email: Bassem Girgis <brgirgis@gmail.com>, Jorgen Stenarson <jorgen.stenarson@kroywen.se>, Gary Bishop <unknwon@unknown.com>, Jack Trainor <unknwon@unknown.com>..Maintainer-email: Bassem Girgis <brgirgis@gmail.com>..License: BSD..Project-URL: Homepage, https://github.com/pyreadline3/pyreadline3..Project-URL: Documentation, https://github.com/pyreadline3/pyreadline3..Project-URL: Repository, https://github.com/pyreadline3/pyreadline3.git..Project-URL: Issues, https://github.com/pyreadline3/pyreadline3/issues..Project-URL: Changelog, https://github.com/pyreadline3/pyreadline3/blob/master/doc/ChangeLog..Keywords: readline,pyreadline,pyreadline3..Classifier: Development Status :: 5 - Production/Stable..Classifier: Environment :: Console..Classifier: Operating System :: Microsoft :: Windows..Classifier: License :: OSI Approved :: BSD License..Classifier: Programming Language :

C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	7044
Entropy (8bit):	5.617800389134621
Encrypted:	false
SSDEEP:	96:hXancv6L9muEVwuffbqnYnqOdbxEnT+9F7O5xEFABg/6GPNCNJOOmUOWita7V5mP:hXXvtNzp1+KKoLGGD2+P
MD5:	45212A96D41552EC43705BBE4ACFDDCB
SHA1:	EEF153DE06B82916211E177673D2CC1FCCB1B986
SHA-256:	E12F9B98840D3B2C6B706CE611C0918154B9E061648810EEBB57B3595A3B6181
SHA-512:	E105EE91A433102BB445D332825DB4AA1D798566656BB9FCC4F5DB8CE8B681031CA15C5FE773140E66774AF49FA922665FF08F724925F01DC98D4E72A08C0D52
Malicious:	false
Preview:	__pycache__/readline.cpython-311.pyc,,..pyreadline3-3.5.4.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..pyreadline3-3.5.4.dist-info/LICENSE.md,sha256=j8TY3mG0BTMCOxbmRSjRM3Gi6caGd9957V6TulcEcb0,2250..pyreadline3-3.5.4.dist-info/METADATA,sha256=nQOXJa_U-sDQlnFW8Z9Cru_tmCVVQC1HeyVd7PIJACs,4653..pyreadline3-3.5.4.dist-info/RECORD,,..pyreadline3-3.5.4.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91..pyreadline3-3.5.4.dist-info/top_level.txt,sha256=jFAZcAVg1WzdsUjogYZvyqSMaBAN38sqUZemcaDxF9E,21..pyreadline3/__init__.py,sha256=Pyu6nWoyEUUQKG-mol6rpiC1LhaDWDr8Metw0QJ0ws0,1031..pyreadline3/__pycache__/__init__.cpython-311.pyc,,..pyreadline3/__pycache__/error.cpython-311.pyc,,..pyreadline3/__pycache__/get_doc.cpython-311.pyc,,..pyreadline3/__pycache__/py3k_compat.cpython-311.pyc,,..pyreadline3/__pycache__/rlmain.cpython-311.pyc,,..pyreadline3/__pycache__/unicode_helper.cpython-311.pyc,,..pyreadline3/clipboard/__init__.py,sha256=ONeTJdTckSx0utxQb

C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	91
Entropy (8bit):	4.718144065224423
Encrypted:	false
SSDEEP:	3:RtEeXMRYFAQ6AP+tPCCfA5S:RtC1dAWBBf
MD5:	7F6453A7381AA145E12AF40803936ACD
SHA1:	2E5EF9544128D62528021C7DA99AD053ED68F563
SHA-256:	195F5A3138703FFE28342B6F102D9E737A9462EB6059E033925AE8FF49B85894
SHA-512:	DA4D79AB9C4A9DFD1C7F65A8F7D71C285C0E04B192075012530D60C367C17F554EDFA416941673F462DA52C380C0B58FD3795DB656DF6EC118B55933AB587238
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: setuptools (75.1.0).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI67562\pyreadline3-3.5.4.dist-info\top_level.txt

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.3446983751597124
Encrypted:	false
SSDEEP:	3:uJM0WJ/bv:u0J/L
MD5:	EF6BE090D4FDBF180965E16643DD8642
SHA1:	4541545BCB7E01DADAEA92608C362A9323734D91
SHA-256:	8C5019700560D56CDDB148E881866FCAA48C68100DDFCB2A5197A671A0F117D1
SHA-512:	7661EE00D4096DE4A367E351C1632E78B35645AD376033A7659B5888FECDDBF16B373835087E96A8B3767E9CE0BD824A13BAC10564B055F5BD1EF4880DD20376
Malicious:	false
Preview:	pyreadline3.readline.

C:\Users\user\AppData\Local\Temp\_MEI67562\python3.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67352
Entropy (8bit):	6.146376482841349
Encrypted:	false
SSDEEP:	768:iw/EsYpkVgBaz57kcDA7QKFmpz7cnzH/ks/KF61xubwmB1Cf//yhC74JFmpktJSv:F/5k8cnzeJfRIbL0D7SyZxEL
MD5:	35DA4143951C5354262A28DEE569B7B2
SHA1:	B07CB6B28C08C012EECB9FD7D74040163CDF4E0E
SHA-256:	920350A7C24C46339754E38D0DB34AB558E891DA0B3A389D5230A0D379BEE802
SHA-512:	2976667732F9EE797B7049D86FD9BEEB05409ADB7B89E3F5B1C875C72A4076CF65C762632B7230D7F581C052FCE65BB91C1614C9E3A52A738051C3BC3D167A23
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........T...5e..5e..5e..m..5e..e..5e.....5e..g..5e.Rich.5e.........PE..d......e.........." ...%..................................................................`.........................................`...P................................/..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\python311.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5789464
Entropy (8bit):	6.087003733819531
Encrypted:	false
SSDEEP:	49152:7KUvq5S8qfFIbGoSieBCZjze3eWVWhQNkGDiUWmtAoaOvi26g2je7wkUB3AO1Fp6:7KUvq1quUqjTPGzuvihAs2oH9M8I9URf
MD5:	D06DA79BFD21BB355DC3E20E17D3776C
SHA1:	610712E77F80D2507FFE85129BFEB1FF72FA38BF
SHA-256:	2835E0F24FB13EF019608B13817F3ACF8735FBC5F786D00501C4A151226BDFF1
SHA-512:	E4DD839C18C95B847B813FFD0CA81823048D9B427E5DCF05F4FBE0D77B8F7C8A4BD1C67C106402CD1975BC20A8EC1406A38AD4764AB466EF03CB7EB1F431C38A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............\|...\|...\|.......\|.......\|.......\|.......\|.......\|....c..\|......\|...\|..}.......\|.......\|.......\|.......\|..Rich.\|..........PE..d......e.........." ...%..%..P7.....\z.......................................@].......X...`...........................................@......A.......[.......W..2...(X../....[..D..@..T..............................@.............%.p............................text.....%.......%................. ..`.rdata........%.......%.............@..@.data...P&....A..X....A.............@....pdata...2....W..4....R.............@..@PyRuntim.....PY......LT.............@....rsrc.........[.......V.............@..@.reloc...D....[..F....V.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32\pythoncom311.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	669696
Entropy (8bit):	6.035392172368621
Encrypted:	false
SSDEEP:	12288:mjN+cC8C0nALOrc5qcse64RV7n04pd+1xeo:AN+cnCqrcEbefFno
MD5:	F98264F2DACFC8E299391ED1180AB493
SHA1:	849551B6D9142BF983E816FEF4C05E639D2C1018
SHA-256:	0FE49EC1143A0EFE168809C9D48FE3E857E2AC39B19DB3FD8718C56A4056696B
SHA-512:	6BB3DBD9F4D3E6B7BD294F3CB8B2EF4C29B9EFF85C0CFD5E2D2465BE909014A7B2ECD3DC06265B1B58196892BB04D3E6B0AA4B2CCBF3A716E0FF950EB28DB11C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`...3...3...3..\3...3...2...3...2...3...2...3...2...3...2...3U..2...3...2...3...3..3U..2..3U..2...3U..2...3Rich...3................PE..d...f..d.........." ......................................................................`..........................................U...c..............l....@...z............... ......T...........................0...8............................................text............................... ..`.rdata...#.......$..................@..@.data....I..........................@....pdata...z...@...\|..................@..@.rsrc...l...........................@..@.reloc... ......."..................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\pywin32_system32\pywintypes311.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	134656
Entropy (8bit):	5.995319660651805
Encrypted:	false
SSDEEP:	3072:luJ2G0a2fYrFceQaVK756Y/r06trRjEKQze7KN9eJKVKG6j1J:luJ2faiYrFceQaVfY/rx1eze7KbewVrk
MD5:	90B786DC6795D8AD0870E290349B5B52
SHA1:	592C54E67CF5D2D884339E7A8D7A21E003E6482F
SHA-256:	89F2A5C6BE1E70B3D895318FDD618506B8C0E9A63B6A1A4055DFF4ABDC89F18A
SHA-512:	C6E1DBF25D260C723A26C88EC027D40D47F5E28FC9EB2DBC72A88813A1D05C7F75616B31836B68B87DF45C65EEF6F3EAED2A9F9767F9E2F12C45F672C2116E72
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.$g..wg..wg..wn.[wk..w5..vc..w..5wf..w5..vs..w5..vo..w5..vd..ws..vf..w...ve..ws..vl..wg..w...w...vj..w...vf..w...vf..wRichg..w........PE..d......d.........." ................L........................................P............`......................................... u..`B......,....0..l.......L............@..0...`Q..T............................Q..8............................................text............................... ..`.rdata..R...........................@..@.data....-.......(..................@....pdata..L...........................@..@.rsrc...l....0......................@..@.reloc..0....@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\select.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30488
Entropy (8bit):	6.583657920209147
Encrypted:	false
SSDEEP:	768:jeUeWEHqTG+RIbQGC5YiSyvkki+AMxkEGu:jeUeWEKTG+RIbQGg7Sy/rxyu
MD5:	E07AE2F7F28305B81ADFD256716AE8C6
SHA1:	9222CD34C14A116E7B9B70A82F72FC523EF2B2F6
SHA-256:	FB06AC13F8B444C3F7AE5D2AF15710A4E60A126C3C61A1F1E1683F05F685626C
SHA-512:	ACB143194CA465936A48366265AE3E11A2256AEAE333C576C8C74F8ED9B60987DAFF81647AEF74E236B30687A28BC7E3AA21C6AEDBFA47B1501658A2BFD117B4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..t.s.'.s.'.s.'..7'.s.'...&.s.'...&.s.'...&.s.'...&.s.'(.&.s.'.s.'Ps.'Y..&.s.'(.&.s.'(.&.s.'(.['.s.'(.&.s.'Rich.s.'........PE..d......e.........." ...%.....2.......................................................J....`..........................................@..L...,A..x....p.......`.......H.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info\INSTALLER

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info\LICENSE

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1050
Entropy (8bit):	5.072538194763298
Encrypted:	false
SSDEEP:	24:1rmJHcwH0MP3gt8Hw1hj9QHOsUv4eOk4/+/m3oqMSFJ:1aJ8YHvEH5QHOs5exm3oEFJ
MD5:	7A7126E068206290F3FE9F8D6C713EA6
SHA1:	8E6689D37F82D5617B7F7F7232C94024D41066D1
SHA-256:	DB3F0246B1F9278F15845B99FEC478B8B506EB76487993722F8C6E254285FAF8
SHA-512:	C9F0870BC5D5EFF8769D9919E6D8DDE1B773543634F7D03503A9E8F191BD4ACC00A97E0399E173785D1B65318BAC79F41D3974AE6855E5C432AC5DACF8D13E8A
Malicious:	false
Preview:	Copyright Jason R. Coombs..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to.deal in the Software without restriction, including without limitation the.rights to use, copy, modify, merge, publish, distribute, sublicense, and/or.sell copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING.FROM, OUT OF OR IN CONNECTION WITH THE SOFTW

C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info\METADATA

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	6301
Entropy (8bit):	5.107162422517841
Encrypted:	false
SSDEEP:	192:W4rkAIG0wRg8wbNDdq6T9927uoU/GBpHFwTZ:Sq0wRg8wbNDdBh927uoU/GBRFi
MD5:	9E59BD13BB75B38EB7962BF64AC30D6F
SHA1:	70F6A68B42695D1BFA55ACB63D8D3351352B2AAC
SHA-256:	80C7A3B78EA0DFF1F57855EE795E7D33842A0827AA1EF4EE17EC97172A80C892
SHA-512:	67AC61739692ECC249EBDC8F5E1089F68874DCD65365DB1C389FDD0CECE381591A30B99A2774B8CAAA00E104F3E35FF3745AFF6F5F0781289368398008537AE7
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: setuptools.Version: 65.5.0.Summary: Easily download, build, install, upgrade, and uninstall Python packages.Home-page: https://github.com/pypa/setuptools.Author: Python Packaging Authority.Author-email: distutils-sig@python.org.Project-URL: Documentation, https://setuptools.pypa.io/.Project-URL: Changelog, https://setuptools.pypa.io/en/stable/history.html.Keywords: CPAN PyPI distutils eggs package management.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: MIT License.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3 :: Only.Classifier: Topic :: Software Development :: Libraries :: Python Modules.Classifier: Topic :: System :: Archiving :: Packaging.Classifier: Topic :: System :: Systems Administration.Classifier: Topic :: Utilities.Requires-Python: >=3.7.License-File: LICENSE.Provides-Extra: certs.Provides-Extra: docs.Requi

C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info\RECORD

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	37694
Entropy (8bit):	5.555787611309118
Encrypted:	false
SSDEEP:	384:vSzcBlShgRUhbul9nXJkpIVh498WjXYH0+5+E/8mrnaDoaQP7IOQRJqxBPgof2yd:vc853yQXYAY8AKCT9r2/GsIVxE9Im
MD5:	087F72A04BB085627494651E36C4C513
SHA1:	1E39070E246F91D8926268A033C6F584E629E2DE
SHA-256:	BFB77A968E06417BD37023BF1A2D7F1AAE9D8E74231665D6699D5BB82BDBD7B0
SHA-512:	39CE042A20324C6B63A192D70E56B36318C45D04B810A6BD333D1D40B6DAAD947AFB9156C003BC86C700A59F0F25753416D754DA06C808814920F92582CB6058
Malicious:	false
Preview:	_distutils_hack/__init__.py,sha256=TSekhUW1fdE3rjU3b88ybSBkJxCEpIeWBob4cEuU3ko,6128.._distutils_hack/__pycache__/__init__.cpython-311.pyc,,.._distutils_hack/__pycache__/override.cpython-311.pyc,,.._distutils_hack/override.py,sha256=Eu_s-NF6VIZ4Cqd0tbbA5wtWky2IZPNd8et6GLt1mzo,44..distutils-precedence.pth,sha256=JjjOniUA5XKl4N5_rtZmHrVp0baW_LoHsN0iPaX10iQ,151..pkg_resources/__init__.py,sha256=fT5Y3P1tcSX8sJomClUU10WHeFmvqyNZM4UZHzdpAvg,108568..pkg_resources/__pycache__/__init__.cpython-311.pyc,,..pkg_resources/_vendor/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..pkg_resources/_vendor/__pycache__/__init__.cpython-311.pyc,,..pkg_resources/_vendor/__pycache__/appdirs.cpython-311.pyc,,..pkg_resources/_vendor/__pycache__/zipp.cpython-311.pyc,,..pkg_resources/_vendor/appdirs.py,sha256=MievUEuv3l_mQISH5SF0shDk_BNhHHzYiAPrT3ITN4I,24701..pkg_resources/_vendor/importlib_resources/__init__.py,sha256=evPm12kLgYqTm-pbzm60bOuumumT8IpBNWFp0uMyrzE,506..pkg_resources/_vendor/importli

C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info\WHEEL

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.820827594031884
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlViZHKRRP+tPCCfA5S:RtBMwlViojWBBf
MD5:	4D57030133E279CEB6A8236264823DFD
SHA1:	0FDC3988857C560E55D6C36DCC56EE21A51C196D
SHA-256:	1B5E87E00DC87A84269CEAD8578B9E6462928E18A95F1F3373C9EEF451A5BCC0
SHA-512:	CD98F2A416AC1B13BA82AF073D0819C0EA7C095079143CAB83037D48E9A5450D410DC5CF6B6CFF3F719544EDF1C5F0C7E32E87B746F1C04FE56FAFD614B39826
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.37.1).Root-Is-Purelib: true.Tag: py3-none-any..

C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info\entry_points.txt

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2740
Entropy (8bit):	4.540737240939103
Encrypted:	false
SSDEEP:	48:lELcZDy3g6ySDsm90rZh2Phv4hhpTqTog:yLAP8arZoP94hTTqcg
MD5:	D3262B65DB35BFFAAC248075345A266C
SHA1:	93AD6FE5A696252B9DEF334D182432CDA2237D1D
SHA-256:	DEC880BB89189B5C9B1491C9EE8A2AA57E53016EF41A2B69F5D71D1C2FBB0453
SHA-512:	1726750B22A645F5537C20ADDF23E3D3BAD851CD4BDBA0F9666F9F6B0DC848F9919D7AF8AD8847BD4F18D0F8585DDE51AFBAE6A4CAD75008C3210D17241E0291
Malicious:	false
Preview:	[distutils.commands].alias = setuptools.command.alias:alias.bdist_egg = setuptools.command.bdist_egg:bdist_egg.bdist_rpm = setuptools.command.bdist_rpm:bdist_rpm.build = setuptools.command.build:build.build_clib = setuptools.command.build_clib:build_clib.build_ext = setuptools.command.build_ext:build_ext.build_py = setuptools.command.build_py:build_py.develop = setuptools.command.develop:develop.dist_info = setuptools.command.dist_info:dist_info.easy_install = setuptools.command.easy_install:easy_install.editable_wheel = setuptools.command.editable_wheel:editable_wheel.egg_info = setuptools.command.egg_info:egg_info.install = setuptools.command.install:install.install_egg_info = setuptools.command.install_egg_info:install_egg_info.install_lib = setuptools.command.install_lib:install_lib.install_scripts = setuptools.command.install_scripts:install_scripts.rotate = setuptools.command.rotate:rotate.saveopts = setuptools.command.saveopts:saveopts.sdist = setuptools.command.sdist:sdist.seto

C:\Users\user\AppData\Local\Temp\_MEI67562\setuptools-65.5.0.dist-info\top_level.txt

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	41
Entropy (8bit):	3.9115956018096876
Encrypted:	false
SSDEEP:	3:3Wd+Nt8AfQYv:3Wd+Nttv
MD5:	789A691C859DEA4BB010D18728BAD148
SHA1:	AEF2CBCCC6A9A8F43E4E150E7FCF1D7B03F0E249
SHA-256:	77DC8BDFDBFF5BBAA62830D21FAB13E1B1348FF2ECD4CDCFD7AD4E1A076C9B88
SHA-512:	BC2F7CAAD486EB056CB9F68E6C040D448788C3210FF028397CD9AF1277D0051746CAE58EB172F9E73EA731A65B2076C6091C10BCB54D911A7B09767AA6279EF6
Malicious:	false
Preview:	_distutils_hack.pkg_resources.setuptools.

C:\Users\user\AppData\Local\Temp\_MEI67562\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1500440
Entropy (8bit):	6.5886899298928325
Encrypted:	false
SSDEEP:	24576:zTqtyGkxOc+wv05tP5kf82Hr/74YPF5o/P/gnAracr7/24UcypY7w0vpZUFJ++E:Sk0jwv4tP5kf8ar/74EF2/An4acrVUcl
MD5:	346F6150977371CDC424EC9275A9B47C
SHA1:	986096738808EB6ED364C4AC5B3500B5B35BEC10
SHA-256:	FF950AF2DAD140377A55DA6F3C242327CED0CF498DB50E028ABE1ED023F19B90
SHA-512:	03CB04E356A8A2D9B871D3365CAB01DA4220DF7687BE38572AE37FA833B924F8C7C5A4606B33AD717D50E5D3D8929F885F38EF5AD582A579C4EE7093F302EE9F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......SJ...+...+...+...S...+...T...+...T...+...T...+...T...+..\S...+...+...+..-....+..-....+..-.n..+..-....+..Rich.+..................PE..d...@..e.........." ...%..................................................................`..........................................d...".............................../..........P...T...............................@...............@............................text...x........................... ..`.rdata..f...........................@..@.data....G.......>..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\tinyaes.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	55296
Entropy (8bit):	5.856174037987334
Encrypted:	false
SSDEEP:	768:MbEbpbAn7Ap8gifALrYpHmC35Z9LZ0e3lrl1lBp6Os:FVA7Kli4wpGC35X90ePT6Os
MD5:	12BE3EDC4E8C405FD5DB87A150CD7E3D
SHA1:	378760744CE573A2F6CD0E99339F95FA78253415
SHA-256:	ABD791A5881DA30E74EBDF0D4F7215AE12DC5D844C1A8FD14F3557D3862BEF7A
SHA-512:	61B3825ADC50D769AF535767CBDF1DFD14411091CC541C568FE65BA03BE81CDAE03B833699E1132452DF50A5BBF5EAA78012AA91531549A4FC3EFBB8823641EA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Z.............................................................................................B.............Rich....................PE..d...!..f.........." ...).....V...... ........................................0............`.........................................p...`.......d...............H............ ......@...................................@............................................text...x........................... ..`.rdata..x7.......8..................@..@.data...............................@....pdata..H...........................@..@.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\ucrtbase.dll

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1044880
Entropy (8bit):	6.646904878375534
Encrypted:	false
SSDEEP:	24576:ZsKxVJ/pRRK0Y/9f5rl4NbpjONcncvE4mxvSZX0yp49H:OKxDPHQ5rlQBvhV
MD5:	5CE1730D8C2B332C2285902BC53AC5C4
SHA1:	28DA42431AC9F358FCDDE9C81B9554E773B1A3F4
SHA-256:	7A446ABE717BE7AEC33FA31F5864C293E408D4B48CD5DEFA13212A207A9E5E87
SHA-512:	33327E4751D5A1B496CD88A4F8C76B79D63BAAF15E3E3843E09E9DC32B8ACD86FEF8E09FABC4498D64354A79D63E0364D3909FDD6933F75E548A07489B9CA4F6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........of...5...5...5..5...5...5&..5...5...5...4...5...4...5...4...5...4...5...4..5...5...5...4...5Rich...5........PE..d......C.........." .....:..........0Z....................................................`A................................................................. ...........E.............p........................... f..............................................text...09.......:.................. ..`.rdata..^....P.......>..............@..@.data....&..........................@....pdata....... ......................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1141016
Entropy (8bit):	5.435118418691938
Encrypted:	false
SSDEEP:	12288:iYPYbfjwR6nb8onRiPDjRrO5184EPYPx++ZiLKGZ5KXyVH4eDq97:iaYbM90IDJcjEwPgPOG6Xyd46q97
MD5:	5CC36A5DE45A2C16035ADE016B4348EB
SHA1:	35B159110E284B83B7065D2CFF0B5EF4CCFA7BF1
SHA-256:	F28AC3E3AD02F9E1D8B22DF15FA30B2190B080261A9ADC6855248548CD870D20
SHA-512:	9CCCBF81E80C32976B7B2E0E3978E8F7350CCE542356131B24EBAB34B256EFD44643D41EE4B2994B9152C2E5AF302AA182A1889C99605140F47494A501EF46C1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........L..L..L..E.q.J..Y..N..Y..A..Y..D..Y..O..vE.O.....N..L.....vE.M..vE.M..vE..M..vE..M..RichL..........................PE..d......e.........." ...%.@..........P*..............................................o.....`.............................................X............`.......P..0....:.../...p.......]..T............................[..@............P..x............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data...H....0......................@....pdata..0....P.......&..............@..@.rsrc........`......................@..@.reloc.......p.......8..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\win32\_win32sysloader.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.115373165177945
Encrypted:	false
SSDEEP:	192:yuCm72PEO1jIUs0YqEcPbF55UgCWV4rofnbPutEvbqDLWn7ycLmrN/:LardA0Bzx14r6nbF0W+/
MD5:	6B3D025362F13D2E112D7FEC4B58BF0C
SHA1:	4A26921FCD1E9EE19C2D8BF67FB8ACF9C48AE359
SHA-256:	48D2D1F61383DCAF65F5F4F08CAE96F4A915EB89C3EA23D0EF9AE7B0A8173399
SHA-512:	3023901EDFF779DBD1FF37BA9FB950ECD6D9AC8117EA7A0585A004DA453B98AE5EAB8C2B15C85DCD6E0E9C24EF6734D4AE322B9E5C5E6C9553148B01A14BE808
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d.f. ... ... ...).."...r..."...4..."...r...+...r...(...r...#.......#... ...........!.......!.......!...Rich ...........PE..d......d.........." ......................................................................`..........................................;..`...`;..d....p..t....`..................@...\|2..T............................2..8............0..p............................text............................... ..`.rdata..$....0......................@..@.data........P......................@....pdata.......`.......0..............@..@.rsrc...t....p.......4..............@..@.reloc..@............8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32api.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	133632
Entropy (8bit):	5.851354810898845
Encrypted:	false
SSDEEP:	3072:HPwB2zC1vwC3XetCf5RlRVFhLaNKPAyymhNYm9b9e:HIB2zkvwGXetCfDlRVlPAyLYm9
MD5:	1D6762B494DC9E60CA95F7238AE1FB14
SHA1:	AA0397D96A0ED41B2F03352049DAFE040D59AD5D
SHA-256:	FAE5323E2119A8F678055F4244177B5806C7B6B171B1945168F685631B913664
SHA-512:	0B561F651161A34C37FF8D115F154C52202F573D049681F8CDD7BBA2E966BB8203780C19BA824B4A693EF12EF1EEEF6AEEEF96EB369E4B6129F1DEB6B26AAA00
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I^.f'..f'..f'......f'...&..f'...#..f'...$..f'.o.&..f'..."..f'...&..f'..f&..g'.o....f'.o.'..f'.o.%..f'.Rich.f'.................PE..d......d.........." .........................................................P............`..........................................................0..\....................@..$....v..T............................<..8............0..........@....................text...$........................... ..`.rdata......0......................@..@.data...x(......."..................@....pdata..............................@..@.rsrc...\....0......................@..@.reloc..$....@......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32crypt.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	123904
Entropy (8bit):	5.966536263597539
Encrypted:	false
SSDEEP:	1536:qcoj2WDPYNSPEkIrFCkAShRD/bv0SShzljLraBqf9308qxJ83zEBoPTEdLQEF8/d:q7jbPA0SD9S3vrCqf93xM4TEdLZn1xa
MD5:	5390ADE0ED5428024F3D854B5B9BFE9F
SHA1:	DADA7B44887DCB7B77DCADB9690BAECF3EE2B937
SHA-256:	9771F09BE29BD7A69ABE774E28472A392382883C18A3CC524F8141E84B1BE22C
SHA-512:	92E82EFF79F45D4DE1CF27946A357F122C5337A85315D7C139458A1A6A51DFFBF3CBFCF832851FBDCD0EC1BD0F82E7089125FFBBE3275675433089BDDBFF865B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U...U...U...\.v.S.......Q.......E.......].......V.....Q...A...R...U........\.....T.....T...RichU...........PE..d......d.........." ................(........................................ ............`..........................................o..................d.......................H....G..T............................H..8............................................text...~........................... ..`.rdata..............................@..@.data....-.......(..................@....pdata..............................@..@.rsrc...d...........................@..@.reloc..H...........................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32evtlog.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	73216
Entropy (8bit):	5.760657769680508
Encrypted:	false
SSDEEP:	1536:0pFAM7885hqM5cE9GVV+YTFx5VgGYLxifpfz:YFJ78+NeVV+YBHVgGYLYfpfz
MD5:	F95639980A358B2B157AF19D8837B3AB
SHA1:	7B6CC1B4916B546D64E9B772F64669CA7EA0C31C
SHA-256:	9EDC507023126FE4BB61E301E06897956CE789FD4D985A42210B9B93D4F966CC
SHA-512:	97EEB0F7706ECDBC7B351F1D95F29491BB96B1BDBA2E24A16D713977F0F3FC538D55469E1873EAF3551B1707D42C3BBABD6B180971F096D6199A505725E59A16
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A..............V....W.....W......W..........W.............................:.........Rich...........................PE..d......d.........." ................p........................................`............`.............................................X...8........@.. ....0..\|............P..l.......T...........................`...8...............`.......@....................text............................... ..`.rdata..&\.......^..................@..@.data...............................@....pdata..\|....0......................@..@.rsrc... ....@......................@..@.reloc..l....P......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\win32\win32trace.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23552
Entropy (8bit):	5.2797447560366155
Encrypted:	false
SSDEEP:	384:JPeeH8ZmV+zknwMsADuVLw0T8DmDRl2jYI7AHCQnpC9QJX1B5:JL+zi/uVbSYI4d6CB
MD5:	2705D0AC399B949261F4D9AF473DBA7C
SHA1:	2B84CEDFCB90F8278E698AC2319C860F373060F2
SHA-256:	961D93DBD18F33685C5384F4346D8AF2A452E51F7171E6CB053B9BB260EDA5A3
SHA-512:	F546670352D5934F11EFBE53AE382EE96E9D88DB7A8709EE1CEC36474E61E3C3DD9EDC01A8557152A0F3F0CF808410E31AE37F178BB2F34EC00156808103C72D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>].OP..OP..OP..7...OP..:Q..OP..:U..OP..:T..OP..:S..OP..:Q..OP..$Q..OP..OQ..OP..:Y..OP..:P..OP..:R..OP.Rich.OP.................PE..d......d.........." .....,...,.......(....................................................`..........................................Q..T...dQ..........d....p.......................G..T...........................0H..8............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...(....`.......L..............@....pdata.......p.......R..............@..@.rsrc...d............V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\win32com\shell\shell.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	528384
Entropy (8bit):	6.160492941773028
Encrypted:	false
SSDEEP:	6144:x1uoSNIiaRGfvtQqmJeRAsgUW9yKj6pWa1P5ziI7RRWf:x1uoSNIH8HtQbems66pWab37R4f
MD5:	8A0C2F96414475498D6E9BADA00DE986
SHA1:	BB8E66F3DF9F25B12777E3F48BA7069940F0C920
SHA-256:	3F45C59F75E61FA93B5C2B1F65995B621C3FD301FB500A17599BEFA54538D1D0
SHA-512:	75D718F30209D81819CEA7B148D3A8DD7FCB9FC94E87A8DD5D7C795B334DEACD6A598F583475B7005D0E81929C9E70F19BABFE92BE1E1E39F62296078FDEEAEA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.C.............bh.....Wo......Wo......Wo......Wo.......q.......o.......q.......q...............o..C....o.......o......Rich....................PE..d...#..d.........." .....$................................................................`.............................................L...............L.......xx...............!......T..............................8............@...............................text...n#.......$.................. ..`.rdata.......@.......(..............@..@.data...@....0...^..................@....pdata..xx.......z...p..............@..@.rsrc...L...........................@..@.reloc...!......."..................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\zstandard\_cffi.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	650752
Entropy (8bit):	6.4073215909095005
Encrypted:	false
SSDEEP:	6144:rbTutDqcmbgSZZ/jZMaBHXD/OHHSAU1gIkpWCuMshv9K1HFV1jBjgG4LFxJY/1n:rfrcmsSHBHXiSArRENMivwF1jdgs/1n
MD5:	A19B5E6324D1A6A9FD99C98FE7B83FE2
SHA1:	4E3E56754A3C46C661EF591A4B5A5985BD4F6B85
SHA-256:	3ED00BB5876EAFA617BEBB213D2BC887B5637C53C4A849FCC2366084BF056787
SHA-512:	5975F90036CB7D3013FC6815F2C372EB9B89AF6C8153D1770EBBD70BF5B61E3B12DEFA3D7A4CCD364BD6A978B2879A15801D2AEC8BAD9221CA15DFFC9B7BA929
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................1....!X............!X.....!X.....!X......Z............_......_......_]....._.....Rich...........................PE..d...B'.f.........." ...(.....\...... ........................................0............`.........................................0...\........................3........... .......d..............................Pc..@...............@............................text...H........................... ..`.rdata..b...........................@..@.data...............................@....pdata...3.......4..................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI67562\zstandard\backend_c.cp311-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	519680
Entropy (8bit):	6.407145343537454
Encrypted:	false
SSDEEP:	12288:n5vDYEvt0Fwyow0k1rErp645rtxvi1gRNg5sXgz0:npBvt0Fw9fk1rErQ45rt5RNZ
MD5:	56DB4A861AEC914A860461DEDCDCA0A0
SHA1:	8535A8C9EAC371A54308795A8BBE89414933E035
SHA-256:	6AB611C4A24406D9D97F09D49D50142AB2734B69A2B0D9EA6489E4AF90C4A2A4
SHA-512:	600A21666E9ED334DE5B4B17F60136434EE485C80F9740E6085E24EF95CA5376E6223A54C6B1C8F12987EDAB5D89AF9676CC12E2A335F4C4E9AB79DFEF8E4B90
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................P.............P......P......P......R........4...W......W......Wn.....W.....Rich...........PE..d...<'.f.........." ...(............ ........................................0............`.............................................d...D....................)........... ..d...0\...............................Z..@...............(............................text...H........................... ..`.rdata..............................@..@.data....-.......(..................@....pdata...).......*..................@..@.rsrc...............................@..@.reloc..d.... ......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nhj_etj2

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:qn:qn
MD5:	3F1D1D8D87177D3D8D897D7E421F84D6
SHA1:	DD082D742A5CB751290F1DB2BD519C286AA86D95
SHA-256:	F02285FB90ED8C81531FE78CF4E2ABB68A62BE73EE7D317623E2C3E3AEFDFFF2
SHA-512:	2AE2B3936F31756332CA7A4B877D18F3FCC50E41E9472B5CD45A70BEA82E29A0FA956EE6A9EE0E02F23D9DB56B41D19CB51D88AAC06E9C923A820A21023752A9
Malicious:	false
Preview:	blat

C:\Users\user\AppData\Local\Temp\tmp5fxsnor_\Local State

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	66646
Entropy (8bit):	6.044576597568136
Encrypted:	false
SSDEEP:	1536:k8Tc32bwS8Oa6nviYQkiEZQiaWh9emCgfXJ9Uu:k8bJznvi61e8fIu
MD5:	BEEB299F37F7FB5E83199C87E7D12EDA
SHA1:	D77E47377D802C79BD8C0B87B1E9F0520A6A9864
SHA-256:	06FEBBBE692878AD3433329A9155B08A1E0A5EC68152AD6B03A552FB39DACD46
SHA-512:	911E4E566B7663D7EF504B77A60B60C4F060C01CF451D6EF40F4D370F20194354B31FF3FFB8223DE22166DC522DDFE5912523EBF5A474F7A6621A3EB95EDF56F
Malicious:	false
Preview:	{"browser":{"first_run_finished":true,"first_run_study_group":"EnabledE-5","shortcut_migration_version":"117.0.5938.132"},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"os_crypt":{"app_bound_fixed_data":"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAG7I4XamucEiJgTIvWNrX8QAAAAACAAAAAAAQZgAAAAEAACAAAACz9LIY/Sft4sF7BR0/+RlMXu9lhIRI5BaZTSQpyRPpLAAAAAAOgAAAAAIAACAAAADpL4/Y0/1c7GfAyejoQlHrWIfhufkrSTaxhr33kLRaiGABAABCz7EyQ+8ml1FxjRqtgyeWwLLZ2IHAzJeD0JnWN0wZz313G7DGWg+UAsBKIMQy5yoFT6uS18pLOAyaJXxUDloUrKvqu51HeVrnYHoVb8WT7jb6PiSZemofWqeToVsJHvtWDZt5T3cRsPTFluK+ErdhV/M4aslTfHhHU5oOdEFpJOJjtEggjyvy+1z4MfOSzFQSR/yUPtVqL11Kienypq7Pfce/sgXQVyQx5HJtARkiij5S80SSAzlX7odXphhcK8KFY7RZq5/8tF3h6DjBHxi9tJQHjyUkWUars8S2pxC2nfARqxQF3hsXBSGhzpXzBeEyndaMlhVfFQG+uOvLDxv6WWNzrjY/N23xyPWDnjICFAZ1Phbd/J/YvjpTb6AiXnSITx3SZj6TKb6dLBr9boJsB8rSYGXCaHgO5j6IZBvlJWu9yNA8rR4b0hxpmRkM7XxuKP

C:\Users\user\AppData\Local\Temp\tmp5fxsnor_\Login Data

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpfcfae2eh\Local State

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6648
Entropy (8bit):	5.799886528185702
Encrypted:	false
SSDEEP:	96:iaYufr62qpTM5ih/cI9URXl8RotowZFVvluhte4dUONIeTC6XQS0qGqk+Z4uj+rW:Io+The2RUUhH6qRAq1k8SPxVLZ7VTi1
MD5:	90A2F19EEFA47D85E430FE6C5168119E
SHA1:	37891580B150A8ACE11FFD627FBB31A27F23613D
SHA-256:	EB2BD55079C7F57F370274A590904D6816B2888B19EAD691FC316E2E34E6097B
SHA-512:	CA73C269544837779C04CD438FE07171FAF8FC88689D9AD9F3CBAEC3CC92A803F17FE9BB0CEEFC950B10930F079D9ABBB259BE32C8A6BBE7CEE331C2DCCE7E0A
Malicious:	false
Preview:	{"browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"fire_local_softlanding_notification":false,"fre":{"soft_landing_bubble":{"bubble_response":0,"has_user_seen_bubble":true,"is_bubble_triggered":0}},"hardware_acceleration_mode_previous":true,"legacy":{"profile":{"name":{"migrated":true}}},"migration":{"last_edgeuwp_pin_migration_on_edge_version":"92.0.902.67","last_edgeuwp_pin_migration_on_os_version":"10 OS Version 2009 (Build 19045.2006)","last_edgeuwp_pin_migration_success":false},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAADscBs/HS2TTJocp6NtpoyLEAAAAAoAAABFAGQAZwBlAAAAEGYAAAABAAAgAAAAsW8ultSdDwTk/AwAAbf7bEI2/b0XfFbP3jjJ+raY3fcAAAAADoAAAAACAAAgAAAAsg3hXdbXl6JIj8KFvhbWlaqVSpM3ag+0g0nExYB2Z1kwAAAAXs7yCB0jG0dlOoc3vEVs9i7od11B2WMH/KUhpHcou9G

C:\Users\user\AppData\Local\Temp\tmpfcfae2eh\Login Data

Download File

Process:	C:\Users\user\Desktop\54Oa5PcvK1.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.997262994889526
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	54Oa5PcvK1.exe
File size:	23'470'644 bytes
MD5:	7779f97c3a704491e0b217ef536d225a
SHA1:	9f5943b644c8e694b3cb6296a450de5be369dcb9
SHA256:	150bd33eb83e01bd26e6ea50fb7e1058e57855f8c50753f8a3b7401d712b8351
SHA512:	f2a7a0d3e3295d40d4d28617d178aee2e230663b868526a8b467fedd836deee14d52396239e9a14679712685542963b01cef42fd399007af77d76fdc1aeaa26d
SSDEEP:	393216:oEkZQtsMVehZ2YsHFUK2Jn1+TtIiFC/IjcBhpyi9mPDnrmvUaudE6vjK6GIva4lu:ohQtsQ6Z2YwUlJn1QtI1/I2pyZDCv0di
TLSH:	A3373322A22218D8D9D95439A11AD279CBB1FC83ABF0D00F73B457174FDB1519EBAF21
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................1.............-.............................................H.......H.......Rich...................

File Icon


Icon Hash:	2e1e7c4c4c61e979

Static PE Info

General

Entrypoint:	0x14000a6a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x671D4D9B [Sat Oct 26 20:14:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	ba5546933531fafa869b1f86a4e2a959

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA5B070091Ch
dec eax
add esp, 28h
jmp 00007FA5B070051Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007FA5B0700E64h
test eax, eax
je 00007FA5B07006D3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007FA5B07006B7h
dec eax
cmp ecx, eax
je 00007FA5B07006C6h
xor eax, eax
dec eax
cmpxchg dword ptr [00041E8Ch], ecx
jne 00007FA5B07006A0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007FA5B07006A9h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00041E77h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00041E67h], al
call 00007FA5B0700C63h
call 00007FA5B0701D92h
test al, al
jne 00007FA5B07006B6h
xor al, al
jmp 00007FA5B07006C6h
call 00007FA5B070F171h
test al, al
jne 00007FA5B07006BBh
xor ecx, ecx
call 00007FA5B0701DA2h
jmp 00007FA5B070069Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00041E2Ch], 00000000h
mov ebx, ecx
jne 00007FA5B0700719h
cmp ecx, 01h
jnbe 00007FA5B070071Ch
call 00007FA5B0700DCAh
test eax, eax
je 00007FA5B07006DAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bb94	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0xf004	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4e000	0x20e8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x62000	0x75c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x39350	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39210	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2a000	0x350	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28890	0x28a00	7c71956ea75242f33df45f4d2c19a4d8	False	0.5562019230769231	zlib compressed data	6.489977853279916	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2a000	0x1271a	0x12800	13f7508ea94b13668034138e91881a5a	False	0.515941722972973	data	5.846273787790564	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x103f8	0xe00	9bd2cebaa3285e8e266c4c373a15119d	False	0.13337053571428573	DOS executable (block device driver \377\3)	1.808915577448681	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x4e000	0x20e8	0x2200	f2a57235499cb8c84daf2de6f18a85eb	False	0.4756433823529412	data	5.330974160786823	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x51000	0x15c	0x200	32c20bb907888de565d4d8836d097016	False	0.392578125	data	2.795351059303424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0xf004	0xf200	1ab3512333bf10a0c6fc66b2cb2093a4	False	0.7950025826446281	data	7.356246179782812	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x62000	0x75c	0x800	b7279c82d58eeae8dc663879402c6f2e	False	0.54296875	data	5.238892234772638	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x52208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.56636460554371
RT_ICON	0x530b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7287906137184116
RT_ICON	0x53958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.7471098265895953
RT_ICON	0x53ec0	0x909b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9971636186822983
RT_ICON	0x5cf5c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.38309128630705397
RT_ICON	0x5f504	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4826454033771107
RT_ICON	0x605ac	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.699468085106383
RT_GROUP_ICON	0x60a14	0x68	data	0.7019230769230769
RT_MANIFEST	0x60a7c	0x587	XML 1.0 document, ASCII text, with CRLF line terminators	0.44593639575971733

Imports

DLL

Import

KERNEL32.dll

GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, WriteConsoleW, GetProcAddress, GetModuleFileNameW, SetDllDirectoryW, FreeLibrary, GetLastError, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW, GetCurrentDirectoryW, FlushFileBuffers, HeapReAlloc, GetFileAttributesExW, GetStringTypeW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, SetEndOfFile

ADVAPI32.dll

ConvertSidToStringSidW, GetTokenInformation, OpenProcessToken, ConvertStringSecurityDescriptorToSecurityDescriptorW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 13:17:54.690433979 CET	49551	53	192.168.2.4	1.1.1.1
Dec 18, 2024 13:17:55.363480091 CET	53	49551	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 13:17:54.690433979 CET	192.168.2.4	1.1.1.1	0xcd88	Standard query (0)	ssh.0523qyfw.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 13:17:55.363480091 CET	1.1.1.1	192.168.2.4	0xcd88	Name error (3)	ssh.0523qyfw.com	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	07:17:44
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\54Oa5PcvK1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\54Oa5PcvK1.exe"
Imagebase:	0x7ff788770000
File size:	23'470'644 bytes
MD5 hash:	7779F97C3A704491E0B217EF536D225A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:17:44
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:17:48
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\54Oa5PcvK1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\54Oa5PcvK1.exe"
Imagebase:	0x7ff788770000
File size:	23'470'644 bytes
MD5 hash:	7779F97C3A704491E0B217EF536D225A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:17:50
Start date:	18/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "ver"
Imagebase:	0x7ff683750000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Executed Functions

Function 00007FF788794EA0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF788794EE5

Part of subcall function 00007FF788794838: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78879484C

Part of subcall function 00007FF788789F78: RtlFreeHeap.NTDLL(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F8E
Part of subcall function 00007FF788789F78: GetLastError.KERNEL32(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F98

Part of subcall function 00007FF788789F30: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF788789F0F,?,?,?,?,?,00007FF788781A40), ref: 00007FF788789F39
Part of subcall function 00007FF788789F30: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF788789F0F,?,?,?,?,?,00007FF788781A40), ref: 00007FF788789F5E

_get_daylight.LIBCMT ref: 00007FF788794ED4

Part of subcall function 00007FF788794898: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7887948AC

_get_daylight.LIBCMT ref: 00007FF78879514A
_get_daylight.LIBCMT ref: 00007FF78879515B
_get_daylight.LIBCMT ref: 00007FF78879516C
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7887953AC), ref: 00007FF788795193

Strings

Eastern Standard Time, xrefs: 00007FF788795239
Eastern Summer Time, xrefs: 00007FF788795251

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: aa85b069b6fb92bd10a5b6d5be9144cf64bbc0ff06c8fbb0fdd7caf4b6a87e0b
Instruction ID: 06864b94738b1f235a632702068a5f04d127175c8542b00ffb86ee308194361a
Opcode Fuzzy Hash: aa85b069b6fb92bd10a5b6d5be9144cf64bbc0ff06c8fbb0fdd7caf4b6a87e0b
Instruction Fuzzy Hash: 27D1C122A9829286E724BFB5D8905B9E771FF4C784FE44136EA0D47686DF3CE441C368

Function 00007FF7887758E0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,00000000,?,00007FF7887758AD), ref: 00007FF78877597A
GetCurrentProcessId.KERNEL32(?,00007FF7887758AD), ref: 00007FF788775980

Part of subcall function 00007FF788775AF0: GetEnvironmentVariableW.KERNEL32(00007FF788772817,?,?,?,?,?,?), ref: 00007FF788775B2A
Part of subcall function 00007FF788775AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF788775B47

Part of subcall function 00007FF788786818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF788786831

SetEnvironmentVariableW.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF788775A31

Strings

TMP, xrefs: 00007FF788775918, 00007FF7887759D9, 00007FF788775A67
_MEI%d, xrefs: 00007FF788775988
LOADER: Failed to set the TMP environment variable., xrefs: 00007FF788775958
TMP, xrefs: 00007FF78877593E

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Environment$Variable$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 1556224225-1116378104
Opcode ID: c5f54b7bf307984578858df7ed726c29ecf57d9a1ab1fdaee90f5f6cb8ec536b
Instruction ID: 4a444f0c98d4d48383542149edb824feb81c59e29dd1cda1aa9ee3f85523f489
Opcode Fuzzy Hash: c5f54b7bf307984578858df7ed726c29ecf57d9a1ab1fdaee90f5f6cb8ec536b
Instruction Fuzzy Hash: 5A517E10F9D68340FE54B7A2A9552BAD2A17F9DBC0FE54031EC0E4BB96ED6CE501C328

Function 00007FF788795DEC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF788795B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF788795B61
Part of subcall function 00007FF788795B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF788795BDF
Part of subcall function 00007FF788795B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF788795C30

CreateFileW.KERNELBASE ref: 00007FF788795EF2
CreateFileW.KERNEL32 ref: 00007FF788795F42
GetLastError.KERNEL32 ref: 00007FF788795F72
GetFileType.KERNELBASE ref: 00007FF788795F87
GetLastError.KERNEL32 ref: 00007FF788795F91
CloseHandle.KERNEL32 ref: 00007FF788795FC4
CloseHandle.KERNEL32 ref: 00007FF788796127
CreateFileW.KERNEL32 ref: 00007FF78879615C
GetLastError.KERNEL32 ref: 00007FF78879616B

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 52a4378cdb78c32285671ba8c66096e739a338fe2dbd84037285ee5c330aca07
Instruction ID: 0a02657588f10ec07e75d1fe71a8dd0d2c3d11126ca9e83330320f104238c341
Opcode Fuzzy Hash: 52a4378cdb78c32285671ba8c66096e739a338fe2dbd84037285ee5c330aca07
Instruction Fuzzy Hash: 0DC1C232B68A4285EB10DFB8C8915ACB771FB48B98FA10325DA2E5B795DF3CE055C314

Function 00007FF78879511C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF78879514A

Part of subcall function 00007FF788794898: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7887948AC

_get_daylight.LIBCMT ref: 00007FF78879515B

Part of subcall function 00007FF788794838: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78879484C

_get_daylight.LIBCMT ref: 00007FF78879516C

Part of subcall function 00007FF788794868: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78879487C

Part of subcall function 00007FF788789F78: RtlFreeHeap.NTDLL(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F8E
Part of subcall function 00007FF788789F78: GetLastError.KERNEL32(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F98

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7887953AC), ref: 00007FF788795193

Strings

Eastern Standard Time, xrefs: 00007FF788795239
Eastern Summer Time, xrefs: 00007FF788795251

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 745ef94ea7204a2bfbd30c29007a49fe20bc82f24fe0203fc347e73c8b1ad169
Instruction ID: ce6f3861426675179223b125059aecda14246e08625bd5edf74d603a14e756fa
Opcode Fuzzy Hash: 745ef94ea7204a2bfbd30c29007a49fe20bc82f24fe0203fc347e73c8b1ad169
Instruction Fuzzy Hash: C0518B32A9868286E710FFB1E8805A9E771BB5C784FA04136EA4D43796DF3CE440C768

Function 00007FF7887769E0 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF788776A11
FindClose.KERNELBASE ref: 00007FF788776A20

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0b7e5a9930ef76a70c4e782aa580d8521c3892be20b9910ca6b4e20049941746
Instruction ID: de72908166326834bffdca93d8ac1ea6c82f6b8b905099260828ee1d3eeed29f
Opcode Fuzzy Hash: 0b7e5a9930ef76a70c4e782aa580d8521c3892be20b9910ca6b4e20049941746
Instruction Fuzzy Hash: E0F0F432A5968286F760AFA4E494767F370BB88324F944335D66D026D4DF3CE008CA14

Function 00007FF7887717B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fread_nolock.LIBCMT ref: 00007FF78877185C
_fread_nolock.LIBCMT ref: 00007FF78877190E

Part of subcall function 00007FF78877E6D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78877E6E4

Strings

Error on file., xrefs: 00007FF78877193D
Failed to seek to cookie position!, xrefs: 00007FF78877182F
malloc, xrefs: 00007FF7887718EA
Failed to read cookie!, xrefs: 00007FF788771867
Could not allocate buffer for TOC!, xrefs: 00007FF7887718E3
fread, xrefs: 00007FF78877186E
MEI, xrefs: 00007FF7887717EF
fseek, xrefs: 00007FF788771836
Could not read full TOC!, xrefs: 00007FF788771919
Cannot read Table of Contents., xrefs: 00007FF788771995

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _fread_nolock$_invalid_parameter_noinfo
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 3405171723-4158440160
Opcode ID: 3aa32319f753003def624376a898b4782dad60ffaa994bf44efa6d587232dc82
Instruction ID: eb7087569641941b5b3e19d6ed2dc5c073145162d75ce73e6e58eb6693eae9cc
Opcode Fuzzy Hash: 3aa32319f753003def624376a898b4782dad60ffaa994bf44efa6d587232dc82
Instruction Fuzzy Hash: 15517C72A4960286EB54FFA4D490278F3B0FB5CB58BA18135DA0D87399DF3CE441CB68

Function 00007FF788771440 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF788771559
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7887715E5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7887714F9
fwrite, xrefs: 00007FF7887715DC
malloc, xrefs: 00007FF788771560
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7887715D5
Failed to extract %s: failed to open target file!, xrefs: 00007FF78877148A
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7887714CA
fread, xrefs: 00007FF7887715EC
fopen, xrefs: 00007FF788771491
fseek, xrefs: 00007FF788771500

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 0-666925554
Opcode ID: acef7e076dfcd68a00e07062fece66cdd4ccfa26df71920dfac5e2982e43698f
Instruction ID: 1855476c67a55dd3937e9d22cd5a8be8b49de755e683e19bfd8f7f3a96632b78
Opcode Fuzzy Hash: acef7e076dfcd68a00e07062fece66cdd4ccfa26df71920dfac5e2982e43698f
Instruction Fuzzy Hash: 6751A761B8864281EA10FBA1A9406B9E3B0BF4ABD4FE44431DE1D87795EF3CE545C338

Function 00007FF788776A60 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000000,00007FF7887759BA,?,00007FF7887758AD), ref: 00007FF788776AA0
OpenProcessToken.ADVAPI32(?,00007FF7887758AD), ref: 00007FF788776AB1
GetTokenInformation.KERNELBASE(?,00007FF7887758AD(TokenIntegrityLevel)), ref: 00007FF788776AD3
GetLastError.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF788776ADD
GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel), ref: 00007FF788776B1A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF788776B2C
CloseHandle.KERNEL32(?,00007FF7887758AD), ref: 00007FF788776B44
LocalFree.KERNEL32(?,00007FF7887758AD), ref: 00007FF788776B76
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF788776B9D
CreateDirectoryW.KERNELBASE(?,00007FF7887758AD), ref: 00007FF788776BAE

Strings

S-1-3-4, xrefs: 00007FF788776B4F
D:(A;;FA;;;%s), xrefs: 00007FF788776B59

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: c79bcb34d9950482b5642b7e8b58aabf54e811d274faf88abeec3ee0803c085a
Instruction ID: ee80df555ee3b25f34cffd7df380571d715919db5325a7bc084b8b6ff0cc9a40
Opcode Fuzzy Hash: c79bcb34d9950482b5642b7e8b58aabf54e811d274faf88abeec3ee0803c085a
Instruction Fuzzy Hash: E941A63165C64282E710BFA5E8456AAF371FB89794FE00231EA5E476D8DF3CE408C714

Function 00007FF788776130 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF788776DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF788776DEA

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF788772B60,?,?,?,?,?,?), ref: 00007FF78877617F
GetStartupInfoW.KERNEL32 ref: 00007FF78877619E

Part of subcall function 00007FF7887892E4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7887892F8

Part of subcall function 00007FF78878705C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7887870C3

GetCommandLineW.KERNEL32 ref: 00007FF78877623E
CreateProcessW.KERNELBASE ref: 00007FF788776280
WaitForSingleObject.KERNEL32 ref: 00007FF788776294
GetExitCodeProcess.KERNELBASE ref: 00007FF7887762A4

Strings

CreateProcessW, xrefs: 00007FF7887762B7
Error creating child process!, xrefs: 00007FF7887762B0

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: d5693698e4819ce5d510509d5cda6c943b390b1bcdb6e918232fd1435297541c
Instruction ID: f599b94f4519b6d03e401a2790c35ba37adc728b3685c66de57a10705988ca84
Opcode Fuzzy Hash: d5693698e4819ce5d510509d5cda6c943b390b1bcdb6e918232fd1435297541c
Instruction Fuzzy Hash: C9411531A4878281DA20ABA4F9552AAF374FF99360FA00335E6AD47BD5DF7CD044CB54

Function 00007FF788771000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF788772CD0: GetModuleFileNameW.KERNEL32(?,00007FF7887727C9,?,?,?,?,?,?), ref: 00007FF788772D01

SetDllDirectoryW.KERNEL32 ref: 00007FF7887729D5

Part of subcall function 00007FF788775AF0: GetEnvironmentVariableW.KERNEL32(00007FF788772817,?,?,?,?,?,?), ref: 00007FF788775B2A
Part of subcall function 00007FF788775AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF788775B47

Strings

Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF7887728BE
_MEIPASS2, xrefs: 00007FF788772803, 00007FF78877286C, 00007FF788772B1B, 00007FF788772B2B
_PYI_ONEDIR_MODE, xrefs: 00007FF78877282C, 00007FF788772857
Cannot side-load external archive %s (code %d)!, xrefs: 00007FF78877295C
MEI, xrefs: 00007FF788772917
Failed to convert DLL search path!, xrefs: 00007FF7887729BD

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: d83bcef48ebb6a1968cbdadae4618be5d98dc17e925993e344ccd9eb13a7412d
Instruction ID: 3fbe6bd7377509fe40c208ccf1ed25806e4ac57aeab84a11bb45177a587d28da
Opcode Fuzzy Hash: d83bcef48ebb6a1968cbdadae4618be5d98dc17e925993e344ccd9eb13a7412d
Instruction Fuzzy Hash: C9C19621AAC68341FA24BBA195502FDD3B1FF5C784FE44031EA5E4769AEF2CE505C728

Function 00007FF788771050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF78877111F
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7887710B4
malloc, xrefs: 00007FF7887710F8, 00007FF788771126
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF788771249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7887710F1
1.2.13, xrefs: 00007FF78877107E

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 0-1655038675
Opcode ID: 4fb0c1d5e84974c8ab8d407b7d1509341cb32bb3acb76aca408933e30b33f1ca
Instruction ID: 72f63e3cbf160c4b51c14696116fa26c1c6972fe8ef93c15f182e0a28c65607e
Opcode Fuzzy Hash: 4fb0c1d5e84974c8ab8d407b7d1509341cb32bb3acb76aca408933e30b33f1ca
Instruction Fuzzy Hash: 2351C422B8964281EA60FB91D8403B9E2B1FB89794FE44131DD4DC7795EF3CE545C728

Function 00007FF78878DF30 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF78878E2CA,?,?,-00000018,00007FF78878A383,?,?,?,00007FF78878A27A,?,?,?,00007FF7887854E2), ref: 00007FF78878E0AC
GetProcAddress.KERNEL32(?,00000000,?,00007FF78878E2CA,?,?,-00000018,00007FF78878A383,?,?,?,00007FF78878A27A,?,?,?,00007FF7887854E2), ref: 00007FF78878E0B8

Strings

api-ms-, xrefs: 00007FF78878DFF6
ext-ms-, xrefs: 00007FF78878E009

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 5d4014bca18f9f9ee9ee76f308e7221266f6712ab36b1d3e30b229e2872ef72f
Instruction ID: def85f34f1569cf54f57e9704a062d9b221cb8462026d10972336e748f34f483
Opcode Fuzzy Hash: 5d4014bca18f9f9ee9ee76f308e7221266f6712ab36b1d3e30b229e2872ef72f
Instruction Fuzzy Hash: 2A410622B5A60241FA11AB969900575E3B1BF0CB90FB84535DD2D87784EF3DE445C32C

Function 00007FF78878B08C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78878B4B9

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5e2fa04a27a554ad5a06cbbe01d601b05b68f3aeb2922c25288f770f6f319bba
Instruction ID: 26727775064b3454a86e1a6692d31858b7b64182a9cf4bfc5a2243ec0df0a342
Opcode Fuzzy Hash: 5e2fa04a27a554ad5a06cbbe01d601b05b68f3aeb2922c25288f770f6f319bba
Instruction Fuzzy Hash: 46C1E422A8C68A91E720AB9194412BDF771FB89B80FE54135DB5D07791CE7CE849C32C

Function 00007FF78878C590 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF78878C57B), ref: 00007FF78878C6AC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF78878C57B), ref: 00007FF78878C737

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 1ee269c4fb3492fdab786e16ea0be33da994e1b3a3006f3c14cd8905a42bf150
Instruction ID: b7c63c867f519763324ee69e5fb5e301f308c2d8ef9c5d930bb629a3fe96844c
Opcode Fuzzy Hash: 1ee269c4fb3492fdab786e16ea0be33da994e1b3a3006f3c14cd8905a42bf150
Instruction Fuzzy Hash: B891A632F5865285F790AFA5948027DEBB0BB98B88FA44139DE0E57A84DF3CD441C72C

Function 00007FF78878E95C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF78878EA4C
_get_daylight.LIBCMT ref: 00007FF78878EA5D
_get_daylight.LIBCMT ref: 00007FF78878EA6E
_isindst.LIBCMT ref: 00007FF78878EB39

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 993f4cb53d01987759aa9ab87d439edc94425a62c6450610c4994d1423bcdf7f
Instruction ID: b54488ba40f4a0db6ba43926e2abd0ed5ce2c76352051eb2e46cec664e08b529
Opcode Fuzzy Hash: 993f4cb53d01987759aa9ab87d439edc94425a62c6450610c4994d1423bcdf7f
Instruction Fuzzy Hash: B151F673F442118AEB14EFA49D85ABCEB71BB0835CFA40135DD1E56AE5DB38A442C718

Function 00007FF78878483C Relevance: 6.1, APIs: 4, Instructions: 119
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 00007FF78878486F
GetFileInformationByHandle.KERNELBASE ref: 00007FF7887848D1
GetLastError.KERNEL32 ref: 00007FF788784962
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF788784774), ref: 00007FF7887849AE

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 81de7022a69b47ce39b5392d1784fece2718e2d2aab2765227a8e407644b98c7
Instruction ID: f928715efbf7e48fbf7cc5a126852401b7f05119d5e913e2e6cf2fcbc0ca36e9
Opcode Fuzzy Hash: 81de7022a69b47ce39b5392d1784fece2718e2d2aab2765227a8e407644b98c7
Instruction Fuzzy Hash: 9B518D22A886418AFB20EFB094513BDE3B1BB58B58FA08035DE4967789DF78D441C368

Function 00007FF7887846E8 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF788784715
CreateFileW.KERNELBASE ref: 00007FF788784754
CloseHandle.KERNEL32 ref: 00007FF788784789

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 58b178a13046118a9aa3eab3ad0445e857bf873c1952e3e12f7b4cc56e3b75ff
Instruction ID: f8fb023072568e62fb031e8cf524a16fa3327dc9f5c740ee1d531b3221e4c5e8
Opcode Fuzzy Hash: 58b178a13046118a9aa3eab3ad0445e857bf873c1952e3e12f7b4cc56e3b75ff
Instruction Fuzzy Hash: 2841B622D9878183E750ABA09510379F770FB99764F649334E69C03BD5EFACA5A0C728

Function 00007FF78877A51C Relevance: 4.6, APIs: 3, Instructions: 102COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF78877A530

Part of subcall function 00007FF78877A6FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF78877A71E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF78877A545
__scrt_release_startup_lock.LIBCMT ref: 00007FF78877A5B3

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: 0a8c62a57e2cf59f1561fe537eeb51f2220189f8d74725526a3d26dbeb988a7e
Instruction ID: 9e0de20663d8b4324d398863b5fc90575a000ea3b82c281c8ba5a319650bc2c0
Opcode Fuzzy Hash: 0a8c62a57e2cf59f1561fe537eeb51f2220189f8d74725526a3d26dbeb988a7e
Instruction Fuzzy Hash: E1313C21E8924242FA54BBE0D6513B9E3B1BF8E784FE44435EA0D472D7DE2CA445C379

Function 00007FF7887889E8 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7887889E4), ref: 00007FF7887889F9
TerminateProcess.KERNEL32(?,?,?,00007FF7887889E4), ref: 00007FF788788A04
ExitProcess.KERNEL32 ref: 00007FF788788A13

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fc68bfbf785dc4e8d02d30f22ac316467e06faf73d836825e3014864920bd8dd
Instruction ID: 925d2a3eadc9e996c686945ac83f632618590ea34410132571c66880520bba06
Opcode Fuzzy Hash: fc68bfbf785dc4e8d02d30f22ac316467e06faf73d836825e3014864920bd8dd
Instruction Fuzzy Hash: 64D06714B8964286FA643BB05D95179D2717F8C711BA41438CC5B06393DD3DA44DD26D

Function 00007FF78877E6FC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78877E740
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78877E837

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a3600ff4682811ddeb36fb761298261c2e9791cf1ca8f4758584451e9995ac85
Instruction ID: dfc1145205c0d3efeafa65c0b869f4eea2ea31214b54c46dc0fc40625f13a773
Opcode Fuzzy Hash: a3600ff4682811ddeb36fb761298261c2e9791cf1ca8f4758584451e9995ac85
Instruction Fuzzy Hash: 1151E623B4924146F768BAE5940067AE2A1BF49FA4FA84634DE7C077C5CE3CE401C769

Function 00007FF78878BA48 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF78878BAC1
GetFileType.KERNELBASE ref: 00007FF78878BAD7

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 51d66a3ea3a1e5720d3031fa8d01ef1f6d3b4a26eee4bfd04239a76c9c1293a5
Instruction ID: 158d691e6c616d5f9248dc9c28a949691d4b33f1558042d21019253e4d6b090d
Opcode Fuzzy Hash: 51d66a3ea3a1e5720d3031fa8d01ef1f6d3b4a26eee4bfd04239a76c9c1293a5
Instruction Fuzzy Hash: D831D622A58B4A81D7209B548590178EA70FB4DBB4FB81339DB6E073E4CF38E491D31D

Function 00007FF78878B764 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF78878B750,00000000,?,?,?,00007FF788771023,00007FF78878B859), ref: 00007FF78878B7B0
GetLastError.KERNEL32(?,?,?,?,?,00007FF78878B750,00000000,?,?,?,00007FF788771023,00007FF78878B859), ref: 00007FF78878B7BA

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7196098b30ecd42809471233c9619b7315c9fb41ce716e28bdee8d0b35162eb6
Instruction ID: a9f8659f0e787c087dc2e20c81c8ceeadc5d9c5092f520e59c2cb0c1d06f9ce4
Opcode Fuzzy Hash: 7196098b30ecd42809471233c9619b7315c9fb41ce716e28bdee8d0b35162eb6
Instruction Fuzzy Hash: A111C161618B8281DA10AB76A904169E371BB88BF4FA84332EE7D4B7D9CE3CD054C708

Function 00007FF7887849E4 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7887848F9), ref: 00007FF788784A17
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7887848F9), ref: 00007FF788784A2D

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 5359c6eadbc125880de5eb3a516e79e0ad43a75e61374d6be107f92d83a7530b
Instruction ID: 6ed29d5f192712568142e5ad2e7a1abd621d8f948be6302eafdeabe3b60ceada
Opcode Fuzzy Hash: 5359c6eadbc125880de5eb3a516e79e0ad43a75e61374d6be107f92d83a7530b
Instruction Fuzzy Hash: 7811E33268C64281EB20AB50A40103BF7B0FB887A0FB00235F6AD85AD8EF6CD054DB1C

Function 00007FF788786AE8 Relevance: 3.0, APIs: 2, Instructions: 35timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF788786965), ref: 00007FF788786B0B
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF788786965), ref: 00007FF788786B21

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 4979fb33e8de5b56483d857dcf3248564858e1df126649fde4a887e8262e5eb8
Instruction ID: c5f9ed1ad139bb660843bb13adab425f0de70c2457ae791fb2cf863f4af5a88f
Opcode Fuzzy Hash: 4979fb33e8de5b56483d857dcf3248564858e1df126649fde4a887e8262e5eb8
Instruction Fuzzy Hash: AE01A13254C65186E750AB54E40523AFBB0FB89729FB00235F6B9019D4DF3DE050DB28

Function 00007FF788789F78 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F8E
GetLastError.KERNEL32(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F98

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 38b70030576bf13f94cd83556ee530387765cecd0e7570bb2763cadcf4087263
Instruction ID: 8181e60e0374375873ffe33025ade153b242f0b9af9f3c12eaa6a1530f8fab34
Opcode Fuzzy Hash: 38b70030576bf13f94cd83556ee530387765cecd0e7570bb2763cadcf4087263
Instruction Fuzzy Hash: 1FE0BF50E8E54242FE187BF25945578D1717F9C740BA45034D91D56251EE2CA889C67C

Function 00007FF7887870D4 Relevance: 3.0, APIs: 2, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00007FF7887870D8
GetLastError.KERNEL32 ref: 00007FF7887870E2

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: d9df61864aacf0c38aa57b7a7eccc268b2766f97fd3960567bd6780660c5006e
Instruction ID: 6efbc4b083ec1f10ea86a289355e470bde61487932f9e02a0ca65721cedfc646
Opcode Fuzzy Hash: d9df61864aacf0c38aa57b7a7eccc268b2766f97fd3960567bd6780660c5006e
Instruction Fuzzy Hash: 33D0C910E9D50381E61437F51D86479D5B03F4D760FF00674D43A802D0EE1CA0C9812D

Function 00007FF788786850 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNELBASE(?,?,?,?,?), ref: 00007FF788786854
GetLastError.KERNEL32(?,?,?,?,?), ref: 00007FF78878685E

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: f10b0acbf04ce372ff2bba8e22346aa2cd94a9581c077f1b6ddec38c1268e9e8
Instruction ID: ad4d3fc6629063558ce31723a6b14e01834540bfaa0450a0ceaa252dc9185177
Opcode Fuzzy Hash: f10b0acbf04ce372ff2bba8e22346aa2cd94a9581c077f1b6ddec38c1268e9e8
Instruction Fuzzy Hash: EDD0CA10E9E50382EA1837F61D8A478D4B03F8C720FF00634C43E812E0FE2CA4C9822D

Function 00007FF78878A188 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF78878A005,?,?,00000000,00007FF78878A0BA), ref: 00007FF78878A1F6
GetLastError.KERNEL32(?,?,?,00007FF78878A005,?,?,00000000,00007FF78878A0BA), ref: 00007FF78878A200

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 6fe57093fbbb00cdf8389479e1e18e52ea82cce6ea34632ee61e1d7ac301845a
Instruction ID: cda6a7429926099457180346f8c0caeba85ce1ff2c8733b2bea62d1816014225
Opcode Fuzzy Hash: 6fe57093fbbb00cdf8389479e1e18e52ea82cce6ea34632ee61e1d7ac301845a
Instruction Fuzzy Hash: C421C210F5864241FA6077E19A94279E2B1BF8C7A4FA44234DE2E473C5DE6CA444C32E

Function 00007FF788775DF0 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF788776DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF788776DEA

_findclose.LIBCMT ref: 00007FF788776049

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharMultiWide_findclose
String ID:
API String ID: 2772937645-0
Opcode ID: 181f2765e85eb4e7ebd6c50f12fb6341e80b998725aa5779b2beb13a577095ea
Instruction ID: 36ab663c414ea506646df2e57bd3301ea96eb8d786dce83a1de1184e3ce99bc9
Opcode Fuzzy Hash: 181f2765e85eb4e7ebd6c50f12fb6341e80b998725aa5779b2beb13a577095ea
Instruction Fuzzy Hash: 4771A152E18AC581E611EB2CC5052FDB370F7A9B4CFA4E325DB9C12596EF28E2D9C304

Function 00007FF78878B4DC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78878B504

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3cb10c43647639a768565940e1ce5c449de1869fbc1a92892aa118bde093882e
Instruction ID: 117d0353dbd16151432f47124aaf57a6f8959f1fea7a12b5e585d3a817b58e69
Opcode Fuzzy Hash: 3cb10c43647639a768565940e1ce5c449de1869fbc1a92892aa118bde093882e
Instruction Fuzzy Hash: A141B032A4824587EA24EB99E550279F3B0FB5AB40FB41131D78E836D5DF2CE402C76D

Function 00007FF788776360 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF78877640A

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 55dd1c4a42a8cd9ba37efdbaa529a5d7591506b4685dbca8f65d782d7b6cfa4d
Instruction ID: 4328651a35dcf3decaf87fe8556f29969863b88e3b72b76e7a3cb7446935a1bc
Opcode Fuzzy Hash: 55dd1c4a42a8cd9ba37efdbaa529a5d7591506b4685dbca8f65d782d7b6cfa4d
Instruction Fuzzy Hash: B4216221B8869245EA14BB9269043BAE661BF49FD8FD84430EE0D0778ADF7CF145C618

Function 00007FF78878AF6C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78878AFF2

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ff4bd6b019ced27284b6fa2760217448de45b7808968d4935831090a049e7df0
Instruction ID: 5d71915011892b49899071b47912a346a48028abe41f322ca66005d63fac2759
Opcode Fuzzy Hash: ff4bd6b019ced27284b6fa2760217448de45b7808968d4935831090a049e7df0
Instruction Fuzzy Hash: B7319E62A5860286E711BB95884437CE670BB88BA4FE10135EA3D073D2DE7CF846D73D

Function 00007FF788788919 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF788788947

Part of subcall function 00007FF788788A40: GetModuleHandleExW.KERNEL32 ref: 00007FF788788A65
Part of subcall function 00007FF788788A40: GetProcAddress.KERNEL32 ref: 00007FF788788A7B
Part of subcall function 00007FF788788A40: FreeLibrary.KERNEL32 ref: 00007FF788788AA2

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 7474e071a48ef7130f5acd4d7b35ddfbaeb0d66e7037ac086cf5d56d8c80b409
Instruction ID: 5a9f789c34a5fc9546f0c24aee733b121b64a2f75f7e1dad1a8328d64e94a360
Opcode Fuzzy Hash: 7474e071a48ef7130f5acd4d7b35ddfbaeb0d66e7037ac086cf5d56d8c80b409
Instruction Fuzzy Hash: 3E21AE72A44702CAFB24AFA4C4402FCB3B0FB18318FA81636D65D06AC5DF38D484C7A9

Function 00007FF788785538 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78878549D

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction ID: 533fb270f6bbf8043efffe64a09a28e0a2d45165a0f1e528c06f491b29a3a0d9
Opcode Fuzzy Hash: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction Fuzzy Hash: 77118121A5C68181EB61BF91940067DE2B0BF89B80FE44431EA8C57A86CF7DE841D76C

Function 00007FF7887957DC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7887957FF

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e860bb9bc84c29a06dccfc010b7eb52daf61d2c250f48aeb7393b4a8ace16f10
Instruction ID: ed22d38186ef2b1748799f127303453be0194e266f77866bef4aac82fe7c0f66
Opcode Fuzzy Hash: e860bb9bc84c29a06dccfc010b7eb52daf61d2c250f48aeb7393b4a8ace16f10
Instruction Fuzzy Hash: 9F219532A18A8187DB61AF68D880779F6B0FB88B54FA44234EA6D476D5DF3CD401CB14

Function 00007FF78877E97C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78877E9D0

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction ID: ecebca251f9b4d81c0372b97f25670e93856484d79739193c72677e71f8d6b8d
Opcode Fuzzy Hash: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction Fuzzy Hash: C701C422A8875141EA44FBD29900179F6B5BF9AFE0FA84631DE6C17BD6CE3CE411C718

Function 00007FF788776490 Relevance: 1.3, APIs: 1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: DirectoryErrorLastRemove
String ID:
API String ID: 377330604-0
Opcode ID: 084d7b594bcd28fb49fbeb931c26155fa6ca1cda91761dc2622677426efca5d5
Instruction ID: 88826c696f7d974e373e6ff63da0d29c6dc7c8b57e764560562a36ddf8ec9826
Opcode Fuzzy Hash: 084d7b594bcd28fb49fbeb931c26155fa6ca1cda91761dc2622677426efca5d5
Instruction Fuzzy Hash: EB418416D587C181EA51FB6495412BCE370FBA8744FA4A332DB8D4219BEF28F2D8C324

Function 00007FF78878DEB8 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF78878AA16,?,?,?,00007FF788789BD3,?,?,00000000,00007FF788789E6E), ref: 00007FF78878DF0D

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 69550027ed8e3bf035e7bef6798a6f7658c1153be72ca181ca789a5114add420
Instruction ID: fc645b730fe34994f66bba238299955edb4ee4519e712605822a38250d1f6484
Opcode Fuzzy Hash: 69550027ed8e3bf035e7bef6798a6f7658c1153be72ca181ca789a5114add420
Instruction Fuzzy Hash: 61F04940B8A20341FE597BE259502B4D6B17F9CB40FEC4430C91E87AD2EE2CE482D23C

Function 00007FF78878CC2C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF78877F1E4,?,?,?,00007FF7887806F6,?,?,?,?,?,00007FF78878275D), ref: 00007FF78878CC6A

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: b827a7ab023d1767f95784f6f7fefaf86c66ee15463514ccfd07e797832e7771
Instruction ID: a75b05323a084f7774ed1fef1a3ecc0b89d4364ff10573a73ba577075b87c034
Opcode Fuzzy Hash: b827a7ab023d1767f95784f6f7fefaf86c66ee15463514ccfd07e797832e7771
Instruction Fuzzy Hash: 5BF05E10B9A24640FEA976F15941675D1A1BFCD7A0FA80234D93E852D1DD2CA480D23C

Non-executed Functions

Function 00007FF788772F20 Relevance: 291.0, APIs: 55, Strings: 111, Instructions: 457libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788772F36
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788772F75
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788772F9A
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788772FBF
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788772FE7
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF78877300F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788773037
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF78877305F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788773087

Strings

PyUnicode_DecodeFSDefault, xrefs: 00007FF78877373D
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF788773579
Failed to get address for Py_UnbufferedStdioFlag, xrefs: 00007FF788773099
Failed to get address for PyObject_CallFunction, xrefs: 00007FF788773489
PySys_SetPath, xrefs: 00007FF7887735FD
Failed to get address for Py_SetPath, xrefs: 00007FF7887731B9
Py_SetProgramName, xrefs: 00007FF7887731ED
Failed to get address for Py_DecRef, xrefs: 00007FF788773119
Failed to get address for PyUnicode_Decode, xrefs: 00007FF788773731
PySys_SetArgvEx, xrefs: 00007FF788773585
Py_DontWriteBytecodeFlag, xrefs: 00007FF788772F2F
PyUnicode_FromString, xrefs: 00007FF788773675
Failed to get address for PyMem_RawFree, xrefs: 00007FF7887736E1
PySys_GetObject, xrefs: 00007FF7887735AD
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF788772F48
Py_GetPath, xrefs: 00007FF7887731C5
Failed to get address for PyErr_Print, xrefs: 00007FF7887732D1
PyMem_RawFree, xrefs: 00007FF7887736C5
Failed to get address for Py_BuildValue, xrefs: 00007FF7887730F1
Failed to get address for PyLong_AsLong, xrefs: 00007FF788773439
PyObject_SetAttrString, xrefs: 00007FF7887734BD
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF7887735A1
PyUnicode_Replace, xrefs: 00007FF7887737B5
PyImport_ImportModule, xrefs: 00007FF7887733A5
PyMarshal_ReadObjectFromString, xrefs: 00007FF78877364D
Py_VerboseFlag, xrefs: 00007FF788773055
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF788773021
PyEval_EvalCode, xrefs: 00007FF788773625
Py_Initialize, xrefs: 00007FF788773175
Py_DecRef, xrefs: 00007FF7887730FD
Failed to get address for Py_Initialize, xrefs: 00007FF788773191
Py_IgnoreEnvironmentFlag, xrefs: 00007FF788772FB5
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF788773669
Failed to get address for Py_Finalize, xrefs: 00007FF788773141
Py_SetPath, xrefs: 00007FF78877319D
PyDict_GetItemString, xrefs: 00007FF78877323D
PyUnicode_Decode, xrefs: 00007FF788773715
Failed to get address for PyImport_ImportModule, xrefs: 00007FF7887733C1
Py_UTF8Mode, xrefs: 00007FF7887730AD
Failed to get address for PyUnicode_FromString, xrefs: 00007FF788773691
Failed to get address for Py_SetProgramName, xrefs: 00007FF788773209
Py_UnbufferedStdioFlag, xrefs: 00007FF78877307D
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF7887734B1
Py_IncRef, xrefs: 00007FF78877314D
Failed to get address for PyErr_Occurred, xrefs: 00007FF7887732A9
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF788773501
Failed to get address for PySys_SetObject, xrefs: 00007FF7887735F1
Failed to get address for PyEval_EvalCode, xrefs: 00007FF788773641
PyObject_CallFunction, xrefs: 00007FF78877346D
PyErr_Restore, xrefs: 00007FF788773305
PyObject_CallFunctionObjArgs, xrefs: 00007FF788773495
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF788773759
Failed to get address for PySys_SetPath, xrefs: 00007FF788773619
PyObject_GetAttrString, xrefs: 00007FF7887734E5
PyUnicode_Join, xrefs: 00007FF78877378D
PySys_SetObject, xrefs: 00007FF7887735D5
Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF788772F87
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF788773049
PyErr_NormalizeException, xrefs: 00007FF78877332D
Failed to get address for Py_FrozenFlag, xrefs: 00007FF788772FAC
Failed to get address for PyUnicode_Replace, xrefs: 00007FF7887737D1
GetProcAddress, xrefs: 00007FF788772F4F
Failed to get address for PySys_GetObject, xrefs: 00007FF7887735C9
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF788773709
PyUnicode_FromFormat, xrefs: 00007FF7887736ED
Py_BuildValue, xrefs: 00007FF7887730D5
PyErr_Clear, xrefs: 00007FF788773265
Failed to get address for Py_DecodeLocale, xrefs: 00007FF7887736B9
Failed to get address for PyErr_Restore, xrefs: 00007FF788773321
Failed to get address for PyDict_GetItemString, xrefs: 00007FF788773259
PyObject_Str, xrefs: 00007FF78877350D
PyErr_Print, xrefs: 00007FF7887732B5
Py_SetPythonHome, xrefs: 00007FF788773215
PyList_New, xrefs: 00007FF7887733F5
PyRun_SimpleStringFlags, xrefs: 00007FF788773535
PySys_AddWarnOption, xrefs: 00007FF78877355D
PyErr_Occurred, xrefs: 00007FF78877328D
PyLong_AsLong, xrefs: 00007FF78877341D
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF788773781
PyModule_GetDict, xrefs: 00007FF788773445
PyImport_AddModule, xrefs: 00007FF788773355
Failed to get address for PyErr_Clear, xrefs: 00007FF788773281
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF788772FF9
Failed to get address for PyUnicode_Join, xrefs: 00007FF7887737A9
Failed to get address for Py_GetPath, xrefs: 00007FF7887731E1
Failed to get address for PyModule_GetDict, xrefs: 00007FF788773461
Failed to get address for Py_SetPythonHome, xrefs: 00007FF788773231
Py_NoUserSiteDirectory, xrefs: 00007FF788773005
Py_NoSiteFlag, xrefs: 00007FF788772FDD
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF788773399
Py_OptimizeFlag, xrefs: 00007FF78877302D
Failed to get address for Py_UTF8Mode, xrefs: 00007FF7887730C9
Failed to get address for PyObject_Str, xrefs: 00007FF788773529
Py_FileSystemDefaultEncoding, xrefs: 00007FF788772F6B
Failed to get address for PyList_Append, xrefs: 00007FF7887733E9
Failed to get address for PyErr_Fetch, xrefs: 00007FF7887732F9
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF788772FD1
Failed to get address for PyList_New, xrefs: 00007FF788773411
Py_Finalize, xrefs: 00007FF788773125
Py_DecodeLocale, xrefs: 00007FF78877369D
Py_FrozenFlag, xrefs: 00007FF788772F90
PyErr_Fetch, xrefs: 00007FF7887732DD
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF788773349
Failed to get address for Py_VerboseFlag, xrefs: 00007FF788773071
PyList_Append, xrefs: 00007FF7887733CD
Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF788773551
Failed to get address for PyImport_AddModule, xrefs: 00007FF788773371
PyImport_ExecCodeModule, xrefs: 00007FF78877337D
PyUnicode_AsUTF8, xrefs: 00007FF788773765
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF7887734D9
Failed to get address for Py_IncRef, xrefs: 00007FF788773169

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
API String ID: 190572456-3109299426
Opcode ID: 3d8788b48c699204fb620db4b6681a167f3e5177f9efbc96361098fa63709e71
Instruction ID: 913835995822e15adc95e55c424f9de91654b743c29c1e3c0a81f3e6e31da0bb
Opcode Fuzzy Hash: 3d8788b48c699204fb620db4b6681a167f3e5177f9efbc96361098fa63709e71
Instruction Fuzzy Hash: 18429264A8EB0391EA15FBA9AD50174E2B1BF0C790BF45175C81E063A8FF7CE548D328

Function 00007FF78879324C Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF78879329A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF788793906
_invalid_parameter_noinfo.LIBCMT ref: 00007FF788793A7C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF788793D3A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF788793F5A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF788794197
memcpy_s.LIBCPMT ref: 00007FF788794272
memcpy_s.LIBCPMT ref: 00007FF78879431D
memcpy_s.LIBCPMT ref: 00007FF7887943EC

Strings

1#IND, xrefs: 00007FF788793387
1#QNAN, xrefs: 00007FF7887933B3
1#INF, xrefs: 00007FF7887933C3
1#SNAN, xrefs: 00007FF7887933AA

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 94a7ddbc9dfde8fb095d9bbce1265888f255539b2e0e0fd568165e141f3b5970
Instruction ID: ca2bcbfd6393730e3ec29e3eec3c828516d594f39a8341542d7c560fc139e1a0
Opcode Fuzzy Hash: 94a7ddbc9dfde8fb095d9bbce1265888f255539b2e0e0fd568165e141f3b5970
Instruction Fuzzy Hash: 80B2D472A582828BE764DEB4D8407FDF7B1FB58388FA06135DA1D57A84DB3CA900CB54

Function 00007FF788776670 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(WideCharToMultiByte,00007FF788771CE4,?,?,00000000,00007FF788776904), ref: 00007FF788776697
FormatMessageW.KERNEL32 ref: 00007FF7887766C6
WideCharToMultiByte.KERNEL32 ref: 00007FF78877671C

Part of subcall function 00007FF788771CB0: GetLastError.KERNEL32(?,?,00000000,00007FF788776904,?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF788771CD7

Strings

PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF788776739
PyInstaller: FormatMessageW failed., xrefs: 00007FF7887766E3
Failed to encode wchar_t as UTF-8., xrefs: 00007FF788776726
No error messages generated., xrefs: 00007FF7887766D0
WideCharToMultiByte, xrefs: 00007FF788776670, 00007FF78877672D
FormatMessageW, xrefs: 00007FF7887766D7

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ErrorLast$ByteCharFormatMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2383786077-2573406579
Opcode ID: ee4750cad08e904e569e44cd6da303e01fcfffc44399732fd87d74f29f2688a4
Instruction ID: 5a3c580bd022a9cb0aa229dc47822488d61b71263ee1cb79edd71fa83302ddba
Opcode Fuzzy Hash: ee4750cad08e904e569e44cd6da303e01fcfffc44399732fd87d74f29f2688a4
Instruction Fuzzy Hash: 8121A471A48A4281FB60BBA4EC54376E775FB8D384FE40034D54D826A8EF3CE104C728

Function 00007FF78877AA2C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF78877AA48
RtlCaptureContext.KERNEL32 ref: 00007FF78877AA75
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF78877AA8F
RtlVirtualUnwind.KERNEL32 ref: 00007FF78877AAD0
IsDebuggerPresent.KERNEL32 ref: 00007FF78877AB24
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF78877AB45
UnhandledExceptionFilter.KERNEL32 ref: 00007FF78877AB50

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 414c3b7d1a52ef3ba5408d69683659119c26abb58edcf35ad0cee906abb0d3fb
Instruction ID: 24137f0c12913dfae8f2e654578cd7ce623fcbacafce13cbb3867e3601e403e8
Opcode Fuzzy Hash: 414c3b7d1a52ef3ba5408d69683659119c26abb58edcf35ad0cee906abb0d3fb
Instruction Fuzzy Hash: 01315072659A8186EB60AFA0E9403EDF371FB88744F94403ADA4D47A98EF3CD548C724

Function 00007FF788789C44 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF788789CBD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF788789CD5
RtlVirtualUnwind.KERNEL32 ref: 00007FF788789D10
IsDebuggerPresent.KERNEL32 ref: 00007FF788789D49
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF788789D53
UnhandledExceptionFilter.KERNEL32 ref: 00007FF788789D5E

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5dfb057c3f1a11160ff10646ccc1b52b02cf652cbed9a545e94d4dbf2c44da7d
Instruction ID: e62e7179dd978e457198ef22bfb4e103cfa90b64f920cd892a8822e1a8c08712
Opcode Fuzzy Hash: 5dfb057c3f1a11160ff10646ccc1b52b02cf652cbed9a545e94d4dbf2c44da7d
Instruction Fuzzy Hash: AD315032658B8186E760EB65E8402AEF3B0FB88754FA00135EA9D43B95DF3CC555CB14

Function 00007FF788790A34 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF788790A80
FindFirstFileExW.KERNEL32 ref: 00007FF788790B8A

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ced153bd746da3696451066ca553fc750e98195ae426049d21287c39b66479d4
Instruction ID: d1b8fb5d2b7e7486f4ecc551450bc512768da6211d1d00cfaa1358c09b7a25df
Opcode Fuzzy Hash: ced153bd746da3696451066ca553fc750e98195ae426049d21287c39b66479d4
Instruction Fuzzy Hash: BAB1C822B6869241EA60ABB59C006B9E371FF49BE4FA44131ED5E07BC5DE3CE441C728

Function 00007FF788792DB0 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF788792E16
memcpy_s.LIBCPMT ref: 00007FF788792E41

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 068391a4f1d2259a87090af710bc62eb9079f646fe3a7339ae53fadfd6cb78cd
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: 00C12772B5868687E724DFB9A44466AF7A1F788B84F909134DB5E43744DB3DE801CB04

Function 00007FF788798BE8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF788798E37
RaiseException.KERNEL32 ref: 00007FF788798E48

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: ce95b3d84f14f29cd4e01f3d624d654ffebb0793079cdf733c9da6505e2ad06c
Instruction ID: 4a98c513b0288ee62fe491f6754d7b3433f8e71a2b8c44375019c04de06d9129
Opcode Fuzzy Hash: ce95b3d84f14f29cd4e01f3d624d654ffebb0793079cdf733c9da6505e2ad06c
Instruction Fuzzy Hash: 62B14B73604B898AEB25DF29C846368BBB0F748B48F688921DB5D83BA4CB3DD451C714

Function 00007FF788782A18 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF788782B86
, xrefs: 00007FF788782DC8

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 12f3629fc0db3b94ce06ee7fe38b00bcc3d57b8cb20d1c91e47922b02d0d68b8
Instruction ID: 4ed0fc3398c80c5cfc50202f304af61494b4f9834bb3ac6c7369845eafdad803
Opcode Fuzzy Hash: 12f3629fc0db3b94ce06ee7fe38b00bcc3d57b8cb20d1c91e47922b02d0d68b8
Instruction Fuzzy Hash: 32E1C53296964686EB68AE658150139F7B0FF4DB4BFB44135CE0E076A4DF39E841C72C

Function 00007FF78878D1F8 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF78878D305
gfff, xrefs: 00007FF78878D382

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: 7f3e0c3824b7b5cf876389fd48d0d53d421d0873473af5a4edca9f3cc5d4c2f0
Instruction ID: c5646ef2243ddcf3d327e5e60b84efaa4a16dfef770b26941139cd9e318ca756
Opcode Fuzzy Hash: 7f3e0c3824b7b5cf876389fd48d0d53d421d0873473af5a4edca9f3cc5d4c2f0
Instruction Fuzzy Hash: 26516922B186C186E7259EB5980176DFBA1F748B94F988231CB9C47ED6CF7DD440C718

Function 00007FF78878FA88 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 5009b892dd91bf519e8c559ea5e1b5aef6c23d832387be5e86a00ec78a3f8015
Instruction ID: 9779948414b76436afe84e030d2e1c7c8f4c8e8b92715646cc2c5deeab625d8d
Opcode Fuzzy Hash: 5009b892dd91bf519e8c559ea5e1b5aef6c23d832387be5e86a00ec78a3f8015
Instruction Fuzzy Hash: 6C02DF21A9D64281FA54BBA19850279E6B0BF5DB90FF48635ED6D463D2DE3CE801C33C

Function 00007FF78878CD64 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF78878D0A6

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 7cb6c3f32e91a926ccbf64ab8ba01f2a38c928c6639247976dccb01524fe6e1b
Instruction ID: ea08b25596d62509613ef161a862dfdcc4cf9db4bce4f8fc6dd7dd8a40c22020
Opcode Fuzzy Hash: 7cb6c3f32e91a926ccbf64ab8ba01f2a38c928c6639247976dccb01524fe6e1b
Instruction Fuzzy Hash: 94A15763B087CA46EB61DB65A0107A9FBA0FB98B84F648132DE4D47786DA3DD402C719

Function 00007FF7887870FC Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF78878711B

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 19d64b0ab773cbfbd487bca6893bb747c2215c781c74349dcac5785039621920
Instruction ID: 643dae9a31514dbaa5f726cf69a6f2465f49e5c4ad8286e933a45593ee955c71
Opcode Fuzzy Hash: 19d64b0ab773cbfbd487bca6893bb747c2215c781c74349dcac5785039621920
Instruction Fuzzy Hash: 9F51A111F8824241FA64BAA6591117AD2F1BF99BD4FE84034EE0F47BD5EE3CE442C22C

Function 00007FF788792620 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF788792624

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 5644672d7aec8b178d5bd48a95ace976e45fdc56d1edf0a539dccc581205543b
Instruction ID: 330d055a8d59f762f4538ced9a2d05a34d5af238a54cb8fe9dc98a95ddb52108
Opcode Fuzzy Hash: 5644672d7aec8b178d5bd48a95ace976e45fdc56d1edf0a539dccc581205543b
Instruction Fuzzy Hash: 0BB09220E47B42C2EA083BA16D82614E2B57F5CB10FE80138C40C40320DF2C24EA9724

Function 00007FF7887821DC Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d7d821e27f440e8d5d3622ff09e7c05bc36f3fd6b9038f787498be69d76432a
Instruction ID: 65adff29fb20d681e902744b8cea6ec637a365805d7178ab6825881eec905c13
Opcode Fuzzy Hash: 7d7d821e27f440e8d5d3622ff09e7c05bc36f3fd6b9038f787498be69d76432a
Instruction Fuzzy Hash: 4FE1E532AA860285E764AAA9C56437CE7B1FB4DB57FB44231CE1D066D5CF38D881C32C

Function 00007FF788782614 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f3b43ccd68eb767627d2655b116bae7479589a7f74a5058ab0c91b2e39ac12
Instruction ID: 3221935c26eda123cecfe5180c9ae73466395146c2f7cae9df7d9b6e22ae9cb3
Opcode Fuzzy Hash: c2f3b43ccd68eb767627d2655b116bae7479589a7f74a5058ab0c91b2e39ac12
Instruction Fuzzy Hash: 43D1E822A6864286EB68AAA5815023DE7B1FF1DB4BFB84135CE0D177D4CF39D841C72C

Function 00007FF788777420 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b723f182358e09e7314f6f73ac964ac7abcdc7414507ad18988289416ad7b41b
Instruction ID: e73503c58bd64e9e3785873fd62f1cd8c51661ae716f8c213b0c49bba0dda365
Opcode Fuzzy Hash: b723f182358e09e7314f6f73ac964ac7abcdc7414507ad18988289416ad7b41b
Instruction Fuzzy Hash: 73C1F6722241E04BE688EB29F45987A73E2F788349FD9403AEB8747785CA3DE414D760

Function 00007FF78878132C Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c5c392cbfffe41992f0743bc4a0c2c3fe46246456b6811ff0c5dafdd99ec142
Instruction ID: 904616ceab1625df6bd53f74075562e2af80dc60f44e90a3a9d5ab9378ebb794
Opcode Fuzzy Hash: 6c5c392cbfffe41992f0743bc4a0c2c3fe46246456b6811ff0c5dafdd99ec142
Instruction Fuzzy Hash: 6AB1BE72A6864185E764AF69C05423DFBB0FB0AB48FA84135CA8E87399CF29D440C73D

Function 00007FF7887816C4 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85060b88648c64536cd03416e20448513b0a4375a109c0566769b76d71526d0c
Instruction ID: f661f91484348d2749011adb4540045c71a79723247305159a95a055af03876f
Opcode Fuzzy Hash: 85060b88648c64536cd03416e20448513b0a4375a109c0566769b76d71526d0c
Instruction Fuzzy Hash: 8EB19A72A68A8186E7649F69C09027CBBB4FB19B48FB80135CA4E83395CF39D441C73D

Function 00007FF78878D878 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59ad0bfc87d4107bda453f5e7c9a116e1e97c6e992cf3a610b4e267b4cffcaca
Instruction ID: 79b74db0fac94bcd99baa512a0c878278bb61fddfcaf426988eca6ef48aee9e9
Opcode Fuzzy Hash: 59ad0bfc87d4107bda453f5e7c9a116e1e97c6e992cf3a610b4e267b4cffcaca
Instruction Fuzzy Hash: E981E472A4C7818AEB74DB599480369EEB1FB49794FA44235DA9D43F8ACF3DD400CB18

Function 00007FF7887958A0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2033a98ce9b9ae1b6fcbd26cbe8033cb2e42881aa268c02d842b0e820a1bc4f5
Instruction ID: b261988c3a37e360505c1f81a91d863065400cf181464996fbd444666e05edd1
Opcode Fuzzy Hash: 2033a98ce9b9ae1b6fcbd26cbe8033cb2e42881aa268c02d842b0e820a1bc4f5
Instruction Fuzzy Hash: 8B612C22E5C2E245F764A5B8888123DE9A1FF58730FF80235DA5E466C5DE6DE800D72C

Function 00007FF788780354 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e0632a4a7e014686f42235b66fbebb9a54d6c0d44d943c89546efb0de6bc1d6
Instruction ID: 8a9b6e888ad963cad1e0d15b9743d8b66e6e8bf9693c537e75f258b1953bc30a
Opcode Fuzzy Hash: 4e0632a4a7e014686f42235b66fbebb9a54d6c0d44d943c89546efb0de6bc1d6
Instruction Fuzzy Hash: 8151B132A98A5186E7249B69C04423CF3B0FB49B68F744135CE8C17BA5CB3AE853C75C

Function 00007FF78877FF44 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7d583fdacf7a8c68166448a21aae8e03012e85621840fd7aae1b2904462282
Instruction ID: 8bb73d67599d67adb31a197ebf8577467e960f77dfa642df481db52e53f9b110
Opcode Fuzzy Hash: 9a7d583fdacf7a8c68166448a21aae8e03012e85621840fd7aae1b2904462282
Instruction Fuzzy Hash: C7519F36A58A5586E724AB69C040238F7B0FB49B68F744131CE9D17795CF3AE843C758

Function 00007FF788780764 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e009b45869f76b4bc0fd62373217406c0429eee7efa8b33e1f678da67ddd1256
Instruction ID: 78e8cf527ff4912ded65fe7bc42306c83773bdaab6bac06884770e86cb9fef0b
Opcode Fuzzy Hash: e009b45869f76b4bc0fd62373217406c0429eee7efa8b33e1f678da67ddd1256
Instruction Fuzzy Hash: D6517136A5965186EB249B69C04423CF3B0FB58F68F784131CA4D57795CB3AE883CB9C

Function 00007FF788780150 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fed526c0ef6e22bd960d06d2221fad266d41c34a47db8c9ca14c01ed2528e2
Instruction ID: 9088e31efadf018b9b4da574a894eb31a54d6a83c4e6b56d2f206080446c2111
Opcode Fuzzy Hash: e8fed526c0ef6e22bd960d06d2221fad266d41c34a47db8c9ca14c01ed2528e2
Instruction Fuzzy Hash: DC51AE36A59A5186E7649B69C04023CE7B1FB4DB68FB44131CE4C177A8CF3AE892C758

Function 00007FF78877FD40 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1122cbedd3da6cae4974dcedcaf2c480ad91f4dcca857e3bd784bf5366bd6c74
Instruction ID: 07599334c165148e1ff97356a17d1ee31b710cb2e09e434ec2c495462d176761
Opcode Fuzzy Hash: 1122cbedd3da6cae4974dcedcaf2c480ad91f4dcca857e3bd784bf5366bd6c74
Instruction Fuzzy Hash: 9151BE32A58A5986E724AB69C150328E7B0FF4DB58FB44131CA4C177A5CB3AEC42C798

Function 00007FF788780560 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc3e59ea296ef31dc5cb467e3ef236485a99d13d7a42ba6bd49c72ea64a61b5
Instruction ID: d972bc06af846f6ee0e3deb8e85068249b3d3e946f190e119713466b5943dfca
Opcode Fuzzy Hash: bbc3e59ea296ef31dc5cb467e3ef236485a99d13d7a42ba6bd49c72ea64a61b5
Instruction Fuzzy Hash: A551B036B5865586E724DB68C044628E7B0FB8DB58FB84131CE4D177A4CF3AE843C768

Function 00007FF788784FC0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e13b74b0b529d91a8ac9ee6727b9f2d590474870fceb05c3e17ea5803dfc50d
Instruction ID: 318cd716306bd225632d88da4d2c5d17de3770957f1089666fc6c29fc1609ab7
Opcode Fuzzy Hash: 7e13b74b0b529d91a8ac9ee6727b9f2d590474870fceb05c3e17ea5803dfc50d
Instruction Fuzzy Hash: C1410A52CCD7CA44E9559BA805007B4EAA0FF26BE0DF862B4DCA9573C7DC0D6587C12C

Function 00007FF788788D00 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 71af8a295fdb51eaf04f4fd3d3cb7b5e4e2b88d375af3dc160b99af84fd8c420
Instruction ID: ec0fe99183e2c7629e74a35010bfb52e560b191961817bc62bb840fc03f89a9b
Opcode Fuzzy Hash: 71af8a295fdb51eaf04f4fd3d3cb7b5e4e2b88d375af3dc160b99af84fd8c420
Instruction Fuzzy Hash: 9B412962B14A5482FF14DF6AD9541AAF3A1B74CFD0B949032EE1D87B64EE3CD542C308

Function 00007FF7887866C4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d783e1a3e72e92f8cc360288f3ef248e1cc566027f67d0610760681409bc4687
Instruction ID: d21ee0cec809cc6c9ada8173bc70f96154c8cf6245e5be846e251ff25c7543ef
Opcode Fuzzy Hash: d783e1a3e72e92f8cc360288f3ef248e1cc566027f67d0610760681409bc4687
Instruction Fuzzy Hash: 2431A772B58B4241E714AF65684413DE6E5BF88BA0FA84238EA5D53BD5DF3CE402C71C

Function 00007FF788798A30 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7304cda62ef4e3fce1e8e531a8e9660a3231e70ec23179b9d25e44c0445acc
Instruction ID: 04c62b3ac6fd6a1018c150f43e81ccc8bb99762138c86ecc404775b99ba86eba
Opcode Fuzzy Hash: 0a7304cda62ef4e3fce1e8e531a8e9660a3231e70ec23179b9d25e44c0445acc
Instruction Fuzzy Hash: F9F068717582568AEBA89FA9A802629BBE1F71C3C0F948039D68D83B05D63C9050CF18

Function 00007FF78877ABD4 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53f093bed3a5d0e4e42a94d80c7232e3ca8df1b9ab80f13d9c22a8443e6849f1
Instruction ID: c884b8aff12374d897954ab686706638d4951fbf99524eccb870efff4576d1ca
Opcode Fuzzy Hash: 53f093bed3a5d0e4e42a94d80c7232e3ca8df1b9ab80f13d9c22a8443e6849f1
Instruction Fuzzy Hash: 76A00125989803D0E644AB90AA60020E231BB58304BA40131D54D410B0EE2CA840C268

Function 00007FF788774730 Relevance: 166.5, APIs: 31, Strings: 64, Instructions: 287libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF788776310: LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788776333

GetProcAddress.KERNEL32 ref: 00007FF7887750C7
GetProcAddress.KERNEL32 ref: 00007FF788775106
GetProcAddress.KERNEL32 ref: 00007FF78877512B
GetProcAddress.KERNEL32 ref: 00007FF788775150
GetProcAddress.KERNEL32 ref: 00007FF788775178
GetProcAddress.KERNEL32 ref: 00007FF7887751A0
GetProcAddress.KERNEL32 ref: 00007FF7887751C8
GetProcAddress.KERNEL32 ref: 00007FF7887751F0
GetProcAddress.KERNEL32 ref: 00007FF788775218

Strings

Tcl_Init, xrefs: 00007FF7887750C0
Tcl_EvalObjv, xrefs: 00007FF7887754DE
Failed to get address for Tcl_MutexLock, xrefs: 00007FF788775252
Failed to get address for Tk_Init, xrefs: 00007FF788775572
Tcl_NewByteArrayObj, xrefs: 00007FF788775416
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF788775432
Tk_GetNumMainWindows, xrefs: 00007FF78877557E
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF78877513D
Failed to get address for Tcl_Finalize, xrefs: 00007FF78877518A
Tcl_Alloc, xrefs: 00007FF788775506
Tcl_FindExecutable, xrefs: 00007FF788775121
Tcl_MutexUnlock, xrefs: 00007FF78877525E
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF7887751B2
Tcl_FinalizeThread, xrefs: 00007FF788775196
Tcl_GetCurrentThread, xrefs: 00007FF78877520E
GetProcAddress, xrefs: 00007FF7887750E0
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF78877540A
Tcl_Finalize, xrefs: 00007FF78877516E
Failed to get address for Tcl_Alloc, xrefs: 00007FF788775522
Tcl_GetObjResult, xrefs: 00007FF788775466
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF7887752F2
Failed to get address for Tcl_EvalFile, xrefs: 00007FF7887754AA
Tcl_CreateInterp, xrefs: 00007FF7887750FC
Failed to get address for Tcl_Init, xrefs: 00007FF7887750D9
Tcl_GetString, xrefs: 00007FF7887753C6
Tcl_DeleteInterp, xrefs: 00007FF7887751BE
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF7887753BA
Failed to get address for Tcl_Free, xrefs: 00007FF78877554A
Failed to get address for Tcl_EvalEx, xrefs: 00007FF7887754D2
Tk_Init, xrefs: 00007FF788775556
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF78877522A
Tcl_ConditionFinalize, xrefs: 00007FF788775286
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF7887754FA
Tcl_ConditionNotify, xrefs: 00007FF7887752AE
Failed to get address for Tcl_GetString, xrefs: 00007FF7887753E2
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF788775118
Tcl_DoOneEvent, xrefs: 00007FF788775146
LOADER: Failed to load tcl/tk libraries, xrefs: 00007FF78877477A
Tcl_CreateThread, xrefs: 00007FF7887751E6
Tcl_Free, xrefs: 00007FF78877552E
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF788775482
Tcl_GetVar2, xrefs: 00007FF78877534E
Tcl_SetVar2Ex, xrefs: 00007FF78877543E
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF7887751DA
Tcl_MutexLock, xrefs: 00007FF788775236
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF7887752CA
Tcl_ConditionWait, xrefs: 00007FF7887752D6
Tcl_SetVar2, xrefs: 00007FF788775376
Tcl_CreateObjCommand, xrefs: 00007FF78877539E
Tcl_ThreadQueueEvent, xrefs: 00007FF7887752FE
Tcl_ThreadAlert, xrefs: 00007FF788775326
Tcl_EvalFile, xrefs: 00007FF78877548E
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF78877545A
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF788775162
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF7887752A2
Failed to get address for Tcl_SetVar2, xrefs: 00007FF788775392
Tcl_NewStringObj, xrefs: 00007FF7887753EE
Failed to get address for Tcl_CreateThread, xrefs: 00007FF788775202
Tcl_EvalEx, xrefs: 00007FF7887754B6
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF788775342
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF78877527A
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF78877559A
Failed to get address for Tcl_GetVar2, xrefs: 00007FF78877536A
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF78877531A

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 2238633743-1453502826
Opcode ID: 387b05963c1573a630a89e02a7d3e5c8a0eed87054fdcdadb8995d5c72bb8a89
Instruction ID: 5faa5308fe38eeb74b5df8f6694ebcc9621f669aadd90b9aa33b9b38797f8b19
Opcode Fuzzy Hash: 387b05963c1573a630a89e02a7d3e5c8a0eed87054fdcdadb8995d5c72bb8a89
Instruction Fuzzy Hash: 36E1B160A8AB4391FE15FBA8AD50274E3B6BF5C790BF45035C81E06364EF6CE548D368

Function 00007FF788776BF0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 113COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF788776C2C

Part of subcall function 00007FF788771CB0: GetLastError.KERNEL32(?,?,00000000,00007FF788776904,?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF788771CD7

Strings

Failed to get ANSI buffer size., xrefs: 00007FF788776CED
Failed to get wchar_t buffer size., xrefs: 00007FF788776C39
MultiByteToWideChar, xrefs: 00007FF788776C40, 00007FF788776CAD
win32_utils_from_utf8, xrefs: 00007FF788776C69
Failed to encode filename as ANSI., xrefs: 00007FF788776D45
WideCharToMultiByte, xrefs: 00007FF788776D4C
Failed to decode wchar_t from UTF-8, xrefs: 00007FF788776CA6
Out of memory., xrefs: 00007FF788776C70, 00007FF788776D12
win32_wcs_to_mbs, xrefs: 00007FF788776D0B

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$WideCharToMultiByte$win32_utils_from_utf8$win32_wcs_to_mbs
API String ID: 203985260-1562484376
Opcode ID: 3862dad7a734e1b5327f1da3e4475b8c5beb01cc5423311b44373fd47d1e8b31
Instruction ID: 3e9ec167223b084d9fbdef6e345a8913fed002b5f5cc04939055fd96b46d528e
Opcode Fuzzy Hash: 3862dad7a734e1b5327f1da3e4475b8c5beb01cc5423311b44373fd47d1e8b31
Instruction Fuzzy Hash: F1415421A8CA4342EA20BBA5AC40179E6B1BF9CBD0FE44135D94D477A9EF3CE505C728

Function 00007FF78877F5C8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78877F608
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78877F9D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78877FC6F

Strings

f, xrefs: 00007FF78877F855
f, xrefs: 00007FF78877F70A
f, xrefs: 00007FF78877F6A0
p, xrefs: 00007FF78877F712
p, xrefs: 00007FF78877F6AD

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction ID: 8f2851315a8d050e86bf585d362265128d8e5f721060da5d17948e364bb2335d
Opcode Fuzzy Hash: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction Fuzzy Hash: 5D12B422E4C24B85FB207AA4D2547BAF2B1FF58754FE44032D699466D4DF3CE480DB29

Function 00007FF7887712B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7887713E2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF788771312
malloc, xrefs: 00007FF788771353
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7887712E2
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF78877134C
fread, xrefs: 00007FF7887713E9
fseek, xrefs: 00007FF788771319

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 0-3659356012
Opcode ID: 10f526c2ff5c455780097855da84ddc8bd92fc37151a2808746bad80a4acf650
Instruction ID: 924fa46cd3ce181b95145d76cc7868bdc15a371cb41df9c70e6dee3ef83b7f9d
Opcode Fuzzy Hash: 10f526c2ff5c455780097855da84ddc8bd92fc37151a2808746bad80a4acf650
Instruction Fuzzy Hash: BF418F22B8964281EA14FB91E8416B9E3B0FB487D4FE44432DE4D87B55EF3CE542C328

Function 00007FF78877CF90 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF78877CFED

Part of subcall function 00007FF78877DF00: __GetUnwindTryBlock.LIBCMT ref: 00007FF78877DF43
Part of subcall function 00007FF78877DF00: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF78877DF68

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF78877D0C5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF78877D31A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF78877D426

Strings

csm, xrefs: 00007FF78877D06E
csm, xrefs: 00007FF78877D0E8
csm, xrefs: 00007FF78877D007

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: c9717f7599358984fa081211ebe6d8e8a7f2fe77f13a54a703b9fcdffbee59eb
Instruction ID: c28d6b4b293eb74c2f05b7dc09d09e14019d3df69625319a5514488678528c99
Opcode Fuzzy Hash: c9717f7599358984fa081211ebe6d8e8a7f2fe77f13a54a703b9fcdffbee59eb
Instruction Fuzzy Hash: BCE18032A4874186EB20BBA5D4402ADFBB0FB8C788F600135EE4D57B5ACF38E491C754

Function 00007FF7887767C0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF78877685F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF7887768AF

Strings

win32_utils_to_utf8, xrefs: 00007FF7887768E8
Failed to get UTF-8 buffer size., xrefs: 00007FF7887768F1
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7887768D8
WideCharToMultiByte, xrefs: 00007FF7887768F8
Out of memory., xrefs: 00007FF7887768E1

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 02e5b0b248b44fa656670cb4dcae359b0766aafddf42063cad3b4e8aee1a8378
Instruction ID: 24810c703084adfed3a6f65ec866fe3a002c6ad13f0d294aab2f5ce7c0a7301a
Opcode Fuzzy Hash: 02e5b0b248b44fa656670cb4dcae359b0766aafddf42063cad3b4e8aee1a8378
Instruction Fuzzy Hash: CA419532A4CB8286E660FF95B840169F7B5FB98790FA44135DA8D43B98EF3CE055C718

Function 00007FF788776EC0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00007FF788772D35,?,?,?,?,?,?), ref: 00007FF788776F01

Part of subcall function 00007FF788771CB0: GetLastError.KERNEL32(?,?,00000000,00007FF788776904,?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF788771CD7

WideCharToMultiByte.KERNEL32(00000000,00007FF788772D35,?,?,?,?,?,?), ref: 00007FF788776F75

Strings

win32_utils_to_utf8, xrefs: 00007FF788776F42
Failed to get UTF-8 buffer size., xrefs: 00007FF788776F0E
Failed to encode wchar_t as UTF-8., xrefs: 00007FF788776F7F
WideCharToMultiByte, xrefs: 00007FF788776F15, 00007FF788776F86
Out of memory., xrefs: 00007FF788776F3B

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1717984340-27947307
Opcode ID: d869b65ad41923ea885775a182ffbbb4fa8a6a55f9429b012359a23964d7bd56
Instruction ID: dcc9b6c30be8843f9ed0c5b9e3fbf10f69d17c5f8952b1ef46833169396a101f
Opcode Fuzzy Hash: d869b65ad41923ea885775a182ffbbb4fa8a6a55f9429b012359a23964d7bd56
Instruction Fuzzy Hash: 1E217E21A48B4285EB20FBA5AC40179F775BB88B90BE44135DA4D837A9EF3CF504C328

Function 00007FF7887893C4 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF788789407
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7887897F4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF788789A90

Strings

p, xrefs: 00007FF788789531
f, xrefs: 00007FF788789529
p, xrefs: 00007FF7887894B9

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction ID: 9b0306b815dcc7409587b52278638256297dd88d97b281521e8b2f03bb4746ec
Opcode Fuzzy Hash: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction Fuzzy Hash: 89129F22E4C14386FB20BA95D0543B9F6B1FB98754FE84035E69A466C4DB3CED81DB2C

Function 00007FF788776FB0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF788777045
MultiByteToWideChar.KERNEL32 ref: 00007FF788777087

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF7887770C6
MultiByteToWideChar, xrefs: 00007FF7887770CD
win32_utils_from_utf8, xrefs: 00007FF7887770BD
Failed to decode wchar_t from UTF-8, xrefs: 00007FF7887770AD
Out of memory., xrefs: 00007FF7887770B6

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 626452242-876015163
Opcode ID: 9c6e19a5a84aeb67727d60a37d4bc604be489eb4fd0075111d56c9fa607bfdf6
Instruction ID: 06cde90cff2c4d1447dee610560de93a2437f03f0bda5d5ca113a46256985e1f
Opcode Fuzzy Hash: 9c6e19a5a84aeb67727d60a37d4bc604be489eb4fd0075111d56c9fa607bfdf6
Instruction Fuzzy Hash: 7A419332A49B4282E620FF65A840279F6B5FB88B90FA44135DE5D47BA4EF3CD452C718

Function 00007FF78877C248 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF78877C4FA,?,?,?,00007FF78877C1EC,?,?,00000001,00007FF78877BE09), ref: 00007FF78877C2CD
GetLastError.KERNEL32(?,?,?,00007FF78877C4FA,?,?,?,00007FF78877C1EC,?,?,00000001,00007FF78877BE09), ref: 00007FF78877C2DB
LoadLibraryExW.KERNEL32(?,?,?,00007FF78877C4FA,?,?,?,00007FF78877C1EC,?,?,00000001,00007FF78877BE09), ref: 00007FF78877C305
FreeLibrary.KERNEL32(?,?,?,00007FF78877C4FA,?,?,?,00007FF78877C1EC,?,?,00000001,00007FF78877BE09), ref: 00007FF78877C34B
GetProcAddress.KERNEL32(?,?,?,00007FF78877C4FA,?,?,?,00007FF78877C1EC,?,?,00000001,00007FF78877BE09), ref: 00007FF78877C357

Strings

api-ms-, xrefs: 00007FF78877C2ED

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9ce77a0163c425c367fd7c26c9c82fe5a817cd2dfec158d19dd861a4531b58f3
Instruction ID: 7d0fa3547cb09baad6612aa326fab9f70292af7ffad437a53786d2714bdf0c0a
Opcode Fuzzy Hash: 9ce77a0163c425c367fd7c26c9c82fe5a817cd2dfec158d19dd861a4531b58f3
Instruction Fuzzy Hash: 5831C621B4A64281EE51BB96A800579E3B4FF4DBA0FA90535DD2D46340EF3CE444C729

Function 00007FF7887755E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF788776DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF788776DEA

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF78877592F,?,00000000,?,TokenIntegrityLevel), ref: 00007FF78877563F

Strings

LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF788775616
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF788775653
LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF78877569A

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 2001182103-3498232454
Opcode ID: fdd7dde3b259d5c85a5860e4beb10e1e90b11722a954db2bd89b45fefe27c6de
Instruction ID: 3e7b51f66d8a52a856cf089d5deca7b5f1c8de558caadfb189daabd1c4612fa2
Opcode Fuzzy Hash: fdd7dde3b259d5c85a5860e4beb10e1e90b11722a954db2bd89b45fefe27c6de
Instruction Fuzzy Hash: 49319551B597C280FA20B7A599553BAD2B1BF9D7C0FE40035DA0E82786FE2CE104C72C

Function 00007FF788776DB0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF788776DEA

Part of subcall function 00007FF788771CB0: GetLastError.KERNEL32(?,?,00000000,00007FF788776904,?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF788771CD7

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF788776E70

Strings

Failed to get wchar_t buffer size., xrefs: 00007FF788776DF7
MultiByteToWideChar, xrefs: 00007FF788776DFE, 00007FF788776E81
win32_utils_from_utf8, xrefs: 00007FF788776E39
Failed to decode wchar_t from UTF-8, xrefs: 00007FF788776E7A
Out of memory., xrefs: 00007FF788776E32

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1717984340-876015163
Opcode ID: 7f54e5da8ee4cb54e1cd0e604769d215f15cea2374718bc11fd99751b49c0007
Instruction ID: 02f16c72fc895eebc0123a64903ebce6081ae419d4db6dfa5eaffd404900e1e1
Opcode Fuzzy Hash: 7f54e5da8ee4cb54e1cd0e604769d215f15cea2374718bc11fd99751b49c0007
Instruction Fuzzy Hash: 1E216521B48A4242EF50EB69F800165E771FB8D7C4FA84135DB5C83B69EF2CE551C718

Function 00007FF78878A780 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A78F
FlsGetValue.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A7A4
FlsSetValue.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A7C5
FlsSetValue.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A7F2
FlsSetValue.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A803
FlsSetValue.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A814
SetLastError.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A82F

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: c556bcea9941d530c195de90c7ce9b2392d0a01d085d118c12b8cb389224617b
Instruction ID: 465359d6503f8b812241494b0ba2586e8ce8030f315bb2a72b11d2243adc4c6e
Opcode Fuzzy Hash: c556bcea9941d530c195de90c7ce9b2392d0a01d085d118c12b8cb389224617b
Instruction Fuzzy Hash: 36217C20E8864242FA5973E1A681139E5727F4C7B0FB84734E93E47AC6DE2CA441C22E

Function 00007FF7887970EC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF78879711D
GetLastError.KERNEL32 ref: 00007FF788797129
CloseHandle.KERNEL32 ref: 00007FF788797141
CreateFileW.KERNEL32 ref: 00007FF78879716C
WriteConsoleW.KERNEL32 ref: 00007FF78879718B

Strings

CONOUT$, xrefs: 00007FF78879714D

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 900c1da012dee1dfb60ea43974335527b3f6c3b56b4e810762f126343bdfd55c
Instruction ID: d9e2e8ee1ddc546faafdb15665962540908f3207f7e4d17dd3b816a11a57151f
Opcode Fuzzy Hash: 900c1da012dee1dfb60ea43974335527b3f6c3b56b4e810762f126343bdfd55c
Instruction Fuzzy Hash: D3118121A58A4186E350AB96FC54329E6B1FB8CBE4FA40234DA5D87794EF3CD414C758

Function 00007FF78878A8F8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF788786091,?,?,?,?,00007FF78878DF1F,?,?,00000000,00007FF78878AA16,?,?,?), ref: 00007FF78878A907
FlsSetValue.KERNEL32(?,?,?,00007FF788786091,?,?,?,?,00007FF78878DF1F,?,?,00000000,00007FF78878AA16,?,?,?), ref: 00007FF78878A93D
FlsSetValue.KERNEL32(?,?,?,00007FF788786091,?,?,?,?,00007FF78878DF1F,?,?,00000000,00007FF78878AA16,?,?,?), ref: 00007FF78878A96A
FlsSetValue.KERNEL32(?,?,?,00007FF788786091,?,?,?,?,00007FF78878DF1F,?,?,00000000,00007FF78878AA16,?,?,?), ref: 00007FF78878A97B
FlsSetValue.KERNEL32(?,?,?,00007FF788786091,?,?,?,?,00007FF78878DF1F,?,?,00000000,00007FF78878AA16,?,?,?), ref: 00007FF78878A98C
SetLastError.KERNEL32(?,?,?,00007FF788786091,?,?,?,?,00007FF78878DF1F,?,?,00000000,00007FF78878AA16,?,?,?), ref: 00007FF78878A9A7

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 145da5da8bf5c56ab714606efba7c2bb83000df48059acb1bf9ac444d479a10e
Instruction ID: c7bfc034d2d1e443546d06a38e6091769e2780f86998b3f186822ee22af76330
Opcode Fuzzy Hash: 145da5da8bf5c56ab714606efba7c2bb83000df48059acb1bf9ac444d479a10e
Instruction Fuzzy Hash: 4C11CD20B8C64242FA5477E29641139E2727F8D7B0FB54734EC6E477D6DE2CA481C22E

Function 00007FF78877BC08 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF78877BC33
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF78877BCC8
RtlUnwindEx.KERNEL32 ref: 00007FF78877BD17

Strings

f, xrefs: 00007FF78877BC46
csm, xrefs: 00007FF78877BCAE

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: e4cc0f9b1589dd73a5d4f416534ce71b9b3e94dd2aede877d85d93aa73312820
Instruction ID: f10410b5a174d2badf3fbd176be22ab00f217c3a141b926cc93428790ca97633
Opcode Fuzzy Hash: e4cc0f9b1589dd73a5d4f416534ce71b9b3e94dd2aede877d85d93aa73312820
Instruction Fuzzy Hash: B451C132A496028AEB14FF65E404A79F7B5FB48B88FA08531DB5E47748DF39E841C718

Function 00007FF788788A40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF788788A65
GetProcAddress.KERNEL32 ref: 00007FF788788A7B
FreeLibrary.KERNEL32 ref: 00007FF788788AA2

Strings

mscoree.dll, xrefs: 00007FF788788A5C
CorExitProcess, xrefs: 00007FF788788A74

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 78a1a69aac29132cf000f84d0d5f993c26bceca4d1e4e1c3cfa2e89eec15c9a9
Instruction ID: c666a9d5e2b908501de8cdee70fa68fcf1dc633d4b262388b87e498d82d4d311
Opcode Fuzzy Hash: 78a1a69aac29132cf000f84d0d5f993c26bceca4d1e4e1c3cfa2e89eec15c9a9
Instruction Fuzzy Hash: 4DF04421649B0241FA206BA5EC45339D370BF4D761FA40635CA6E451E4DF3CD448D328

Function 00007FF788798824 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF78879884C
_set_statfp.LIBCMT ref: 00007FF788798867
_set_statfp.LIBCMT ref: 00007FF788798883
_set_statfp.LIBCMT ref: 00007FF7887988BF

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction ID: 59b09443ab64ea3fe7550b559d5a8a6516030b4a9c9b812a8b228bbe47d896bf
Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction Fuzzy Hash: D8118222EE8A0341F67431B8DC85775D1627F5C364EAA0638E97E4A7D7CE3CA840C138

Function 00007FF78878A9C0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF788789BD3,?,?,00000000,00007FF788789E6E,?,?,?,?,?,00007FF788781A40), ref: 00007FF78878A9DF
FlsSetValue.KERNEL32(?,?,?,00007FF788789BD3,?,?,00000000,00007FF788789E6E,?,?,?,?,?,00007FF788781A40), ref: 00007FF78878A9FE
FlsSetValue.KERNEL32(?,?,?,00007FF788789BD3,?,?,00000000,00007FF788789E6E,?,?,?,?,?,00007FF788781A40), ref: 00007FF78878AA26
FlsSetValue.KERNEL32(?,?,?,00007FF788789BD3,?,?,00000000,00007FF788789E6E,?,?,?,?,?,00007FF788781A40), ref: 00007FF78878AA37
FlsSetValue.KERNEL32(?,?,?,00007FF788789BD3,?,?,00000000,00007FF788789E6E,?,?,?,?,?,00007FF788781A40), ref: 00007FF78878AA48

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: fe685267061b1d7826c58759cf3d75ed099b9be309ea2abb6383fb5ceaf5ba53
Instruction ID: 802f2c5a33544dfaa7e8056ae98faaab89a9d532ac85a79af9f93c9419a1500d
Opcode Fuzzy Hash: fe685267061b1d7826c58759cf3d75ed099b9be309ea2abb6383fb5ceaf5ba53
Instruction Fuzzy Hash: 99113D11A8864241FA58B3E59681279E5627F4C7F0FA44334E83E47AD6DE2CE841C62E

Function 00007FF78878A854 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F), ref: 00007FF78878A865
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F), ref: 00007FF78878A884
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F), ref: 00007FF78878A8AC
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F), ref: 00007FF78878A8BD
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F), ref: 00007FF78878A8CE

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 46640cf929105097b223292b0b206d62ba136b58cd2f6612e783bcd6201db716
Instruction ID: 907826abcd9529a4294c5fb0005a2c0404b54d248f469e08df5066141cdd1514
Opcode Fuzzy Hash: 46640cf929105097b223292b0b206d62ba136b58cd2f6612e783bcd6201db716
Instruction Fuzzy Hash: 9611D610E8860341F9A972E56592279E1726F4D360FB84734D93E4A6D3DE2CB482C23E

Function 00007FF78878F218 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78878F4F7

Part of subcall function 00007FF7887954F4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF788795511

Strings

UTF-8, xrefs: 00007FF78878F476
ccs, xrefs: 00007FF78878F432
UTF-16LEUNICODE, xrefs: 00007FF78878F495

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: fa9c2c0b9e0b51f4f192ae3b8b8b95ed4a793ff286fdede4dba764f85164dfb1
Instruction ID: f0684abdd02a4338f954b7ef4c13df6dce0a2f628c8803bf8d87a9d48dd659a9
Opcode Fuzzy Hash: fa9c2c0b9e0b51f4f192ae3b8b8b95ed4a793ff286fdede4dba764f85164dfb1
Instruction Fuzzy Hash: B381A272E8820285F7A47EA5C154278F6B0BF19B84FF58032DA0DD7A95CB2DE941D32D

Function 00007FF78877D468 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF78877D4B4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF78877D503

Strings

RCC, xrefs: 00007FF78877D4D1
MOC, xrefs: 00007FF78877D4C8

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: f09742bcba9082defbae069630545238114b431a0e4fd7be58dd8469a5d7fef1
Instruction ID: ad112efbc37ef7d317ca95eb9a5265a97a9f9feed28a38ccb94fae0fec48a5b3
Opcode Fuzzy Hash: f09742bcba9082defbae069630545238114b431a0e4fd7be58dd8469a5d7fef1
Instruction Fuzzy Hash: FF618972A08A858AE710EFA5D4403ADBBB0FB49B8CF644235EE4D13B99DF38E055C714

Function 00007FF78877D7C4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF78877D7EC
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF78877D8D4

Strings

csm, xrefs: 00007FF78877D80E
csm, xrefs: 00007FF78877D926

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: a3990994d2fbb822c09bdc2a35b5fa2b647080e9aebb1a5b00e12dffe7bfe986
Instruction ID: 8156a7135d11b3983da4b8bb41441f8a6c55bf052b7976a82c4b763eaea7ec2d
Opcode Fuzzy Hash: a3990994d2fbb822c09bdc2a35b5fa2b647080e9aebb1a5b00e12dffe7bfe986
Instruction Fuzzy Hash: 7351A53294824286EB64BF519584378FBB0FB99B94FA44135DA9C47BDACF3CE450CB18

Function 00007FF788772CD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7887727C9,?,?,?,?,?,?), ref: 00007FF788772D01

Part of subcall function 00007FF788771CB0: GetLastError.KERNEL32(?,?,00000000,00007FF788776904,?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF788771CD7

Strings

GetModuleFileNameW, xrefs: 00007FF788772D12
Failed to get executable path., xrefs: 00007FF788772D0B
Failed to convert executable path to UTF-8., xrefs: 00007FF788772D3A

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2776309574-1977442011
Opcode ID: 7987a5ce4ff3c8cba7d8c38c60f2d05ca27952d1a3ea66f3204455115dc1ef10
Instruction ID: b1af1a631ab846f22043f40529ccae9c8aee66a3160260051db749d422291f88
Opcode Fuzzy Hash: 7987a5ce4ff3c8cba7d8c38c60f2d05ca27952d1a3ea66f3204455115dc1ef10
Instruction Fuzzy Hash: 11018420BAD64245FA61B7A0D8153F5D2B1BF5C3C0FE00031D84E8A296EE5CE104C738

Function 00007FF78878BBD0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF78878BC4F
WriteFile.KERNEL32 ref: 00007FF78878BF17
WriteFile.KERNEL32 ref: 00007FF78878BF5D
GetLastError.KERNEL32 ref: 00007FF78878C013

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 47f9f7c1e3185106a498671fedee26090088e719dd8e44b73d57f810765c87d4
Instruction ID: 38458e930b701bc0b968b256e6657084bfda7250781033b11bd36e2ea6650285
Opcode Fuzzy Hash: 47f9f7c1e3185106a498671fedee26090088e719dd8e44b73d57f810765c87d4
Instruction Fuzzy Hash: 81D1E072B18A8589E710DFA5D4402ACF7B5FB487D8BA04236CF5E97B99DE38D006C718

Function 00007FF788794DBC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF788790920: _invalid_parameter_noinfo.LIBCMT ref: 00007FF788790953

_get_daylight.LIBCMT ref: 00007FF788794ED4
_get_daylight.LIBCMT ref: 00007FF788794EE5

Strings

?, xrefs: 00007FF788794E65

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 610c018c2ed3d43a6dc6b39dfd7623f8c002a97b49fdc2d3a9d4eaa2ab755e24
Instruction ID: 7539351b4ab64d9876b8dcda744cf2b9b933c6fb9fc82d9e17eb1da383ecea6f
Opcode Fuzzy Hash: 610c018c2ed3d43a6dc6b39dfd7623f8c002a97b49fdc2d3a9d4eaa2ab755e24
Instruction Fuzzy Hash: 20411E32AA828241FB64ABB59841379D670FF88BA4F744235EE5C07AD5DF3CD481C718

Function 00007FF788787FD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF788788002

Part of subcall function 00007FF788789F78: RtlFreeHeap.NTDLL(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F8E
Part of subcall function 00007FF788789F78: GetLastError.KERNEL32(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F98

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF78877A485), ref: 00007FF788788020

Strings

C:\Users\user\Desktop\54Oa5PcvK1.exe, xrefs: 00007FF78878800E

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\54Oa5PcvK1.exe
API String ID: 3580290477-651273546
Opcode ID: 87397ab4d942c93eb7ecf5272dbc7224ab3e9c0a5ace0b49458789d652eb9e0d
Instruction ID: 1483f088819f5974ab432a7c47e80e1c4356b374feab3c595140be73758f7dfc
Opcode Fuzzy Hash: 87397ab4d942c93eb7ecf5272dbc7224ab3e9c0a5ace0b49458789d652eb9e0d
Instruction Fuzzy Hash: 83416132A8864285F714AF61D8411B9F3B5FF487D4BA44035EA4E47B95DF3DE441C328

Function 00007FF78878C268 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF78878C37F
GetLastError.KERNEL32 ref: 00007FF78878C3A1

Strings

U, xrefs: 00007FF78878C32B

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 3868b3aae24abb70b6c7ced641cfa87b6d54125405e373b4c87f7bfc476be08b
Instruction ID: bcb166d6383145293a162039711eae07cfbb0c43253169c4642e0515b071c31b
Opcode Fuzzy Hash: 3868b3aae24abb70b6c7ced641cfa87b6d54125405e373b4c87f7bfc476be08b
Instruction Fuzzy Hash: 2741C722B18A4185EB60EFA5E8443AAF770FB98794FA44031EE4D87B98DF3CD441D758

Function 00007FF78878E588 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF78878E5C8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF78878E61A

Strings

:, xrefs: 00007FF78878E5DE

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 18b7638caf06c09ebc69002de91f62cb772c0954a617d485b77ce50a76d6b06e
Instruction ID: 86500980749a7816713edb6f60d477c2796ef1b2fc5f1327337b21982cc93d38
Opcode Fuzzy Hash: 18b7638caf06c09ebc69002de91f62cb772c0954a617d485b77ce50a76d6b06e
Instruction Fuzzy Hash: 9B21CE63B4828181EB20AB51D44426EF3B2FB88B84FE58035DA8D43285DF7CE945CB69

Function 00007FF78877E310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF78877E354
RaiseException.KERNEL32 ref: 00007FF78877E39A

Strings

csm, xrefs: 00007FF78877E387

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: ee4cd62d6736e0f26efa3482034fbaa09f2706f16dc7c85cfdea4997af4e44da
Instruction ID: ea91264fd502427c9ef1cd79e84088bbe0f759e19e62bcf86cfd2f365a4b2b34
Opcode Fuzzy Hash: ee4cd62d6736e0f26efa3482034fbaa09f2706f16dc7c85cfdea4997af4e44da
Instruction Fuzzy Hash: 17113A32648B4182EB209F25F940269F7B4FB88B84F684231EE8D07768DF3CD551CB04

Function 00007FF78878F08C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78878F0BC
GetDriveTypeW.KERNEL32 ref: 00007FF78878F0FC

Strings

:, xrefs: 00007FF78878F0E5

Memory Dump Source

Source File: 00000000.00000002.1918359018.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000000.00000002.1918314428.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918408147.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918455625.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1918535599.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 231bdef7d4e4c9a314d514652501e8a1bb3d1d6653b2e53c967e9d93a887682d
Instruction ID: f38bfe74bddd6410cdff3019d28e6eb305edd97ea475694ea42e777eeee511ff
Opcode Fuzzy Hash: 231bdef7d4e4c9a314d514652501e8a1bb3d1d6653b2e53c967e9d93a887682d
Instruction Fuzzy Hash: 93018F61A586028AF720BFA0946127EE3B0FF4C714FE40036D56D46681EE2CE545DA3C

Analysis Process: 54Oa5PcvK1.exePID: 5216, Parent PID: 6756COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1925
Total number of Limit Nodes:	57

Executed Functions

Function 00007FF788794EA0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF788794EE5

Part of subcall function 00007FF788794838: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78879484C

Part of subcall function 00007FF788789F78: HeapFree.KERNEL32(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F8E
Part of subcall function 00007FF788789F78: GetLastError.KERNEL32(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F98

Part of subcall function 00007FF788789F30: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF788789F0F,?,?,?,?,?,00007FF788781A40), ref: 00007FF788789F39
Part of subcall function 00007FF788789F30: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF788789F0F,?,?,?,?,?,00007FF788781A40), ref: 00007FF788789F5E

_get_daylight.LIBCMT ref: 00007FF788794ED4

Part of subcall function 00007FF788794898: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7887948AC

_get_daylight.LIBCMT ref: 00007FF78879514A
_get_daylight.LIBCMT ref: 00007FF78879515B
_get_daylight.LIBCMT ref: 00007FF78879516C
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7887953AC), ref: 00007FF788795193

Strings

Eastern Summer Time, xrefs: 00007FF788795251
Eastern Standard Time, xrefs: 00007FF788795239

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: efd6bd86b0a9241ba49c40c51702d4a4216664c1cf6d90fa3e70e8402c69cba8
Instruction ID: 06864b94738b1f235a632702068a5f04d127175c8542b00ffb86ee308194361a
Opcode Fuzzy Hash: efd6bd86b0a9241ba49c40c51702d4a4216664c1cf6d90fa3e70e8402c69cba8
Instruction Fuzzy Hash: 27D1C122A9829286E724BFB5D8905B9E771FF4C784FE44136EA0D47686DF3CE441C368

Function 00007FF788795DEC Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF788795B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF788795B61
Part of subcall function 00007FF788795B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF788795BDF
Part of subcall function 00007FF788795B20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF788795C30

CreateFileW.KERNEL32 ref: 00007FF788795EF2
CreateFileW.KERNEL32 ref: 00007FF788795F42
GetLastError.KERNEL32 ref: 00007FF788795F72
GetFileType.KERNEL32 ref: 00007FF788795F87
GetLastError.KERNEL32 ref: 00007FF788795F91
CloseHandle.KERNEL32 ref: 00007FF788795FC4
CloseHandle.KERNEL32 ref: 00007FF788796127
CreateFileW.KERNEL32 ref: 00007FF78879615C
GetLastError.KERNEL32 ref: 00007FF78879616B

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 52a4378cdb78c32285671ba8c66096e739a338fe2dbd84037285ee5c330aca07
Instruction ID: 0a02657588f10ec07e75d1fe71a8dd0d2c3d11126ca9e83330320f104238c341
Opcode Fuzzy Hash: 52a4378cdb78c32285671ba8c66096e739a338fe2dbd84037285ee5c330aca07
Instruction Fuzzy Hash: 0DC1C232B68A4285EB10DFB8C8915ACB771FB48B98FA10325DA2E5B795DF3CE055C314

Function 00007FF78879511C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF78879514A

Part of subcall function 00007FF788794898: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7887948AC

_get_daylight.LIBCMT ref: 00007FF78879515B

Part of subcall function 00007FF788794838: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78879484C

_get_daylight.LIBCMT ref: 00007FF78879516C

Part of subcall function 00007FF788794868: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78879487C

Part of subcall function 00007FF788789F78: HeapFree.KERNEL32(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F8E
Part of subcall function 00007FF788789F78: GetLastError.KERNEL32(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F98

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7887953AC), ref: 00007FF788795193

Strings

Eastern Summer Time, xrefs: 00007FF788795251
Eastern Standard Time, xrefs: 00007FF788795239

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 7e198542f45e47f797bfdedd3dcdeb77a56801e9e6762daf8462a5b391b5a0a3
Instruction ID: ce6f3861426675179223b125059aecda14246e08625bd5edf74d603a14e756fa
Opcode Fuzzy Hash: 7e198542f45e47f797bfdedd3dcdeb77a56801e9e6762daf8462a5b391b5a0a3
Instruction Fuzzy Hash: C0518B32A9868286E710FFB1E8805A9E771BB5C784FA04136EA4D43796DF3CE440C768

Function 00007FF7887717B0 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fread_nolock.LIBCMT ref: 00007FF78877185C
_fread_nolock.LIBCMT ref: 00007FF78877190E

Part of subcall function 00007FF78877E6D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF78877E6E4

Strings

Error on file., xrefs: 00007FF78877193D
malloc, xrefs: 00007FF7887718EA
fseek, xrefs: 00007FF788771836
Cannot read Table of Contents., xrefs: 00007FF788771995
MEI, xrefs: 00007FF7887717EF
Could not allocate buffer for TOC!, xrefs: 00007FF7887718E3
Could not read full TOC!, xrefs: 00007FF788771919
fread, xrefs: 00007FF78877186E
Failed to seek to cookie position!, xrefs: 00007FF78877182F
Failed to read cookie!, xrefs: 00007FF788771867

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _fread_nolock$_invalid_parameter_noinfo
String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
API String ID: 3405171723-4158440160
Opcode ID: 3be0a05a6a146284022477d506af850cce134aaf41d26f3dbf09e76eb624e4ef
Instruction ID: eb7087569641941b5b3e19d6ed2dc5c073145162d75ce73e6e58eb6693eae9cc
Opcode Fuzzy Hash: 3be0a05a6a146284022477d506af850cce134aaf41d26f3dbf09e76eb624e4ef
Instruction Fuzzy Hash: 15517C72A4960286EB54FFA4D490278F3B0FB5CB58BA18135DA0D87399DF3CE441CB68

Function 00007FF7887712B0 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7887713E2
malloc, xrefs: 00007FF788771353
fseek, xrefs: 00007FF788771319
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF78877134C
fread, xrefs: 00007FF7887713E9
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7887712E2
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF788771312

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 0-3659356012
Opcode ID: a47acfe53d5c3275ed8562c98a931b77cdc59a940d9d4ebdee28d468d9ce5435
Instruction ID: 924fa46cd3ce181b95145d76cc7868bdc15a371cb41df9c70e6dee3ef83b7f9d
Opcode Fuzzy Hash: a47acfe53d5c3275ed8562c98a931b77cdc59a940d9d4ebdee28d468d9ce5435
Instruction Fuzzy Hash: BF418F22B8964281EA14FB91E8416B9E3B0FB487D4FE44432DE4D87B55EF3CE542C328

Function 00007FF788771000 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF788772CD0: GetModuleFileNameW.KERNEL32(?,00007FF7887727C9,?,?,?,?,?,?), ref: 00007FF788772D01

SetDllDirectoryW.KERNEL32 ref: 00007FF7887729D5

Part of subcall function 00007FF788775AF0: GetEnvironmentVariableW.KERNEL32(00007FF788772817,?,?,?,?,?,?), ref: 00007FF788775B2A
Part of subcall function 00007FF788775AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF788775B47

Strings

Cannot side-load external archive %s (code %d)!, xrefs: 00007FF78877295C
_PYI_ONEDIR_MODE, xrefs: 00007FF78877282C, 00007FF788772857
MEI, xrefs: 00007FF788772917
Failed to convert DLL search path!, xrefs: 00007FF7887729BD
_MEIPASS2, xrefs: 00007FF788772803, 00007FF78877286C, 00007FF788772B1B, 00007FF788772B2B
Cannot open PyInstaller archive from executable (%s) or external archive (%s), xrefs: 00007FF7887728BE

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
API String ID: 2344891160-3602715111
Opcode ID: 803f2701319f7643a3910e49abf785d1810e6245a7014e2bf220fcd699411652
Instruction ID: 3fbe6bd7377509fe40c208ccf1ed25806e4ac57aeab84a11bb45177a587d28da
Opcode Fuzzy Hash: 803f2701319f7643a3910e49abf785d1810e6245a7014e2bf220fcd699411652
Instruction Fuzzy Hash: C9C19621AAC68341FA24BBA195502FDD3B1FF5C784FE44031EA5E4769AEF2CE505C728

Function 00007FF788771050 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF7887710F8, 00007FF788771126
1.2.13, xrefs: 00007FF78877107E
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF78877111F
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF7887710F1
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF788771249
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF7887710B4

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 0-1655038675
Opcode ID: 2b09f6334a8bfda232a9d87c2ffbb95a37d11d00bf3c57212093748cc921ba53
Instruction ID: 72f63e3cbf160c4b51c14696116fa26c1c6972fe8ef93c15f182e0a28c65607e
Opcode Fuzzy Hash: 2b09f6334a8bfda232a9d87c2ffbb95a37d11d00bf3c57212093748cc921ba53
Instruction Fuzzy Hash: 2351C422B8964281EA60FB91D8403B9E2B1FB89794FE44131DD4DC7795EF3CE545C728

Function 00007FF78878B08C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78878B4B9

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6ace3fbad8ddd1cd05ed41dddf3a6c6a2c6962649ba5052cc4813f441b9b9292
Instruction ID: 26727775064b3454a86e1a6692d31858b7b64182a9cf4bfc5a2243ec0df0a342
Opcode Fuzzy Hash: 6ace3fbad8ddd1cd05ed41dddf3a6c6a2c6962649ba5052cc4813f441b9b9292
Instruction Fuzzy Hash: 46C1E422A8C68A91E720AB9194412BDF771FB89B80FE54135DB5D07791CE7CE849C32C

Function 00007FF78878E95C Relevance: 6.2, APIs: 4, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF78878EA4C
_get_daylight.LIBCMT ref: 00007FF78878EA5D
_get_daylight.LIBCMT ref: 00007FF78878EA6E
_isindst.LIBCMT ref: 00007FF78878EB39

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 993f4cb53d01987759aa9ab87d439edc94425a62c6450610c4994d1423bcdf7f
Instruction ID: b54488ba40f4a0db6ba43926e2abd0ed5ce2c76352051eb2e46cec664e08b529
Opcode Fuzzy Hash: 993f4cb53d01987759aa9ab87d439edc94425a62c6450610c4994d1423bcdf7f
Instruction Fuzzy Hash: B151F673F442118AEB14EFA49D85ABCEB71BB0835CFA40135DD1E56AE5DB38A442C718

Function 00007FF78878483C Relevance: 6.1, APIs: 4, Instructions: 119
pipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32 ref: 00007FF78878486F
GetFileInformationByHandle.KERNEL32 ref: 00007FF7887848D1
GetLastError.KERNEL32 ref: 00007FF788784962
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00007FF788784774), ref: 00007FF7887849AE

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 81de7022a69b47ce39b5392d1784fece2718e2d2aab2765227a8e407644b98c7
Instruction ID: f928715efbf7e48fbf7cc5a126852401b7f05119d5e913e2e6cf2fcbc0ca36e9
Opcode Fuzzy Hash: 81de7022a69b47ce39b5392d1784fece2718e2d2aab2765227a8e407644b98c7
Instruction Fuzzy Hash: 9B518D22A886418AFB20EFB094513BDE3B1BB58B58FA08035DE4967789DF78D441C368

Function 00007FF7887846E8 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF788784715
CreateFileW.KERNEL32 ref: 00007FF788784754
CloseHandle.KERNEL32 ref: 00007FF788784789

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 58b178a13046118a9aa3eab3ad0445e857bf873c1952e3e12f7b4cc56e3b75ff
Instruction ID: f8fb023072568e62fb031e8cf524a16fa3327dc9f5c740ee1d531b3221e4c5e8
Opcode Fuzzy Hash: 58b178a13046118a9aa3eab3ad0445e857bf873c1952e3e12f7b4cc56e3b75ff
Instruction Fuzzy Hash: 2841B622D9878183E750ABA09510379F770FB99764F649334E69C03BD5EFACA5A0C728

Function 00007FF78877A51C Relevance: 4.6, APIs: 3, Instructions: 102COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF78877A530

Part of subcall function 00007FF78877A6FC: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF78877A71E

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF78877A545
__scrt_release_startup_lock.LIBCMT ref: 00007FF78877A5B3

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 3058843127-0
Opcode ID: 0a8c62a57e2cf59f1561fe537eeb51f2220189f8d74725526a3d26dbeb988a7e
Instruction ID: 9e0de20663d8b4324d398863b5fc90575a000ea3b82c281c8ba5a319650bc2c0
Opcode Fuzzy Hash: 0a8c62a57e2cf59f1561fe537eeb51f2220189f8d74725526a3d26dbeb988a7e
Instruction Fuzzy Hash: E1313C21E8924242FA54BBE0D6513B9E3B1BF8E784FE44435EA0D472D7DE2CA445C379

Function 00007FF78877E6FC Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78877E740
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78877E837

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 91f838de0bf1c0634cfb639a0c406c35748c40ae1573d712d08faa75350ec251
Instruction ID: dfc1145205c0d3efeafa65c0b869f4eea2ea31214b54c46dc0fc40625f13a773
Opcode Fuzzy Hash: 91f838de0bf1c0634cfb639a0c406c35748c40ae1573d712d08faa75350ec251
Instruction Fuzzy Hash: 1151E623B4924146F768BAE5940067AE2A1BF49FA4FA84634DE7C077C5CE3CE401C769

Function 00007FF78878BA48 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FF78878BAC1
GetFileType.KERNEL32 ref: 00007FF78878BAD7

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 51d66a3ea3a1e5720d3031fa8d01ef1f6d3b4a26eee4bfd04239a76c9c1293a5
Instruction ID: 158d691e6c616d5f9248dc9c28a949691d4b33f1558042d21019253e4d6b090d
Opcode Fuzzy Hash: 51d66a3ea3a1e5720d3031fa8d01ef1f6d3b4a26eee4bfd04239a76c9c1293a5
Instruction Fuzzy Hash: D831D622A58B4A81D7209B548590178EA70FB4DBB4FB81339DB6E073E4CF38E491D31D

Function 00007FF78878B764 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF78878B750,00000000,?,?,?,00007FF788771023,00007FF78878B859), ref: 00007FF78878B7B0
GetLastError.KERNEL32(?,?,?,?,?,00007FF78878B750,00000000,?,?,?,00007FF788771023,00007FF78878B859), ref: 00007FF78878B7BA

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7196098b30ecd42809471233c9619b7315c9fb41ce716e28bdee8d0b35162eb6
Instruction ID: a9f8659f0e787c087dc2e20c81c8ceeadc5d9c5092f520e59c2cb0c1d06f9ce4
Opcode Fuzzy Hash: 7196098b30ecd42809471233c9619b7315c9fb41ce716e28bdee8d0b35162eb6
Instruction Fuzzy Hash: A111C161618B8281DA10AB76A904169E371BB88BF4FA84332EE7D4B7D9CE3CD054C708

Function 00007FF7887849E4 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7887848F9), ref: 00007FF788784A17
SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7887848F9), ref: 00007FF788784A2D

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 5359c6eadbc125880de5eb3a516e79e0ad43a75e61374d6be107f92d83a7530b
Instruction ID: 6ed29d5f192712568142e5ad2e7a1abd621d8f948be6302eafdeabe3b60ceada
Opcode Fuzzy Hash: 5359c6eadbc125880de5eb3a516e79e0ad43a75e61374d6be107f92d83a7530b
Instruction Fuzzy Hash: 7811E33268C64281EB20AB50A40103BF7B0FB887A0FB00235F6AD85AD8EF6CD054DB1C

Function 00007FF78878A188 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF78878A005,?,?,00000000,00007FF78878A0BA), ref: 00007FF78878A1F6
GetLastError.KERNEL32(?,?,?,00007FF78878A005,?,?,00000000,00007FF78878A0BA), ref: 00007FF78878A200

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 6fe57093fbbb00cdf8389479e1e18e52ea82cce6ea34632ee61e1d7ac301845a
Instruction ID: cda6a7429926099457180346f8c0caeba85ce1ff2c8733b2bea62d1816014225
Opcode Fuzzy Hash: 6fe57093fbbb00cdf8389479e1e18e52ea82cce6ea34632ee61e1d7ac301845a
Instruction Fuzzy Hash: C421C210F5864241FA6077E19A94279E2B1BF8C7A4FA44234DE2E473C5DE6CA444C32E

Function 00007FF78878B4DC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78878B504

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3cb10c43647639a768565940e1ce5c449de1869fbc1a92892aa118bde093882e
Instruction ID: 117d0353dbd16151432f47124aaf57a6f8959f1fea7a12b5e585d3a817b58e69
Opcode Fuzzy Hash: 3cb10c43647639a768565940e1ce5c449de1869fbc1a92892aa118bde093882e
Instruction Fuzzy Hash: A141B032A4824587EA24EB99E550279F3B0FB5AB40FB41131D78E836D5DF2CE402C76D

Function 00007FF788776360 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF78877640A

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: a906f97fa5c1c3e68ea4aaba72e37a718a084612bddaa449cc4850aa5fd8710a
Instruction ID: 4328651a35dcf3decaf87fe8556f29969863b88e3b72b76e7a3cb7446935a1bc
Opcode Fuzzy Hash: a906f97fa5c1c3e68ea4aaba72e37a718a084612bddaa449cc4850aa5fd8710a
Instruction Fuzzy Hash: B4216221B8869245EA14BB9269043BAE661BF49FD8FD84430EE0D0778ADF7CF145C618

Function 00007FF78878AF6C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78878AFF2

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 215bf1b77ccde561eed8eea60c34a1d65fc1379a1c4c4c23abd8e86c97fd8e23
Instruction ID: 5d71915011892b49899071b47912a346a48028abe41f322ca66005d63fac2759
Opcode Fuzzy Hash: 215bf1b77ccde561eed8eea60c34a1d65fc1379a1c4c4c23abd8e86c97fd8e23
Instruction Fuzzy Hash: B7319E62A5860286E711BB95884437CE670BB88BA4FE10135EA3D073D2DE7CF846D73D

Function 00007FF788785538 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78878549D

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction ID: 533fb270f6bbf8043efffe64a09a28e0a2d45165a0f1e528c06f491b29a3a0d9
Opcode Fuzzy Hash: 25f020cec256df429067bb606d051891f0f83e0bb8faa834007163ccabd97c9c
Instruction Fuzzy Hash: 77118121A5C68181EB61BF91940067DE2B0BF89B80FE44431EA8C57A86CF7DE841D76C

Function 00007FF7887957DC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7887957FF

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e860bb9bc84c29a06dccfc010b7eb52daf61d2c250f48aeb7393b4a8ace16f10
Instruction ID: ed22d38186ef2b1748799f127303453be0194e266f77866bef4aac82fe7c0f66
Opcode Fuzzy Hash: e860bb9bc84c29a06dccfc010b7eb52daf61d2c250f48aeb7393b4a8ace16f10
Instruction Fuzzy Hash: 9F219532A18A8187DB61AF68D880779F6B0FB88B54FA44234EA6D476D5DF3CD401CB14

Function 00007FF78877E97C Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78877E9D0

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction ID: ecebca251f9b4d81c0372b97f25670e93856484d79739193c72677e71f8d6b8d
Opcode Fuzzy Hash: 298f7b2a666c55937c0a4044f00fb88544ba948c427ceaa5fd6043e577695ec0
Instruction Fuzzy Hash: C701C422A8875141EA44FBD29900179F6B5BF9AFE0FA84631DE6C17BD6CE3CE411C718

Function 00007FF788776310 Relevance: 1.5, APIs: 1, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF788776DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF788776DEA

LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788776333

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 4f2292e1e78b6b04c2ade65416a023b90951e6264d27b8cd69ba397aaf3470f3
Instruction ID: e38856b0d16868f1947c2add57924ee6b20d1b949d48ba692cb455c3383969fb
Opcode Fuzzy Hash: 4f2292e1e78b6b04c2ade65416a023b90951e6264d27b8cd69ba397aaf3470f3
Instruction Fuzzy Hash: EDE08621B1854142DE18A7ABA90546AE261FF4CBC0B989035DE0D47759DD2CD491CB08

Function 00007FF78878DEB8 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF78878AA16,?,?,?,00007FF788789BD3,?,?,00000000,00007FF788789E6E), ref: 00007FF78878DF0D

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 69550027ed8e3bf035e7bef6798a6f7658c1153be72ca181ca789a5114add420
Instruction ID: fc645b730fe34994f66bba238299955edb4ee4519e712605822a38250d1f6484
Opcode Fuzzy Hash: 69550027ed8e3bf035e7bef6798a6f7658c1153be72ca181ca789a5114add420
Instruction Fuzzy Hash: 61F04940B8A20341FE597BE259502B4D6B17F9CB40FEC4430C91E87AD2EE2CE482D23C

Function 00007FF78878CC2C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF78877F1E4,?,?,?,00007FF7887806F6,?,?,?,?,?,00007FF78878275D), ref: 00007FF78878CC6A

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: b827a7ab023d1767f95784f6f7fefaf86c66ee15463514ccfd07e797832e7771
Instruction ID: a75b05323a084f7774ed1fef1a3ecc0b89d4364ff10573a73ba577075b87c034
Opcode Fuzzy Hash: b827a7ab023d1767f95784f6f7fefaf86c66ee15463514ccfd07e797832e7771
Instruction Fuzzy Hash: 5BF05E10B9A24640FEA976F15941675D1A1BFCD7A0FA80234D93E852D1DD2CA480D23C

Non-executed Functions

Function 00007FF7887758E0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(?,00000000,?,00007FF7887758AD), ref: 00007FF78877597A
GetCurrentProcessId.KERNEL32(?,00007FF7887758AD), ref: 00007FF788775980

Part of subcall function 00007FF788775AF0: GetEnvironmentVariableW.KERNEL32(00007FF788772817,?,?,?,?,?,?), ref: 00007FF788775B2A
Part of subcall function 00007FF788775AF0: ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,?), ref: 00007FF788775B47

Part of subcall function 00007FF788786818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF788786831

SetEnvironmentVariableW.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF788775A31

Strings

LOADER: Failed to set the TMP environment variable., xrefs: 00007FF788775958
_MEI%d, xrefs: 00007FF788775988
TMP, xrefs: 00007FF788775918, 00007FF7887759D9, 00007FF788775A67
TMP, xrefs: 00007FF78877593E

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Environment$Variable$CurrentExpandPathProcessStringsTemp_invalid_parameter_noinfo
String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
API String ID: 1556224225-1116378104
Opcode ID: fb533de90983aa8ed4e0e2c1f6f0f309b68095ef9aabf4d2006ce4ee732b5443
Instruction ID: 4a444f0c98d4d48383542149edb824feb81c59e29dd1cda1aa9ee3f85523f489
Opcode Fuzzy Hash: fb533de90983aa8ed4e0e2c1f6f0f309b68095ef9aabf4d2006ce4ee732b5443
Instruction Fuzzy Hash: 5A517E10F9D68340FE54B7A2A9552BAD2A17F9DBC0FE54031EC0E4BB96ED6CE501C328

Function 00007FFDFABB18A0 Relevance: 13.9, APIs: 9, Instructions: 425COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON311 ref: 00007FFDFABB190B
PyType_IsSubtype.PYTHON311 ref: 00007FFDFABB19F5
PyType_IsSubtype.PYTHON311 ref: 00007FFDFABB1A52
PyUnicode_FromKindAndData.PYTHON311 ref: 00007FFDFABB1B2D
PyMem_Free.PYTHON311 ref: 00007FFDFABB1B3E
PyMem_Realloc.PYTHON311 ref: 00007FFDFABB1CF8

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Mem_$SubtypeType_$DataFreeFromKindMallocReallocUnicode_
String ID:
API String ID: 1742244024-0
Opcode ID: 5c1050c68e97de161cd6d8c48e9085a3eef7c228c5941944440c3b79a23d7220
Instruction ID: e0e630557c3d3b35e3991fe346cec0937ec07af0e485409272e066d07a127672
Opcode Fuzzy Hash: 5c1050c68e97de161cd6d8c48e9085a3eef7c228c5941944440c3b79a23d7220
Instruction Fuzzy Hash: 0402F372B0C59286E76C8B19E464A7F37A5EF447C8F944177DAAE46ADCEE2DE440C300

Function 00007FFDFABB3058 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFDFABB3074
memset.VCRUNTIME140 ref: 00007FFDFABB3098
RtlCaptureContext.KERNEL32 ref: 00007FFDFABB30A1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDFABB30BB
RtlVirtualUnwind.KERNEL32 ref: 00007FFDFABB30FC
memset.VCRUNTIME140 ref: 00007FFDFABB312F
IsDebuggerPresent.KERNEL32 ref: 00007FFDFABB3150
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDFABB3171
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDFABB317C

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: d5821aaf4936ad9aa18e348792a4e6496cc638c229f42c96d8f2983ca85ed40f
Instruction ID: 156dfc5c9751555f783744f5488d2ba62e1c8c624b735db33d8615a62760ac37
Opcode Fuzzy Hash: d5821aaf4936ad9aa18e348792a4e6496cc638c229f42c96d8f2983ca85ed40f
Instruction Fuzzy Hash: EE315E72709B8189EB648F60E8A07EE7364FB84784F84413ADA5E47BD9DF38D548C710

Function 00007FF78877AA2C Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF78877AA48
RtlCaptureContext.KERNEL32 ref: 00007FF78877AA75
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF78877AA8F
RtlVirtualUnwind.KERNEL32 ref: 00007FF78877AAD0
IsDebuggerPresent.KERNEL32 ref: 00007FF78877AB24
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF78877AB45
UnhandledExceptionFilter.KERNEL32 ref: 00007FF78877AB50

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 414c3b7d1a52ef3ba5408d69683659119c26abb58edcf35ad0cee906abb0d3fb
Instruction ID: 24137f0c12913dfae8f2e654578cd7ce623fcbacafce13cbb3867e3601e403e8
Opcode Fuzzy Hash: 414c3b7d1a52ef3ba5408d69683659119c26abb58edcf35ad0cee906abb0d3fb
Instruction Fuzzy Hash: 01315072659A8186EB60AFA0E9403EDF371FB88744F94403ADA4D47A98EF3CD548C724

Function 00007FF788789C44 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF788789CBD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF788789CD5
RtlVirtualUnwind.KERNEL32 ref: 00007FF788789D10
IsDebuggerPresent.KERNEL32 ref: 00007FF788789D49
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF788789D53
UnhandledExceptionFilter.KERNEL32 ref: 00007FF788789D5E

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 5dfb057c3f1a11160ff10646ccc1b52b02cf652cbed9a545e94d4dbf2c44da7d
Instruction ID: e62e7179dd978e457198ef22bfb4e103cfa90b64f920cd892a8822e1a8c08712
Opcode Fuzzy Hash: 5dfb057c3f1a11160ff10646ccc1b52b02cf652cbed9a545e94d4dbf2c44da7d
Instruction Fuzzy Hash: AD315032658B8186E760EB65E8402AEF3B0FB88754FA00135EA9D43B95DF3CC555CB14

Function 00007FF788790A34 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF788790A80
FindFirstFileExW.KERNEL32 ref: 00007FF788790B8A

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 9f9ca1d73139302c1f8dadc28b774b2f708e59aaaf6a5032caa9291e182b955e
Instruction ID: d1b8fb5d2b7e7486f4ecc551450bc512768da6211d1d00cfaa1358c09b7a25df
Opcode Fuzzy Hash: 9f9ca1d73139302c1f8dadc28b774b2f708e59aaaf6a5032caa9291e182b955e
Instruction Fuzzy Hash: BAB1C822B6869241EA60ABB59C006B9E371FF49BE4FA44131ED5E07BC5DE3CE441C728

Function 00007FF788772F20 Relevance: 291.0, APIs: 55, Strings: 111, Instructions: 457libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788772F36
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788772F75
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788772F9A
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788772FBF
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788772FE7
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF78877300F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788773037
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF78877305F
GetProcAddress.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788773087

Strings

Failed to get address for PyRun_SimpleStringFlags, xrefs: 00007FF788773551
Failed to get address for PyObject_Str, xrefs: 00007FF788773529
Failed to get address for PyList_New, xrefs: 00007FF788773411
Py_SetProgramName, xrefs: 00007FF7887731ED
Failed to get address for PyLong_AsLong, xrefs: 00007FF788773439
Failed to get address for Py_DontWriteBytecodeFlag, xrefs: 00007FF788772F48
PyErr_Restore, xrefs: 00007FF788773305
PyImport_AddModule, xrefs: 00007FF788773355
Py_UnbufferedStdioFlag, xrefs: 00007FF78877307D
PyMarshal_ReadObjectFromString, xrefs: 00007FF78877364D
Failed to get address for Py_UTF8Mode, xrefs: 00007FF7887730C9
PyUnicode_FromFormat, xrefs: 00007FF7887736ED
Failed to get address for PyImport_ExecCodeModule, xrefs: 00007FF788773399
Failed to get address for PyEval_EvalCode, xrefs: 00007FF788773641
Failed to get address for PyErr_Print, xrefs: 00007FF7887732D1
Failed to get address for Py_DecRef, xrefs: 00007FF788773119
Failed to get address for PyUnicode_Decode, xrefs: 00007FF788773731
Failed to get address for PyUnicode_AsUTF8, xrefs: 00007FF788773781
Failed to get address for Py_BuildValue, xrefs: 00007FF7887730F1
Failed to get address for Py_GetPath, xrefs: 00007FF7887731E1
Failed to get address for PyImport_AddModule, xrefs: 00007FF788773371
Failed to get address for PyMarshal_ReadObjectFromString, xrefs: 00007FF788773669
PyList_Append, xrefs: 00007FF7887733CD
Failed to get address for PySys_SetPath, xrefs: 00007FF788773619
Failed to get address for PyErr_Restore, xrefs: 00007FF788773321
Failed to get address for PyObject_SetAttrString, xrefs: 00007FF7887734D9
Failed to get address for PyDict_GetItemString, xrefs: 00007FF788773259
Py_VerboseFlag, xrefs: 00007FF788773055
PyLong_AsLong, xrefs: 00007FF78877341D
Py_DecRef, xrefs: 00007FF7887730FD
PyUnicode_Replace, xrefs: 00007FF7887737B5
Failed to get address for Py_OptimizeFlag, xrefs: 00007FF788773049
PyUnicode_Decode, xrefs: 00007FF788773715
Failed to get address for Py_FileSystemDefaultEncoding, xrefs: 00007FF788772F87
Py_SetPath, xrefs: 00007FF78877319D
Failed to get address for PySys_AddWarnOption, xrefs: 00007FF788773579
Failed to get address for PyObject_GetAttrString, xrefs: 00007FF788773501
PySys_SetObject, xrefs: 00007FF7887735D5
Failed to get address for PyUnicode_Replace, xrefs: 00007FF7887737D1
PyErr_Fetch, xrefs: 00007FF7887732DD
Failed to get address for PyObject_CallFunctionObjArgs, xrefs: 00007FF7887734B1
Failed to get address for PyList_Append, xrefs: 00007FF7887733E9
Failed to get address for Py_IncRef, xrefs: 00007FF788773169
Failed to get address for Py_SetPythonHome, xrefs: 00007FF788773231
PyObject_SetAttrString, xrefs: 00007FF7887734BD
Py_SetPythonHome, xrefs: 00007FF788773215
GetProcAddress, xrefs: 00007FF788772F4F
Py_DecodeLocale, xrefs: 00007FF78877369D
PyObject_CallFunctionObjArgs, xrefs: 00007FF788773495
Failed to get address for Py_NoUserSiteDirectory, xrefs: 00007FF788773021
Failed to get address for PySys_SetObject, xrefs: 00007FF7887735F1
Failed to get address for PyErr_NormalizeException, xrefs: 00007FF788773349
Py_DontWriteBytecodeFlag, xrefs: 00007FF788772F2F
PyList_New, xrefs: 00007FF7887733F5
Py_BuildValue, xrefs: 00007FF7887730D5
PyUnicode_DecodeFSDefault, xrefs: 00007FF78877373D
PyDict_GetItemString, xrefs: 00007FF78877323D
Py_NoSiteFlag, xrefs: 00007FF788772FDD
PyObject_CallFunction, xrefs: 00007FF78877346D
Py_UTF8Mode, xrefs: 00007FF7887730AD
PyEval_EvalCode, xrefs: 00007FF788773625
Py_IncRef, xrefs: 00007FF78877314D
Failed to get address for PyUnicode_Join, xrefs: 00007FF7887737A9
Py_FileSystemDefaultEncoding, xrefs: 00007FF788772F6B
PySys_GetObject, xrefs: 00007FF7887735AD
Py_IgnoreEnvironmentFlag, xrefs: 00007FF788772FB5
Py_GetPath, xrefs: 00007FF7887731C5
Failed to get address for Py_UnbufferedStdioFlag, xrefs: 00007FF788773099
PyImport_ExecCodeModule, xrefs: 00007FF78877337D
Failed to get address for Py_NoSiteFlag, xrefs: 00007FF788772FF9
Failed to get address for Py_SetProgramName, xrefs: 00007FF788773209
PyMem_RawFree, xrefs: 00007FF7887736C5
Failed to get address for Py_SetPath, xrefs: 00007FF7887731B9
Failed to get address for PyMem_RawFree, xrefs: 00007FF7887736E1
PyUnicode_FromString, xrefs: 00007FF788773675
Failed to get address for PySys_GetObject, xrefs: 00007FF7887735C9
PyErr_NormalizeException, xrefs: 00007FF78877332D
PyRun_SimpleStringFlags, xrefs: 00007FF788773535
Failed to get address for Py_FrozenFlag, xrefs: 00007FF788772FAC
PyUnicode_Join, xrefs: 00007FF78877378D
Failed to get address for Py_Initialize, xrefs: 00007FF788773191
Failed to get address for PyImport_ImportModule, xrefs: 00007FF7887733C1
Failed to get address for Py_VerboseFlag, xrefs: 00007FF788773071
Failed to get address for Py_DecodeLocale, xrefs: 00007FF7887736B9
Py_OptimizeFlag, xrefs: 00007FF78877302D
Failed to get address for PyErr_Occurred, xrefs: 00007FF7887732A9
Py_Initialize, xrefs: 00007FF788773175
Failed to get address for PyObject_CallFunction, xrefs: 00007FF788773489
PyModule_GetDict, xrefs: 00007FF788773445
PyErr_Clear, xrefs: 00007FF788773265
Failed to get address for PySys_SetArgvEx, xrefs: 00007FF7887735A1
PyErr_Print, xrefs: 00007FF7887732B5
Failed to get address for PyErr_Fetch, xrefs: 00007FF7887732F9
Py_FrozenFlag, xrefs: 00007FF788772F90
Failed to get address for PyUnicode_FromString, xrefs: 00007FF788773691
PySys_SetArgvEx, xrefs: 00007FF788773585
Failed to get address for PyUnicode_FromFormat, xrefs: 00007FF788773709
Failed to get address for PyErr_Clear, xrefs: 00007FF788773281
PyObject_Str, xrefs: 00007FF78877350D
Py_NoUserSiteDirectory, xrefs: 00007FF788773005
PyErr_Occurred, xrefs: 00007FF78877328D
Failed to get address for Py_IgnoreEnvironmentFlag, xrefs: 00007FF788772FD1
PyImport_ImportModule, xrefs: 00007FF7887733A5
PyUnicode_AsUTF8, xrefs: 00007FF788773765
Py_Finalize, xrefs: 00007FF788773125
Failed to get address for PyUnicode_DecodeFSDefault, xrefs: 00007FF788773759
PyObject_GetAttrString, xrefs: 00007FF7887734E5
PySys_SetPath, xrefs: 00007FF7887735FD
Failed to get address for Py_Finalize, xrefs: 00007FF788773141
Failed to get address for PyModule_GetDict, xrefs: 00007FF788773461
PySys_AddWarnOption, xrefs: 00007FF78877355D

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
API String ID: 190572456-3109299426
Opcode ID: 3d8788b48c699204fb620db4b6681a167f3e5177f9efbc96361098fa63709e71
Instruction ID: 913835995822e15adc95e55c424f9de91654b743c29c1e3c0a81f3e6e31da0bb
Opcode Fuzzy Hash: 3d8788b48c699204fb620db4b6681a167f3e5177f9efbc96361098fa63709e71
Instruction Fuzzy Hash: 18429264A8EB0391EA15FBA9AD50174E2B1BF0C790BF45175C81E063A8FF7CE548D328

Function 00007FF788774730 Relevance: 166.5, APIs: 31, Strings: 64, Instructions: 287libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF788776310: LoadLibraryExW.KERNEL32(?,?,00000000,00007FF7887722DE,?,?,?,?), ref: 00007FF788776333

GetProcAddress.KERNEL32 ref: 00007FF7887750C7
GetProcAddress.KERNEL32 ref: 00007FF788775106
GetProcAddress.KERNEL32 ref: 00007FF78877512B
GetProcAddress.KERNEL32 ref: 00007FF788775150
GetProcAddress.KERNEL32 ref: 00007FF788775178
GetProcAddress.KERNEL32 ref: 00007FF7887751A0
GetProcAddress.KERNEL32 ref: 00007FF7887751C8
GetProcAddress.KERNEL32 ref: 00007FF7887751F0
GetProcAddress.KERNEL32 ref: 00007FF788775218

Strings

Tk_GetNumMainWindows, xrefs: 00007FF78877557E
Tcl_ThreadQueueEvent, xrefs: 00007FF7887752FE
Tcl_CreateInterp, xrefs: 00007FF7887750FC
Tcl_ConditionNotify, xrefs: 00007FF7887752AE
Failed to get address for Tcl_CreateInterp, xrefs: 00007FF788775118
Failed to get address for Tcl_GetCurrentThread, xrefs: 00007FF78877522A
Tcl_Alloc, xrefs: 00007FF788775506
Failed to get address for Tcl_MutexLock, xrefs: 00007FF788775252
Tcl_Finalize, xrefs: 00007FF78877516E
Tcl_CreateObjCommand, xrefs: 00007FF78877539E
Failed to get address for Tcl_DeleteInterp, xrefs: 00007FF7887751DA
Tcl_Init, xrefs: 00007FF7887750C0
Failed to get address for Tcl_EvalFile, xrefs: 00007FF7887754AA
Failed to get address for Tk_GetNumMainWindows, xrefs: 00007FF78877559A
Tcl_FinalizeThread, xrefs: 00007FF788775196
Failed to get address for Tcl_Alloc, xrefs: 00007FF788775522
Failed to get address for Tcl_Finalize, xrefs: 00007FF78877518A
Failed to get address for Tk_Init, xrefs: 00007FF788775572
Tcl_CreateThread, xrefs: 00007FF7887751E6
Tcl_ConditionWait, xrefs: 00007FF7887752D6
Tcl_ThreadAlert, xrefs: 00007FF788775326
Tcl_GetCurrentThread, xrefs: 00007FF78877520E
Failed to get address for Tcl_ConditionWait, xrefs: 00007FF7887752F2
Failed to get address for Tcl_FindExecutable, xrefs: 00007FF78877513D
Failed to get address for Tcl_NewStringObj, xrefs: 00007FF78877540A
Failed to get address for Tcl_NewByteArrayObj, xrefs: 00007FF788775432
Tcl_Free, xrefs: 00007FF78877552E
Tk_Init, xrefs: 00007FF788775556
Tcl_EvalEx, xrefs: 00007FF7887754B6
Failed to get address for Tcl_SetVar2Ex, xrefs: 00007FF78877545A
Failed to get address for Tcl_Free, xrefs: 00007FF78877554A
Failed to get address for Tcl_CreateThread, xrefs: 00007FF788775202
Tcl_GetString, xrefs: 00007FF7887753C6
Tcl_EvalObjv, xrefs: 00007FF7887754DE
Failed to get address for Tcl_MutexUnlock, xrefs: 00007FF78877527A
Tcl_NewByteArrayObj, xrefs: 00007FF788775416
Tcl_DeleteInterp, xrefs: 00007FF7887751BE
Tcl_EvalFile, xrefs: 00007FF78877548E
Failed to get address for Tcl_GetObjResult, xrefs: 00007FF788775482
Failed to get address for Tcl_SetVar2, xrefs: 00007FF788775392
Tcl_NewStringObj, xrefs: 00007FF7887753EE
Failed to get address for Tcl_EvalObjv, xrefs: 00007FF7887754FA
LOADER: Failed to load tcl/tk libraries, xrefs: 00007FF78877477A
Failed to get address for Tcl_Init, xrefs: 00007FF7887750D9
Tcl_FindExecutable, xrefs: 00007FF788775121
Tcl_MutexLock, xrefs: 00007FF788775236
Tcl_ConditionFinalize, xrefs: 00007FF788775286
Failed to get address for Tcl_CreateObjCommand, xrefs: 00007FF7887753BA
Failed to get address for Tcl_EvalEx, xrefs: 00007FF7887754D2
Failed to get address for Tcl_ConditionFinalize, xrefs: 00007FF7887752A2
Failed to get address for Tcl_GetString, xrefs: 00007FF7887753E2
Tcl_GetObjResult, xrefs: 00007FF788775466
Failed to get address for Tcl_ConditionNotify, xrefs: 00007FF7887752CA
Tcl_MutexUnlock, xrefs: 00007FF78877525E
Tcl_DoOneEvent, xrefs: 00007FF788775146
Tcl_SetVar2, xrefs: 00007FF788775376
Failed to get address for Tcl_GetVar2, xrefs: 00007FF78877536A
GetProcAddress, xrefs: 00007FF7887750E0
Failed to get address for Tcl_ThreadAlert, xrefs: 00007FF788775342
Tcl_SetVar2Ex, xrefs: 00007FF78877543E
Failed to get address for Tcl_FinalizeThread, xrefs: 00007FF7887751B2
Failed to get address for Tcl_ThreadQueueEvent, xrefs: 00007FF78877531A
Failed to get address for Tcl_DoOneEvent, xrefs: 00007FF788775162
Tcl_GetVar2, xrefs: 00007FF78877534E

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$LOADER: Failed to load tcl/tk libraries$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 2238633743-1453502826
Opcode ID: 387b05963c1573a630a89e02a7d3e5c8a0eed87054fdcdadb8995d5c72bb8a89
Instruction ID: 5faa5308fe38eeb74b5df8f6694ebcc9621f669aadd90b9aa33b9b38797f8b19
Opcode Fuzzy Hash: 387b05963c1573a630a89e02a7d3e5c8a0eed87054fdcdadb8995d5c72bb8a89
Instruction Fuzzy Hash: 36E1B160A8AB4391FE15FBA8AD50274E3B6BF5C790BF45035C81E06364EF6CE548D368

Function 00007FF788776BF0 Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 113COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF788776C2C

Part of subcall function 00007FF788771CB0: GetLastError.KERNEL32(?,?,00000000,00007FF788776904,?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF788771CD7

Strings

WideCharToMultiByte, xrefs: 00007FF788776D4C
win32_utils_from_utf8, xrefs: 00007FF788776C69
win32_wcs_to_mbs, xrefs: 00007FF788776D0B
Failed to encode filename as ANSI., xrefs: 00007FF788776D45
Failed to decode wchar_t from UTF-8, xrefs: 00007FF788776CA6
Failed to get wchar_t buffer size., xrefs: 00007FF788776C39
Failed to get ANSI buffer size., xrefs: 00007FF788776CED
Out of memory., xrefs: 00007FF788776C70, 00007FF788776D12
MultiByteToWideChar, xrefs: 00007FF788776C40, 00007FF788776CAD

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to encode filename as ANSI.$Failed to get ANSI buffer size.$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$WideCharToMultiByte$win32_utils_from_utf8$win32_wcs_to_mbs
API String ID: 203985260-1562484376
Opcode ID: 4738581143a7505b28abcd57c7c993806daa07168fe16da415c29e9b13c2df9d
Instruction ID: 3e9ec167223b084d9fbdef6e345a8913fed002b5f5cc04939055fd96b46d528e
Opcode Fuzzy Hash: 4738581143a7505b28abcd57c7c993806daa07168fe16da415c29e9b13c2df9d
Instruction Fuzzy Hash: F1415421A8CA4342EA20BBA5AC40179E6B1BF9CBD0FE44135D94D477A9EF3CE505C728

Function 00007FFDFABB48C4 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 94COMMON

Download Yara Rule

APIs

_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB48F1
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFDFABB4923
PyUnicode_Compare.PYTHON311 ref: 00007FFDFABB4986
_Py_Dealloc.PYTHON311 ref: 00007FFDFABB4997
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFDFABB49AB
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFDFABB49CB
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFDFABB49E3
PyErr_SetString.PYTHON311 ref: 00007FFDFABB4A06

Strings

invalid normalization form, xrefs: 00007FFDFABB49FC
NFKC, xrefs: 00007FFDFABB49A1
NFC, xrefs: 00007FFDFABB4913
NFD, xrefs: 00007FFDFABB49C1
NFKD, xrefs: 00007FFDFABB49D9

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Unicode_$CompareString$With$DeallocErr_Ready
String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
API String ID: 1067165228-3528878251
Opcode ID: 84b6ee6fd32b1749266b3b3277a0080e416e3c06d1c571da1b6b520214c44c91
Instruction ID: f4b8257e3cccc7a434c5c30d08cde1048d2ad8fe6871d9155de43ae16422a1e6
Opcode Fuzzy Hash: 84b6ee6fd32b1749266b3b3277a0080e416e3c06d1c571da1b6b520214c44c91
Instruction Fuzzy Hash: CE412E21B0CA4799EB5C8B11A864A3B63A4BF45BC4FC445B6CDAF477E9DF2CE4449301

Function 00007FF788771440 Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 133COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF7887715E5
malloc, xrefs: 00007FF788771560
Failed to extract %s: failed to open target file!, xrefs: 00007FF78877148A
fseek, xrefs: 00007FF788771500
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF788771559
fwrite, xrefs: 00007FF7887715DC
fread, xrefs: 00007FF7887715EC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF7887714CA
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF7887715D5
fopen, xrefs: 00007FF788771491
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF7887714F9

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID:
String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 0-666925554
Opcode ID: a0af457b7bbfc407ccfbc1c94cd0b20c2703364556a7e62a8338bbd4754aee84
Instruction ID: 1855476c67a55dd3937e9d22cd5a8be8b49de755e683e19bfd8f7f3a96632b78
Opcode Fuzzy Hash: a0af457b7bbfc407ccfbc1c94cd0b20c2703364556a7e62a8338bbd4754aee84
Instruction Fuzzy Hash: 6751A761B8864281EA10FBA1A9406B9E3B0BF4ABD4FE44431DE1D87795EF3CE545C338

Function 00007FF788776A60 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00007FF7887759BA,?,00007FF7887758AD), ref: 00007FF788776AA0
OpenProcessToken.ADVAPI32(?,00007FF7887758AD), ref: 00007FF788776AB1
GetTokenInformation.ADVAPI32(?,00007FF7887758AD(TokenIntegrityLevel)), ref: 00007FF788776AD3
GetLastError.KERNEL32(?,TokenIntegrityLevel), ref: 00007FF788776ADD
GetTokenInformation.ADVAPI32(?,TokenIntegrityLevel), ref: 00007FF788776B1A
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF788776B2C
CloseHandle.KERNEL32(?,00007FF7887758AD), ref: 00007FF788776B44
LocalFree.KERNEL32(?,00007FF7887758AD), ref: 00007FF788776B76
ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF788776B9D
CreateDirectoryW.KERNEL32(?,00007FF7887758AD), ref: 00007FF788776BAE

Strings

S-1-3-4, xrefs: 00007FF788776B4F
D:(A;;FA;;;%s), xrefs: 00007FF788776B59

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
String ID: D:(A;;FA;;;%s)$S-1-3-4
API String ID: 4998090-2855260032
Opcode ID: e3ae2089cc123d46b594be8ff950cb64da25cc15db14cd9a57b660644dd56c7b
Instruction ID: ee80df555ee3b25f34cffd7df380571d715919db5325a7bc084b8b6ff0cc9a40
Opcode Fuzzy Hash: e3ae2089cc123d46b594be8ff950cb64da25cc15db14cd9a57b660644dd56c7b
Instruction Fuzzy Hash: E941A63165C64282E710BFA5E8456AAF371FB89794FE00231EA5E476D8DF3CE408C714

Function 00007FFDFABB24D0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

PyModule_AddStringConstant.PYTHON311 ref: 00007FFDFABB24F0
PyType_FromSpec.PYTHON311 ref: 00007FFDFABB2505
PyModule_AddType.PYTHON311 ref: 00007FFDFABB251D
_Py_Dealloc.PYTHON311 ref: 00007FFDFABB3EBB

Part of subcall function 00007FFDFABB25B0: _PyObject_GC_New.PYTHON311(?,?,00000000,00007FFDFABB2533), ref: 00007FFDFABB25B6
Part of subcall function 00007FFDFABB25B0: PyObject_GC_Track.PYTHON311(?,?,00000000,00007FFDFABB2533), ref: 00007FFDFABB25E8

PyModule_AddObject.PYTHON311 ref: 00007FFDFABB2552
PyModule_AddObjectRef.PYTHON311 ref: 00007FFDFABB257A
_Py_Dealloc.PYTHON311 ref: 00007FFDFABB3ECA
_Py_Dealloc.PYTHON311 ref: 00007FFDFABB3EE8

Part of subcall function 00007FFDFABB2620: PyMem_Malloc.PYTHON311(?,?,00000000,00007FFDFABB2565), ref: 00007FFDFABB262B
Part of subcall function 00007FFDFABB2620: PyCapsule_New.PYTHON311(?,?,00000000,00007FFDFABB2565), ref: 00007FFDFABB2668

Strings

ucd_3_2_0, xrefs: 00007FFDFABB2548
14.0.0, xrefs: 00007FFDFABB24DF
unidata_version, xrefs: 00007FFDFABB24E9
_ucnhash_CAPI, xrefs: 00007FFDFABB2570

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Module_$Dealloc$ObjectObject_$Capsule_ConstantFromMallocMem_SpecStringTrackTypeType_
String ID: 14.0.0$_ucnhash_CAPI$ucd_3_2_0$unidata_version
API String ID: 288921926-1430584071
Opcode ID: 093a6e99f6c7ac6b9da6a92ec34a7c46fe80505c17f2a94d6c5583e06f8421e3
Instruction ID: 616944dafb33cd1aad7c0cf3e06212e264d3220bfb03b46541c18999dff9372b
Opcode Fuzzy Hash: 093a6e99f6c7ac6b9da6a92ec34a7c46fe80505c17f2a94d6c5583e06f8421e3
Instruction Fuzzy Hash: 8B213C71F1CA0381FB5D9B25A87497A2298AF49BD0FC852B3C92F067DDDE2CE0019711

Function 00007FFDFABB1090 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFDFABB10BD
PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFDFABB10D5
PyType_IsSubtype.PYTHON311 ref: 00007FFDFABB10FD

Part of subcall function 00007FFDFABB11D0: PyMem_Malloc.PYTHON311 ref: 00007FFDFABB1252
Part of subcall function 00007FFDFABB11D0: PyMem_Free.PYTHON311 ref: 00007FFDFABB136E

PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFDFABB366E

Strings

invalid normalization form, xrefs: 00007FFDFABB36F6
NFKC, xrefs: 00007FFDFABB10CB
NFC, xrefs: 00007FFDFABB10B3
NFD, xrefs: 00007FFDFABB3664
NFKD, xrefs: 00007FFDFABB36A6

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: CompareStringUnicode_With$Mem_$FreeMallocSubtypeType_
String ID: NFC$NFD$NFKC$NFKD$invalid normalization form
API String ID: 1723213316-3528878251
Opcode ID: 810bdfc32914a6b9f3e7d28e4da211caf2deacae3ab60a26b15fea2458299ecb
Instruction ID: e97be931db55d980192e88a5968cf2c3bbbc9e0669c806c7a2051e5ac3f506ce
Opcode Fuzzy Hash: 810bdfc32914a6b9f3e7d28e4da211caf2deacae3ab60a26b15fea2458299ecb
Instruction Fuzzy Hash: 5D517E61B1C65281FB6C8B16B834E7B5654AF42BC8F9451B3DD7E47BDACE2CE4019700

Function 00007FFDFABB45FC Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 62COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFDFABB462F
_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB4664
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB4674
_PyUnicode_ToDigit.PYTHON311 ref: 00007FFDFABB4699
PyErr_SetString.PYTHON311 ref: 00007FFDFABB46B9

Strings

a unicode character, xrefs: 00007FFDFABB464F
digit, xrefs: 00007FFDFABB4628, 00007FFDFABB4656
not a digit, xrefs: 00007FFDFABB46AF
argument 1, xrefs: 00007FFDFABB465D

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Arg_Unicode_$ArgumentCheckDigitErr_PositionalReadyString
String ID: a unicode character$argument 1$digit$not a digit
API String ID: 3305933226-4278345224
Opcode ID: 3217a924504a57fe459749e66487c061ed53d5ecb5f468087b61bf9f04998d2c
Instruction ID: fd38afac0566f66175ce8b2b535b94be5a53ad3ed979c0b70ab441cf24458f48
Opcode Fuzzy Hash: 3217a924504a57fe459749e66487c061ed53d5ecb5f468087b61bf9f04998d2c
Instruction Fuzzy Hash: B0210A21B0CA4691EB589B21E86497A6364FB84BC4F8445B2C92F476EDDF2CE455D300

Function 00007FFDFABB2730 Relevance: 16.7, APIs: 11, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFDFABB2758
__scrt_initialize_crt.LIBCMT ref: 00007FFDFABB279D
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFDFABB27AA
_RTC_Initialize.LIBCMT ref: 00007FFDFABB27D8
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFDFABB27FE
__scrt_release_startup_lock.LIBCMT ref: 00007FFDFABB2829

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
String ID:
API String ID: 349153199-0
Opcode ID: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
Instruction ID: 3af8d7f7ae9ee2903057d24753c8bcf160a0a2eada30b02485c94ab6b98a98e1
Opcode Fuzzy Hash: 5ae4ae1fad975d5487a8dd9099fd26104a61e4c8513e68d9fc499fd676c40ec1
Instruction Fuzzy Hash: 0381CD20F1C2434AF75CAB269871ABB2690AF857C0FC485B7D96D477DEDE2CE8458700

Function 00007FFDFABB1000 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 61COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFDFABB359B
_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB35C2
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB35CF
_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB35F7
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB3604

Part of subcall function 00007FFDFABB1090: PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFDFABB10BD
Part of subcall function 00007FFDFABB1090: PyUnicode_CompareWithASCIIString.PYTHON311 ref: 00007FFDFABB10D5
Part of subcall function 00007FFDFABB1090: PyType_IsSubtype.PYTHON311 ref: 00007FFDFABB10FD

Strings

argument 2, xrefs: 00007FFDFABB35F0
str, xrefs: 00007FFDFABB35AD, 00007FFDFABB35E2
normalize, xrefs: 00007FFDFABB358E, 00007FFDFABB35B4, 00007FFDFABB35E9
argument 1, xrefs: 00007FFDFABB35BB

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Unicode_$Arg_$ArgumentCompareReadyStringWith$CheckPositionalSubtypeType_
String ID: argument 1$argument 2$normalize$str
API String ID: 3621440800-1320425463
Opcode ID: 94348148c340fa5468beab9ef1746397c69e42e894d14843631ab3fa4ea44381
Instruction ID: ce2d9029bbb0ef7198bb3235422512611df6e3f08e451ba2067f28031785302e
Opcode Fuzzy Hash: 94348148c340fa5468beab9ef1746397c69e42e894d14843631ab3fa4ea44381
Instruction Fuzzy Hash: 99216171B1C68291E7588B15E8649BA2350EF44BD8FD942B3D97E476ECCF2CE446D300

Function 00007FFDFABB47D8 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFDFABB4804
_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB4839
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB4849
_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB4888
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB4898

Strings

argument 2, xrefs: 00007FFDFABB4881
str, xrefs: 00007FFDFABB4824, 00007FFDFABB4873
is_normalized, xrefs: 00007FFDFABB47F7, 00007FFDFABB482B, 00007FFDFABB487A
argument 1, xrefs: 00007FFDFABB4832

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Arg_$ArgumentReadyUnicode_$CheckPositional
String ID: argument 1$argument 2$is_normalized$str
API String ID: 396090033-184702317
Opcode ID: 083d934e8de19c9f3ecc87de63ad9be438488cb32d0c3822875fb99c87d5c9cf
Instruction ID: 92c4cdc99320730714943b4ccc5dbeba03e595681f00fa1985705e05927ac232
Opcode Fuzzy Hash: 083d934e8de19c9f3ecc87de63ad9be438488cb32d0c3822875fb99c87d5c9cf
Instruction Fuzzy Hash: C6219421B0CBC695E7588B15E860A7A2750BF44BD8FD442B2D97E476ECCF2CD44AC300

Function 00007FF788776670 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(WideCharToMultiByte,00007FF788771CE4,?,?,00000000,00007FF788776904), ref: 00007FF788776697
FormatMessageW.KERNEL32 ref: 00007FF7887766C6
WideCharToMultiByte.KERNEL32 ref: 00007FF78877671C

Part of subcall function 00007FF788771CB0: GetLastError.KERNEL32(?,?,00000000,00007FF788776904,?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF788771CD7

Strings

No error messages generated., xrefs: 00007FF7887766D0
FormatMessageW, xrefs: 00007FF7887766D7
WideCharToMultiByte, xrefs: 00007FF788776670, 00007FF78877672D
PyInstaller: pyi_win32_utils_to_utf8 failed., xrefs: 00007FF788776739
Failed to encode wchar_t as UTF-8., xrefs: 00007FF788776726
PyInstaller: FormatMessageW failed., xrefs: 00007FF7887766E3

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ErrorLast$ByteCharFormatMessageMultiWide
String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
API String ID: 2383786077-2573406579
Opcode ID: ee4750cad08e904e569e44cd6da303e01fcfffc44399732fd87d74f29f2688a4
Instruction ID: 5a3c580bd022a9cb0aa229dc47822488d61b71263ee1cb79edd71fa83302ddba
Opcode Fuzzy Hash: ee4750cad08e904e569e44cd6da303e01fcfffc44399732fd87d74f29f2688a4
Instruction Fuzzy Hash: 8121A471A48A4281FB60BBA4EC54376E775FB8D384FE40034D54D826A8EF3CE104C728

Function 00007FF78877F5C8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78877F608
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78877F9D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF78877FC6F

Strings

f, xrefs: 00007FF78877F6A0
p, xrefs: 00007FF78877F6AD
p, xrefs: 00007FF78877F712
f, xrefs: 00007FF78877F855
f, xrefs: 00007FF78877F70A

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction ID: 8f2851315a8d050e86bf585d362265128d8e5f721060da5d17948e364bb2335d
Opcode Fuzzy Hash: 5b8d5396a44c552a0cc4e48ad8092be8cf806d396b8c8f6251230df5f0eb9214
Instruction Fuzzy Hash: 5D12B422E4C24B85FB207AA4D2547BAF2B1FF58754FE44032D699466D4DF3CE480DB29

Function 00007FF788776130 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 90processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF788776DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF788776DEA

SetConsoleCtrlHandler.KERNEL32(00000000,00007FF788772B60,?,?,?,?,?,?), ref: 00007FF78877617F
GetStartupInfoW.KERNEL32 ref: 00007FF78877619E

Part of subcall function 00007FF7887892E4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7887892F8

Part of subcall function 00007FF78878705C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7887870C3

GetCommandLineW.KERNEL32 ref: 00007FF78877623E
CreateProcessW.KERNEL32 ref: 00007FF788776280
WaitForSingleObject.KERNEL32 ref: 00007FF788776294
GetExitCodeProcess.KERNEL32 ref: 00007FF7887762A4

Strings

CreateProcessW, xrefs: 00007FF7887762B7
Error creating child process!, xrefs: 00007FF7887762B0

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
String ID: CreateProcessW$Error creating child process!
API String ID: 2895956056-3524285272
Opcode ID: d5693698e4819ce5d510509d5cda6c943b390b1bcdb6e918232fd1435297541c
Instruction ID: f599b94f4519b6d03e401a2790c35ba37adc728b3685c66de57a10705988ca84
Opcode Fuzzy Hash: d5693698e4819ce5d510509d5cda6c943b390b1bcdb6e918232fd1435297541c
Instruction Fuzzy Hash: C9411531A4878281DA20ABA4F9552AAF374FF99360FA00335E6AD47BD5DF7CD044CB54

Function 00007FF78877CF90 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF78877CFED

Part of subcall function 00007FF78877DF00: __GetUnwindTryBlock.LIBCMT ref: 00007FF78877DF43
Part of subcall function 00007FF78877DF00: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF78877DF68

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF78877D0C5
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF78877D31A
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF78877D426

Strings

csm, xrefs: 00007FF78877D007
csm, xrefs: 00007FF78877D0E8
csm, xrefs: 00007FF78877D06E

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: c9717f7599358984fa081211ebe6d8e8a7f2fe77f13a54a703b9fcdffbee59eb
Instruction ID: c28d6b4b293eb74c2f05b7dc09d09e14019d3df69625319a5514488678528c99
Opcode Fuzzy Hash: c9717f7599358984fa081211ebe6d8e8a7f2fe77f13a54a703b9fcdffbee59eb
Instruction Fuzzy Hash: BCE18032A4874186EB20BBA5D4402ADFBB0FB8C788F600135EE4D57B5ACF38E491C754

Function 00007FFDFABB16E0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 129COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FFDFABB17C0
PyUnicode_FromString.PYTHON311 ref: 00007FFDFABB1824
_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB391A
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB392B

Strings

category, xrefs: 00007FFDFABB3913
a unicode character, xrefs: 00007FFDFABB3905
argument, xrefs: 00007FFDFABB390C

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Unicode_$Arg_ArgumentFromReadyStringSubtypeType_
String ID: a unicode character$argument$category
API String ID: 2803103377-2068800536
Opcode ID: a6d96ab8f4d74e2785bc45c139f4dad4c1c002ec39197cd78705e508cfcb3221
Instruction ID: 54cd00f53750e833e4faa4435157a25fd9e7d3e93dcc473faca14fe2a66b4715
Opcode Fuzzy Hash: a6d96ab8f4d74e2785bc45c139f4dad4c1c002ec39197cd78705e508cfcb3221
Instruction Fuzzy Hash: 2F51D661B08A4646EB5C8B09E860A7A67A1FF44BC8F944176DAAE477DCDF3CE845C300

Function 00007FF78878DF30 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,?,00007FF78878E2CA,?,?,0000014E9A17DE18,00007FF78878A383,?,?,?,00007FF78878A27A,?,?,?,00007FF7887854E2), ref: 00007FF78878E0AC
GetProcAddress.KERNEL32(?,00000000,?,00007FF78878E2CA,?,?,0000014E9A17DE18,00007FF78878A383,?,?,?,00007FF78878A27A,?,?,?,00007FF7887854E2), ref: 00007FF78878E0B8

Strings

ext-ms-, xrefs: 00007FF78878E009
api-ms-, xrefs: 00007FF78878DFF6

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 5d4014bca18f9f9ee9ee76f308e7221266f6712ab36b1d3e30b229e2872ef72f
Instruction ID: def85f34f1569cf54f57e9704a062d9b221cb8462026d10972336e748f34f483
Opcode Fuzzy Hash: 5d4014bca18f9f9ee9ee76f308e7221266f6712ab36b1d3e30b229e2872ef72f
Instruction Fuzzy Hash: 2A410622B5A60241FA11AB969900575E3B1BF0CB90FB84535DD2D87784EF3DE445C32C

Function 00007FFDFABB1590 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FFDFABB1668
PyUnicode_FromString.PYTHON311 ref: 00007FFDFABB168D
_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB38AE
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB38BE

Strings

a unicode character, xrefs: 00007FFDFABB3899
argument, xrefs: 00007FFDFABB38A0
bidirectional, xrefs: 00007FFDFABB38A7

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Unicode_$Arg_ArgumentFromReadyStringSubtypeType_
String ID: a unicode character$argument$bidirectional
API String ID: 2803103377-2110215792
Opcode ID: 36da06cb25986c62c4c3f8f899b6a59008b4eccd6e6682e03f445f584b43c37d
Instruction ID: e381aa195192377b4b6be73927af8bed287ea687e6b49b5d281f9df854123b0b
Opcode Fuzzy Hash: 36da06cb25986c62c4c3f8f899b6a59008b4eccd6e6682e03f445f584b43c37d
Instruction Fuzzy Hash: 1B41D061B1C64282EB5C8B15E870A7B23A1EF44BC8F984176DA6F436DCEF2DE8459300

Function 00007FF7887767C0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF78877685F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF7887768AF

Strings

WideCharToMultiByte, xrefs: 00007FF7887768F8
Failed to encode wchar_t as UTF-8., xrefs: 00007FF7887768D8
Out of memory., xrefs: 00007FF7887768E1
Failed to get UTF-8 buffer size., xrefs: 00007FF7887768F1
win32_utils_to_utf8, xrefs: 00007FF7887768E8

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 626452242-27947307
Opcode ID: 6005c3c3b021663ea81aa36166b0848140842be883a1b4f62739566592ce7020
Instruction ID: 24810c703084adfed3a6f65ec866fe3a002c6ad13f0d294aab2f5ce7c0a7301a
Opcode Fuzzy Hash: 6005c3c3b021663ea81aa36166b0848140842be883a1b4f62739566592ce7020
Instruction Fuzzy Hash: CA419532A4CB8286E660FF95B840169F7B5FB98790FA44135DA8D43B98EF3CE055C718

Function 00007FFDFABB4494 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FFDFABB44CB
PyUnicode_FromString.PYTHON311 ref: 00007FFDFABB44E7
memcpy.VCRUNTIME140 ref: 00007FFDFABB4563
PyOS_snprintf.PYTHON311 ref: 00007FFDFABB45A5
PyUnicode_FromStringAndSize.PYTHON311 ref: 00007FFDFABB45D2

Strings

, xrefs: 00007FFDFABB457B
%04X, xrefs: 00007FFDFABB4590

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: FromStringUnicode_$S_snprintfSizeSubtypeType_memcpy
String ID: $%04X
API String ID: 762632776-4013080060
Opcode ID: efaac3812b1e45b0806d1ffd24ca6100d0016fb643bf3bb04f79384b0d54b902
Instruction ID: 5c49871a8299f8ba8cf20f41e87b360a3825b1d21330f8b71b91e0e41d03b82d
Opcode Fuzzy Hash: efaac3812b1e45b0806d1ffd24ca6100d0016fb643bf3bb04f79384b0d54b902
Instruction Fuzzy Hash: 7431A372B08A8141EB698B14E824BBA63A1FF45BD4F880376DA7E476D9DF3CE5458300

Function 00007FF788776EC0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00007FF788772D35,?,?,?,?,?,?), ref: 00007FF788776F01

Part of subcall function 00007FF788771CB0: GetLastError.KERNEL32(?,?,00000000,00007FF788776904,?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF788771CD7

WideCharToMultiByte.KERNEL32(00000000,00007FF788772D35,?,?,?,?,?,?), ref: 00007FF788776F75

Strings

WideCharToMultiByte, xrefs: 00007FF788776F15, 00007FF788776F86
Failed to encode wchar_t as UTF-8., xrefs: 00007FF788776F7F
Out of memory., xrefs: 00007FF788776F3B
Failed to get UTF-8 buffer size., xrefs: 00007FF788776F0E
win32_utils_to_utf8, xrefs: 00007FF788776F42

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
API String ID: 1717984340-27947307
Opcode ID: d869b65ad41923ea885775a182ffbbb4fa8a6a55f9429b012359a23964d7bd56
Instruction ID: dcc9b6c30be8843f9ed0c5b9e3fbf10f69d17c5f8952b1ef46833169396a101f
Opcode Fuzzy Hash: d869b65ad41923ea885775a182ffbbb4fa8a6a55f9429b012359a23964d7bd56
Instruction Fuzzy Hash: 1E217E21A48B4285EB20FBA5AC40179F775BB88B90BE44135DA4D837A9EF3CF504C328

Function 00007FFDFABB4A40 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB4A79
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB4A8C
PyErr_Occurred.PYTHON311 ref: 00007FFDFABB4AB6
PyLong_FromLong.PYTHON311 ref: 00007FFDFABB4AC3

Strings

mirrored, xrefs: 00007FFDFABB4A72
a unicode character, xrefs: 00007FFDFABB4A64
argument, xrefs: 00007FFDFABB4A6B

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Arg_ArgumentErr_FromLongLong_OccurredReadyUnicode_
String ID: a unicode character$argument$mirrored
API String ID: 3097524968-4001128513
Opcode ID: 77cb7ad6de355ad8668d3817cb236b2b5105f7e73bd8a590f5e838a9add7c01f
Instruction ID: 4baa5c5a860b9ed478e46e7909f0d711a5306076665fe2199ac6595f2b66d903
Opcode Fuzzy Hash: 77cb7ad6de355ad8668d3817cb236b2b5105f7e73bd8a590f5e838a9add7c01f
Instruction Fuzzy Hash: 2A018820B0C68345EB5C9B25A86097A2354BF48BD4FC412B2D93E466DDDF3CD4848304

Function 00007FFDFABB41C4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB41FD
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB4210
PyErr_Occurred.PYTHON311 ref: 00007FFDFABB423A
PyLong_FromLong.PYTHON311 ref: 00007FFDFABB4247

Strings

a unicode character, xrefs: 00007FFDFABB41E8
combining, xrefs: 00007FFDFABB41F6
argument, xrefs: 00007FFDFABB41EF

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Arg_ArgumentErr_FromLongLong_OccurredReadyUnicode_
String ID: a unicode character$argument$combining
API String ID: 3097524968-4202047184
Opcode ID: 6ee8f634c8bf377dd992d2f0ff6affb9e81d614e22d3a0a0852f92623d6c53f6
Instruction ID: c36f39a75cfc2a919dfe77dfe94090884ed5934dadd01fba81dbb4ef2ca7853e
Opcode Fuzzy Hash: 6ee8f634c8bf377dd992d2f0ff6affb9e81d614e22d3a0a0852f92623d6c53f6
Instruction Fuzzy Hash: 2001A124F1C64346EB5C9F60A860A7A2290BF49BD8FC402B2D93E472EDDF3CE4849300

Function 00007FF7887893C4 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF788789407
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7887897F4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF788789A90

Strings

p, xrefs: 00007FF7887894B9
p, xrefs: 00007FF788789531
f, xrefs: 00007FF788789529

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction ID: 9b0306b815dcc7409587b52278638256297dd88d97b281521e8b2f03bb4746ec
Opcode Fuzzy Hash: d478605e8072a694eb9a9d804e4987f1596106984b5661be3eee2fb972e34d58
Instruction Fuzzy Hash: 89129F22E4C14386FB20BA95D0543B9F6B1FB98754FE84035E69A466C4DB3CED81DB2C

Function 00007FFDFABB11D0 Relevance: 10.8, APIs: 7, Instructions: 321COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFABB18A0: PyMem_Malloc.PYTHON311 ref: 00007FFDFABB190B
Part of subcall function 00007FFDFABB18A0: PyType_IsSubtype.PYTHON311 ref: 00007FFDFABB19F5
Part of subcall function 00007FFDFABB18A0: PyType_IsSubtype.PYTHON311 ref: 00007FFDFABB1A52

PyMem_Malloc.PYTHON311 ref: 00007FFDFABB1252
PyMem_Free.PYTHON311 ref: 00007FFDFABB136E
PyErr_NoMemory.PYTHON311 ref: 00007FFDFABB387A
_Py_Dealloc.PYTHON311 ref: 00007FFDFABB3889

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Mem_$MallocSubtypeType_$DeallocErr_FreeMemory
String ID:
API String ID: 4139299733-0
Opcode ID: 28f3761f3b9b36c355cab414f80724fd73af126df89ae3bbe0a4b4c216283ad1
Instruction ID: 54c15cf228e57353012031e31852e334e60418e310898f9558e547e5ddb78e03
Opcode Fuzzy Hash: 28f3761f3b9b36c355cab414f80724fd73af126df89ae3bbe0a4b4c216283ad1
Instruction Fuzzy Hash: 60D1DE72B1C95281EB288B15A464DBE67A5FF447C8F9401B3DA6E46AC9EF7CE841C700

Function 00007FF788776FB0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF788777045
MultiByteToWideChar.KERNEL32 ref: 00007FF788777087

Strings

win32_utils_from_utf8, xrefs: 00007FF7887770BD
Failed to decode wchar_t from UTF-8, xrefs: 00007FF7887770AD
Failed to get wchar_t buffer size., xrefs: 00007FF7887770C6
Out of memory., xrefs: 00007FF7887770B6
MultiByteToWideChar, xrefs: 00007FF7887770CD

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 626452242-876015163
Opcode ID: 15182e71835fbe62ed04ed96ffee69818c29c72be0e860e28e8d56ff05f5ea04
Instruction ID: 06cde90cff2c4d1447dee610560de93a2437f03f0bda5d5ca113a46256985e1f
Opcode Fuzzy Hash: 15182e71835fbe62ed04ed96ffee69818c29c72be0e860e28e8d56ff05f5ea04
Instruction Fuzzy Hash: 7A419332A49B4282E620FF65A840279F6B5FB88B90FA44135DE5D47BA4EF3CD452C718

Function 00007FF7887755E0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF788776DB0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF788776DEA

ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF78877592F,?,00000000,?,TokenIntegrityLevel), ref: 00007FF78877563F

Strings

LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF78877569A
LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF788775653
LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF788775616

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMultiStringsWide
String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
API String ID: 2001182103-3498232454
Opcode ID: a1120828b3476f260000b83a15022e52e527ac597b894c2c5ce775141fa959ef
Instruction ID: 3e7b51f66d8a52a856cf089d5deca7b5f1c8de558caadfb189daabd1c4612fa2
Opcode Fuzzy Hash: a1120828b3476f260000b83a15022e52e527ac597b894c2c5ce775141fa959ef
Instruction Fuzzy Hash: 49319551B597C280FA20B7A599553BAD2B1BF9D7C0FE40035DA0E82786FE2CE104C72C

Function 00007FF78877C248 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF78877C4FA,?,?,?,00007FF78877C1EC,?,?,00000001,00007FF78877BE09), ref: 00007FF78877C2CD
GetLastError.KERNEL32(?,?,?,00007FF78877C4FA,?,?,?,00007FF78877C1EC,?,?,00000001,00007FF78877BE09), ref: 00007FF78877C2DB
LoadLibraryExW.KERNEL32(?,?,?,00007FF78877C4FA,?,?,?,00007FF78877C1EC,?,?,00000001,00007FF78877BE09), ref: 00007FF78877C305
FreeLibrary.KERNEL32(?,?,?,00007FF78877C4FA,?,?,?,00007FF78877C1EC,?,?,00000001,00007FF78877BE09), ref: 00007FF78877C34B
GetProcAddress.KERNEL32(?,?,?,00007FF78877C4FA,?,?,?,00007FF78877C1EC,?,?,00000001,00007FF78877BE09), ref: 00007FF78877C357

Strings

api-ms-, xrefs: 00007FF78877C2ED

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 9ce77a0163c425c367fd7c26c9c82fe5a817cd2dfec158d19dd861a4531b58f3
Instruction ID: 7d0fa3547cb09baad6612aa326fab9f70292af7ffad437a53786d2714bdf0c0a
Opcode Fuzzy Hash: 9ce77a0163c425c367fd7c26c9c82fe5a817cd2dfec158d19dd861a4531b58f3
Instruction Fuzzy Hash: 5831C621B4A64281EE51BB96A800579E3B4FF4DBA0FA90535DD2D46340EF3CE444C729

Function 00007FF788776DB0 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 68COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF788776DEA

Part of subcall function 00007FF788771CB0: GetLastError.KERNEL32(?,?,00000000,00007FF788776904,?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF788771CD7

MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00007FF788776E70

Strings

win32_utils_from_utf8, xrefs: 00007FF788776E39
Failed to decode wchar_t from UTF-8, xrefs: 00007FF788776E7A
Failed to get wchar_t buffer size., xrefs: 00007FF788776DF7
Out of memory., xrefs: 00007FF788776E32
MultiByteToWideChar, xrefs: 00007FF788776DFE, 00007FF788776E81

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
API String ID: 1717984340-876015163
Opcode ID: 7f54e5da8ee4cb54e1cd0e604769d215f15cea2374718bc11fd99751b49c0007
Instruction ID: 02f16c72fc895eebc0123a64903ebce6081ae419d4db6dfa5eaffd404900e1e1
Opcode Fuzzy Hash: 7f54e5da8ee4cb54e1cd0e604769d215f15cea2374718bc11fd99751b49c0007
Instruction Fuzzy Hash: 1E216521B48A4242EF50EB69F800165E771FB8D7C4FA84135DB5C83B69EF2CE551C718

Function 00007FF78878A780 Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A78F
FlsGetValue.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A7A4
FlsSetValue.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A7C5
FlsSetValue.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A7F2
FlsSetValue.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A803
FlsSetValue.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A814
SetLastError.KERNEL32(?,?,?,00007FF7887924B3,?,?,?,00007FF78878CCEC,?,?,00000000,00007FF78878386F,?,?,?,00007FF788789473), ref: 00007FF78878A82F

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 78cf2455f8789f49a255dc6ffb64301edc27073bb37ec47cc96fd54928eaf598
Instruction ID: 465359d6503f8b812241494b0ba2586e8ce8030f315bb2a72b11d2243adc4c6e
Opcode Fuzzy Hash: 78cf2455f8789f49a255dc6ffb64301edc27073bb37ec47cc96fd54928eaf598
Instruction Fuzzy Hash: 36217C20E8864242FA5973E1A681139E5727F4C7B0FB84734E93E47AC6DE2CA441C22E

Function 00007FFDFABB4B3C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFDFABB4B77
_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB4BAC
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB4BBD

Strings

a unicode character, xrefs: 00007FFDFABB4B97
name, xrefs: 00007FFDFABB4B70, 00007FFDFABB4B9E
argument 1, xrefs: 00007FFDFABB4BA5

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
String ID: a unicode character$argument 1$name
API String ID: 3545102714-4190364640
Opcode ID: 98823aa8ffd1578c5263bbca0bedab94c0d76701b0ad0a7228cb953a239c43b9
Instruction ID: 1ba266d973b49cba775639227d1e7a2d69fd118ec538f4be13adf0f7a34cbbc6
Opcode Fuzzy Hash: 98823aa8ffd1578c5263bbca0bedab94c0d76701b0ad0a7228cb953a239c43b9
Instruction Fuzzy Hash: E1216F31B08A82C5EB689F11E560AAA7364FB44BC8F8441B2DB6D477ADCF3DE445C300

Function 00007FFDFABB42B8 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFDFABB42F3
_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB4328
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB4339

Strings

a unicode character, xrefs: 00007FFDFABB4313
decimal, xrefs: 00007FFDFABB42EC, 00007FFDFABB431A
argument 1, xrefs: 00007FFDFABB4321

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
String ID: a unicode character$argument 1$decimal
API String ID: 3545102714-2474051849
Opcode ID: f4a4db4005ce5b44fbbedd951a978a9de4f901ebc22dc2e68f9535657243f817
Instruction ID: 33e185a75b7650641149e01446101f773812ec6ad6a5cb33755e2769023247fc
Opcode Fuzzy Hash: f4a4db4005ce5b44fbbedd951a978a9de4f901ebc22dc2e68f9535657243f817
Instruction Fuzzy Hash: AF214D31B1CA8296EB589B11E4619AA6364FB44BC4FD841B2DA6D437EDCF38E555C300

Function 00007FFDFABB4C8C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

_PyArg_CheckPositional.PYTHON311 ref: 00007FFDFABB4CC7
_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB4CFC
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB4D0D

Strings

numeric, xrefs: 00007FFDFABB4CC0, 00007FFDFABB4CEE
a unicode character, xrefs: 00007FFDFABB4CE7
argument 1, xrefs: 00007FFDFABB4CF5

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Arg_$ArgumentCheckPositionalReadyUnicode_
String ID: a unicode character$argument 1$numeric
API String ID: 3545102714-2385192657
Opcode ID: 9cf334a25039c3b0788d85340cb18b310c84a749129293f830eaee71995b6e63
Instruction ID: 112d979c9d67770f314375f25e852b81271ee692735cac381ece0c4516d7e616
Opcode Fuzzy Hash: 9cf334a25039c3b0788d85340cb18b310c84a749129293f830eaee71995b6e63
Instruction Fuzzy Hash: 85214F31B08A8685EB589B11E46096A6364FB44BC4F9841B2DE6D477ADCF3CE955C700

Function 00007FF7887970EC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF78879711D
GetLastError.KERNEL32 ref: 00007FF788797129
CloseHandle.KERNEL32 ref: 00007FF788797141
CreateFileW.KERNEL32 ref: 00007FF78879716C
WriteConsoleW.KERNEL32 ref: 00007FF78879718B

Strings

CONOUT$, xrefs: 00007FF78879714D

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 900c1da012dee1dfb60ea43974335527b3f6c3b56b4e810762f126343bdfd55c
Instruction ID: d9e2e8ee1ddc546faafdb15665962540908f3207f7e4d17dd3b816a11a57151f
Opcode Fuzzy Hash: 900c1da012dee1dfb60ea43974335527b3f6c3b56b4e810762f126343bdfd55c
Instruction Fuzzy Hash: D3118121A58A4186E350AB96FC54329E6B1FB8CBE4FA40234DA5D87794EF3CD414C758

Function 00007FF78878A8F8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF788786091,?,?,?,?,00007FF78878DF1F,?,?,00000000,00007FF78878AA16,?,?,?), ref: 00007FF78878A907
FlsSetValue.KERNEL32(?,?,?,00007FF788786091,?,?,?,?,00007FF78878DF1F,?,?,00000000,00007FF78878AA16,?,?,?), ref: 00007FF78878A93D
FlsSetValue.KERNEL32(?,?,?,00007FF788786091,?,?,?,?,00007FF78878DF1F,?,?,00000000,00007FF78878AA16,?,?,?), ref: 00007FF78878A96A
FlsSetValue.KERNEL32(?,?,?,00007FF788786091,?,?,?,?,00007FF78878DF1F,?,?,00000000,00007FF78878AA16,?,?,?), ref: 00007FF78878A97B
FlsSetValue.KERNEL32(?,?,?,00007FF788786091,?,?,?,?,00007FF78878DF1F,?,?,00000000,00007FF78878AA16,?,?,?), ref: 00007FF78878A98C
SetLastError.KERNEL32(?,?,?,00007FF788786091,?,?,?,?,00007FF78878DF1F,?,?,00000000,00007FF78878AA16,?,?,?), ref: 00007FF78878A9A7

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 62dca5d10fd8524d44a9ca6b61b614a098d57abd4030ec328ef3c17f7e173edc
Instruction ID: c7bfc034d2d1e443546d06a38e6091769e2780f86998b3f186822ee22af76330
Opcode Fuzzy Hash: 62dca5d10fd8524d44a9ca6b61b614a098d57abd4030ec328ef3c17f7e173edc
Instruction Fuzzy Hash: 4C11CD20B8C64242FA5477E29641139E2727F8D7B0FB54734EC6E477D6DE2CA481C22E

Function 00007FF78877BC08 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF78877BC33
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF78877BCC8
RtlUnwindEx.KERNEL32 ref: 00007FF78877BD17

Strings

f, xrefs: 00007FF78877BC46
csm, xrefs: 00007FF78877BCAE

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: e4cc0f9b1589dd73a5d4f416534ce71b9b3e94dd2aede877d85d93aa73312820
Instruction ID: f10410b5a174d2badf3fbd176be22ab00f217c3a141b926cc93428790ca97633
Opcode Fuzzy Hash: e4cc0f9b1589dd73a5d4f416534ce71b9b3e94dd2aede877d85d93aa73312820
Instruction Fuzzy Hash: B451C132A496028AEB14FF65E404A79F7B5FB48B88FA08531DB5E47748DF39E841C718

Function 00007FFDFABB4D54 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FFDFABB4D80
_PyUnicode_ToNumeric.PYTHON311 ref: 00007FFDFABB4DB3
PyErr_SetString.PYTHON311 ref: 00007FFDFABB4DDB
PyFloat_FromDouble.PYTHON311 ref: 00007FFDFABB4DED

Strings

not a numeric character, xrefs: 00007FFDFABB4DD1

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: DoubleErr_Float_FromNumericStringSubtypeType_Unicode_
String ID: not a numeric character
API String ID: 1034370217-2058156748
Opcode ID: ae5864331190d99266549655542a2a8f2e04feb98f737cbb9499cc14618bbe38
Instruction ID: 3c682c6da40152badf7283cd0361cdbb51616b27fc847bbef0f6d152d30d6ddf
Opcode Fuzzy Hash: ae5864331190d99266549655542a2a8f2e04feb98f737cbb9499cc14618bbe38
Instruction Fuzzy Hash: 16118125B0C94681EB5D8B25E43093F63A5BF44BC4F9581B2C93F466EDDF2CECA58201

Function 00007FFDFABB4380 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

PyType_IsSubtype.PYTHON311 ref: 00007FFDFABB43AC
_PyUnicode_ToDecimalDigit.PYTHON311 ref: 00007FFDFABB43CB
PyErr_SetString.PYTHON311 ref: 00007FFDFABB43EB
PyLong_FromLong.PYTHON311 ref: 00007FFDFABB43FF

Strings

not a decimal, xrefs: 00007FFDFABB43E1

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: DecimalDigitErr_FromLongLong_StringSubtypeType_Unicode_
String ID: not a decimal
API String ID: 3750391552-3590249192
Opcode ID: 456184b784fa7efc8fe9d8897fb77cbbb081413c450d27b41a848b68105fcfc3
Instruction ID: e8acc1b18e6d0a839e629c29ee3532673d027a845f04630d641320a0e410d8bd
Opcode Fuzzy Hash: 456184b784fa7efc8fe9d8897fb77cbbb081413c450d27b41a848b68105fcfc3
Instruction Fuzzy Hash: B4115121B1DA4281EB5D8B16E47493F63A5BF44BC4F8945B2C92F466EDDF2CE8558300

Function 00007FFDFABB46E4 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB471D
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB4730

Strings

a unicode character, xrefs: 00007FFDFABB4708
argument, xrefs: 00007FFDFABB470F
east_asian_width, xrefs: 00007FFDFABB4716

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Arg_ArgumentReadyUnicode_
String ID: a unicode character$argument$east_asian_width
API String ID: 1875788646-3913127203
Opcode ID: e1dea5a4efee597cabc79f5f4f9b1c361292688d97fad454cab5bbac9e71014d
Instruction ID: 351418f28386f64f67f463ffea46e7ba47e534b1b897b999968cb78ca63c682c
Opcode Fuzzy Hash: e1dea5a4efee597cabc79f5f4f9b1c361292688d97fad454cab5bbac9e71014d
Instruction Fuzzy Hash: D101A720B08A8345EB589B22E9609761350FF46BD4F8451B2D97E062DEDF3CD445C300

Function 00007FFDFABB4418 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

_PyArg_BadArgument.PYTHON311 ref: 00007FFDFABB4451
_PyUnicode_Ready.PYTHON311 ref: 00007FFDFABB4464

Strings

a unicode character, xrefs: 00007FFDFABB443C
decomposition, xrefs: 00007FFDFABB444A
argument, xrefs: 00007FFDFABB4443

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Arg_ArgumentReadyUnicode_
String ID: a unicode character$argument$decomposition
API String ID: 1875788646-2471543666
Opcode ID: ac2962689f343f1b3e1879047209e348276c37b5dff3c3435d3d8175ead54011
Instruction ID: 1d75a43af396bb6e99092bb9ba22303058abf1a78f7f4aefdfab77570fc3c370
Opcode Fuzzy Hash: ac2962689f343f1b3e1879047209e348276c37b5dff3c3435d3d8175ead54011
Instruction Fuzzy Hash: 3801AD21B0CA8391EB588B11E860ABA2360BF44BD4F8411B2D97F062DDDF3CD4A98300

Function 00007FFDFABB2620 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyMem_Malloc.PYTHON311(?,?,00000000,00007FFDFABB2565), ref: 00007FFDFABB262B
PyCapsule_New.PYTHON311(?,?,00000000,00007FFDFABB2565), ref: 00007FFDFABB2668
PyErr_NoMemory.PYTHON311(?,?,00000000,00007FFDFABB2565), ref: 00007FFDFABB3EF4
PyMem_Free.PYTHON311(?,?,00000000,00007FFDFABB2565), ref: 00007FFDFABB3F04

Strings

unicodedata._ucnhash_CAPI, xrefs: 00007FFDFABB265D

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Mem_$Capsule_Err_FreeMallocMemory
String ID: unicodedata._ucnhash_CAPI
API String ID: 3673501854-3989975041
Opcode ID: 1ac5af153bf2bbb2bda3b9d9d9136918d1f6bd182a880703478f12c765018ae7
Instruction ID: 15265c0af4fc5fcb57fae80ffcf42da681839a73949e19b82573a9992cdf8de7
Opcode Fuzzy Hash: 1ac5af153bf2bbb2bda3b9d9d9136918d1f6bd182a880703478f12c765018ae7
Instruction Fuzzy Hash: 84F01960B0DB4295EB498B11A86097A62A8BF18BC4FC411B3C86F067EDEE3CE044D310

Function 00007FF788788A40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF788788A65
GetProcAddress.KERNEL32 ref: 00007FF788788A7B
FreeLibrary.KERNEL32 ref: 00007FF788788AA2

Strings

mscoree.dll, xrefs: 00007FF788788A5C
CorExitProcess, xrefs: 00007FF788788A74

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 78a1a69aac29132cf000f84d0d5f993c26bceca4d1e4e1c3cfa2e89eec15c9a9
Instruction ID: c666a9d5e2b908501de8cdee70fa68fcf1dc633d4b262388b87e498d82d4d311
Opcode Fuzzy Hash: 78a1a69aac29132cf000f84d0d5f993c26bceca4d1e4e1c3cfa2e89eec15c9a9
Instruction Fuzzy Hash: 4DF04421649B0241FA206BA5EC45339D370BF4D761FA40635CA6E451E4DF3CD448D328

Function 00007FF788798824 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF78879884C
_set_statfp.LIBCMT ref: 00007FF788798867
_set_statfp.LIBCMT ref: 00007FF788798883
_set_statfp.LIBCMT ref: 00007FF7887988BF

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction ID: 59b09443ab64ea3fe7550b559d5a8a6516030b4a9c9b812a8b228bbe47d896bf
Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
Instruction Fuzzy Hash: D8118222EE8A0341F67431B8DC85775D1627F5C364EAA0638E97E4A7D7CE3CA840C138

Function 00007FF78878A9C0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF788789BD3,?,?,00000000,00007FF788789E6E,?,?,?,?,?,00007FF788781A40), ref: 00007FF78878A9DF
FlsSetValue.KERNEL32(?,?,?,00007FF788789BD3,?,?,00000000,00007FF788789E6E,?,?,?,?,?,00007FF788781A40), ref: 00007FF78878A9FE
FlsSetValue.KERNEL32(?,?,?,00007FF788789BD3,?,?,00000000,00007FF788789E6E,?,?,?,?,?,00007FF788781A40), ref: 00007FF78878AA26
FlsSetValue.KERNEL32(?,?,?,00007FF788789BD3,?,?,00000000,00007FF788789E6E,?,?,?,?,?,00007FF788781A40), ref: 00007FF78878AA37
FlsSetValue.KERNEL32(?,?,?,00007FF788789BD3,?,?,00000000,00007FF788789E6E,?,?,?,?,?,00007FF788781A40), ref: 00007FF78878AA48

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 358dba81be253043741c53dc9c404725d40e2bf31f5f8457cfbf7a8f66644627
Instruction ID: 802f2c5a33544dfaa7e8056ae98faaab89a9d532ac85a79af9f93c9419a1500d
Opcode Fuzzy Hash: 358dba81be253043741c53dc9c404725d40e2bf31f5f8457cfbf7a8f66644627
Instruction Fuzzy Hash: 99113D11A8864241FA58B3E59681279E5627F4C7F0FA44334E83E47AD6DE2CE841C62E

Function 00007FF78878F218 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF78878F4F7

Part of subcall function 00007FF7887954F4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF788795511

Strings

UTF-8, xrefs: 00007FF78878F476
UTF-16LEUNICODE, xrefs: 00007FF78878F495
ccs, xrefs: 00007FF78878F432

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: fa9c2c0b9e0b51f4f192ae3b8b8b95ed4a793ff286fdede4dba764f85164dfb1
Instruction ID: f0684abdd02a4338f954b7ef4c13df6dce0a2f628c8803bf8d87a9d48dd659a9
Opcode Fuzzy Hash: fa9c2c0b9e0b51f4f192ae3b8b8b95ed4a793ff286fdede4dba764f85164dfb1
Instruction Fuzzy Hash: B381A272E8820285F7A47EA5C154278F6B0BF19B84FF58032DA0DD7A95CB2DE941D32D

Function 00007FF78877D468 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF78877D4B4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF78877D503

Strings

MOC, xrefs: 00007FF78877D4C8
RCC, xrefs: 00007FF78877D4D1

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: f09742bcba9082defbae069630545238114b431a0e4fd7be58dd8469a5d7fef1
Instruction ID: ad112efbc37ef7d317ca95eb9a5265a97a9f9feed28a38ccb94fae0fec48a5b3
Opcode Fuzzy Hash: f09742bcba9082defbae069630545238114b431a0e4fd7be58dd8469a5d7fef1
Instruction Fuzzy Hash: FF618972A08A858AE710EFA5D4403ADBBB0FB49B8CF644235EE4D13B99DF38E055C714

Function 00007FF78877D7C4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF78877D7EC
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF78877D8D4

Strings

csm, xrefs: 00007FF78877D926
csm, xrefs: 00007FF78877D80E

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: a3990994d2fbb822c09bdc2a35b5fa2b647080e9aebb1a5b00e12dffe7bfe986
Instruction ID: 8156a7135d11b3983da4b8bb41441f8a6c55bf052b7976a82c4b763eaea7ec2d
Opcode Fuzzy Hash: a3990994d2fbb822c09bdc2a35b5fa2b647080e9aebb1a5b00e12dffe7bfe986
Instruction Fuzzy Hash: 7351A53294824286EB64BF519584378FBB0FB99B94FA44135DA9C47BDACF3CE450CB18

Function 00007FFDFABB1EF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311(?,?,?,?,?,00007FFDFABB1EDC), ref: 00007FFDFABB3B6F

Part of subcall function 00007FFDFABB1FD0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFABB2008
Part of subcall function 00007FFDFABB1FD0: strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFABB2026

PyErr_Format.PYTHON311 ref: 00007FFDFABB1F53

Strings

undefined character name '%s', xrefs: 00007FFDFABB1F46
name too long, xrefs: 00007FFDFABB3B65

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Err_strncmp$FormatString
String ID: name too long$undefined character name '%s'
API String ID: 3882229318-4056717002
Opcode ID: 8b8c9c862c8556266a26c0415d30d38fd4fd6db163ae40366dde064f1277ed55
Instruction ID: f017468a5964b05c92da4308cd7b607cbdcda71715d31e2f78f86f7c39374e6f
Opcode Fuzzy Hash: 8b8c9c862c8556266a26c0415d30d38fd4fd6db163ae40366dde064f1277ed55
Instruction Fuzzy Hash: C7112175B18947C1EB088B18E4A4AB56364FB88788FC405B2CA2E472E9DF7DE14AC701

Function 00007FF788772CD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,00007FF7887727C9,?,?,?,?,?,?), ref: 00007FF788772D01

Part of subcall function 00007FF788771CB0: GetLastError.KERNEL32(?,?,00000000,00007FF788776904,?,?,?,?,?,?,?,?,?,?,?,00007FF788771023), ref: 00007FF788771CD7

Strings

GetModuleFileNameW, xrefs: 00007FF788772D12
Failed to convert executable path to UTF-8., xrefs: 00007FF788772D3A
Failed to get executable path., xrefs: 00007FF788772D0B

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
API String ID: 2776309574-1977442011
Opcode ID: 7987a5ce4ff3c8cba7d8c38c60f2d05ca27952d1a3ea66f3204455115dc1ef10
Instruction ID: b1af1a631ab846f22043f40529ccae9c8aee66a3160260051db749d422291f88
Opcode Fuzzy Hash: 7987a5ce4ff3c8cba7d8c38c60f2d05ca27952d1a3ea66f3204455115dc1ef10
Instruction Fuzzy Hash: 11018420BAD64245FA61B7A0D8153F5D2B1BF5C3C0FE00031D84E8A296EE5CE104C738

Function 00007FF78878BBD0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF78878BC4F
WriteFile.KERNEL32 ref: 00007FF78878BF17
WriteFile.KERNEL32 ref: 00007FF78878BF5D
GetLastError.KERNEL32 ref: 00007FF78878C013

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 47f9f7c1e3185106a498671fedee26090088e719dd8e44b73d57f810765c87d4
Instruction ID: 38458e930b701bc0b968b256e6657084bfda7250781033b11bd36e2ea6650285
Opcode Fuzzy Hash: 47f9f7c1e3185106a498671fedee26090088e719dd8e44b73d57f810765c87d4
Instruction Fuzzy Hash: 81D1E072B18A8589E710DFA5D4402ACF7B5FB487D8BA04236CF5E97B99DE38D006C718

Function 00007FF78878C590 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF78878C57B), ref: 00007FF78878C6AC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF78878C57B), ref: 00007FF78878C737

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 1ee269c4fb3492fdab786e16ea0be33da994e1b3a3006f3c14cd8905a42bf150
Instruction ID: b7c63c867f519763324ee69e5fb5e301f308c2d8ef9c5d930bb629a3fe96844c
Opcode Fuzzy Hash: 1ee269c4fb3492fdab786e16ea0be33da994e1b3a3006f3c14cd8905a42bf150
Instruction Fuzzy Hash: B891A632F5865285F790AFA5948027DEBB0BB98B88FA44139DE0E57A84DF3CD441C72C

Function 00007FFDFABB1FD0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFABB2008
strncmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFDFABB2026

Strings

CJK UNIFIED IDEOGRAPH-, xrefs: 00007FFDFABB201C
HANGUL SYLLABLE , xrefs: 00007FFDFABB1FF5

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: strncmp
String ID: CJK UNIFIED IDEOGRAPH-$HANGUL SYLLABLE
API String ID: 1114863663-87138338
Opcode ID: 315690625b96ec968e0fd3bff09a411a7d33ab15bbea3d9f0de0a272eac0e1aa
Instruction ID: 2abcf0ba178413608c336c953fa78d00530a7d25c15f7b455bbcd9b9dfe66452
Opcode Fuzzy Hash: 315690625b96ec968e0fd3bff09a411a7d33ab15bbea3d9f0de0a272eac0e1aa
Instruction Fuzzy Hash: 7861E432B1864246E7688A19E820ABB7652FB807D0FC44276EA6D47ADDDF3CD501D700

Function 00007FFDFA9ABC74 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDFA9ABCA0
GetCurrentThreadId.KERNEL32 ref: 00007FFDFA9ABCAE
GetCurrentProcessId.KERNEL32 ref: 00007FFDFA9ABCBA
QueryPerformanceCounter.KERNEL32 ref: 00007FFDFA9ABCCA

Memory Dump Source

Source File: 00000002.00000002.1913785207.00007FFDFA421000.00000020.00000001.01000000.0000001F.sdmp, Offset: 00007FFDFA420000, based on PE: true

Associated: 00000002.00000002.1913742250.00007FFDFA420000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000002.00000002.1914321964.00007FFDFA9C7000.00000002.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000002.00000002.1914515560.00007FFDFAB4D000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000002.00000002.1914551642.00007FFDFAB53000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000002.00000002.1914590656.00007FFDFAB55000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000002.00000002.1914626915.00007FFDFAB57000.00000008.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000002.00000002.1914676005.00007FFDFAB5C000.00000004.00000001.01000000.0000001F.sdmpDownload File
Associated: 00000002.00000002.1914728512.00007FFDFAB60000.00000002.00000001.01000000.0000001F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfa420000_54Oa5PcvK1.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 94c9acafe10be122d2f397f1e5ea694c59c3688944f7c31b8d4002f49b5f86db
Instruction ID: 7c3ef1e7affff556deb2efcf76252a8f396c2c196ae9746f523b7a5a4007a340
Opcode Fuzzy Hash: 94c9acafe10be122d2f397f1e5ea694c59c3688944f7c31b8d4002f49b5f86db
Instruction Fuzzy Hash: E4113322B14F028AEB04CF61E8546B833B4F719758F840E31EA7D867A8EF78D154C340

Function 00007FFDFABB2C0C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDFABB2C38
GetCurrentThreadId.KERNEL32 ref: 00007FFDFABB2C46
GetCurrentProcessId.KERNEL32 ref: 00007FFDFABB2C52
QueryPerformanceCounter.KERNEL32 ref: 00007FFDFABB2C62

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 82f0f9c915ca38b27df9a13535bd7a8d6766dc117c9a79f3edaf6f20f04facae
Instruction ID: f338031b719f15389a566370f575bd24c0a517ee6bc992bff48d930f044a221f
Opcode Fuzzy Hash: 82f0f9c915ca38b27df9a13535bd7a8d6766dc117c9a79f3edaf6f20f04facae
Instruction Fuzzy Hash: 25115236B18F0589EB00CF60E8646B933A4FB59758F840E31DA6D477A8DF7CD1998380

Function 00007FF788794DBC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF788790920: _invalid_parameter_noinfo.LIBCMT ref: 00007FF788790953

_get_daylight.LIBCMT ref: 00007FF788794ED4
_get_daylight.LIBCMT ref: 00007FF788794EE5

Strings

?, xrefs: 00007FF788794E65

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 7a76fc5472fa01dafaf21516cddcde8ab34b2c46cd3e7f8dd598f321934e5d52
Instruction ID: 7539351b4ab64d9876b8dcda744cf2b9b933c6fb9fc82d9e17eb1da383ecea6f
Opcode Fuzzy Hash: 7a76fc5472fa01dafaf21516cddcde8ab34b2c46cd3e7f8dd598f321934e5d52
Instruction Fuzzy Hash: 20411E32AA828241FB64ABB59841379D670FF88BA4F744235EE5C07AD5DF3CD481C718

Function 00007FF788787FD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF788788002

Part of subcall function 00007FF788789F78: HeapFree.KERNEL32(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F8E
Part of subcall function 00007FF788789F78: GetLastError.KERNEL32(?,?,?,00007FF788791EC2,?,?,?,00007FF788791EFF,?,?,00000000,00007FF7887923C5,?,?,00000000,00007FF7887922F7), ref: 00007FF788789F98

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF78877A485), ref: 00007FF788788020

Strings

C:\Users\user\Desktop\54Oa5PcvK1.exe, xrefs: 00007FF78878800E

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\54Oa5PcvK1.exe
API String ID: 3580290477-651273546
Opcode ID: 83176ff4db4dd0536c3ddf35c800fe3e17928d2d4ec44ff73abd72510ae6e28f
Instruction ID: 1483f088819f5974ab432a7c47e80e1c4356b374feab3c595140be73758f7dfc
Opcode Fuzzy Hash: 83176ff4db4dd0536c3ddf35c800fe3e17928d2d4ec44ff73abd72510ae6e28f
Instruction Fuzzy Hash: 83416132A8864285F714AF61D8411B9F3B5FF487D4BA44035EA4E47B95DF3DE441C328

Function 00007FF78878C268 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF78878C37F
GetLastError.KERNEL32 ref: 00007FF78878C3A1

Strings

U, xrefs: 00007FF78878C32B

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 3868b3aae24abb70b6c7ced641cfa87b6d54125405e373b4c87f7bfc476be08b
Instruction ID: bcb166d6383145293a162039711eae07cfbb0c43253169c4642e0515b071c31b
Opcode Fuzzy Hash: 3868b3aae24abb70b6c7ced641cfa87b6d54125405e373b4c87f7bfc476be08b
Instruction Fuzzy Hash: 2741C722B18A4185EB60EFA5E8443AAF770FB98794FA44031EE4D87B98DF3CD441D758

Function 00007FF78878E588 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF78878E5C8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF78878E61A

Strings

:, xrefs: 00007FF78878E5DE

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 69729114f07132f4e5c02582f69e799d97905c52b16ff4e3b4ac21f165a3e13d
Instruction ID: 86500980749a7816713edb6f60d477c2796ef1b2fc5f1327337b21982cc93d38
Opcode Fuzzy Hash: 69729114f07132f4e5c02582f69e799d97905c52b16ff4e3b4ac21f165a3e13d
Instruction Fuzzy Hash: 9B21CE63B4828181EB20AB51D44426EF3B2FB88B84FE58035DA8D43285DF7CE945CB69

Function 00007FF78877E310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF78877E354
RaiseException.KERNEL32 ref: 00007FF78877E39A

Strings

csm, xrefs: 00007FF78877E387

Memory Dump Source

Source File: 00000002.00000002.1913154019.00007FF788771000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF788770000, based on PE: true

Associated: 00000002.00000002.1913115625.00007FF788770000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913206046.00007FF78879A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913250192.00007FF7887BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.1913360795.00007FF7887BE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff788770000_54Oa5PcvK1.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: ee4cd62d6736e0f26efa3482034fbaa09f2706f16dc7c85cfdea4997af4e44da
Instruction ID: ea91264fd502427c9ef1cd79e84088bbe0f759e19e62bcf86cfd2f365a4b2b34
Opcode Fuzzy Hash: ee4cd62d6736e0f26efa3482034fbaa09f2706f16dc7c85cfdea4997af4e44da
Instruction Fuzzy Hash: 17113A32648B4182EB209F25F940269F7B4FB88B84F684231EE8D07768DF3CD551CB04

Function 00007FFDFABB4C04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

PyErr_SetString.PYTHON311 ref: 00007FFDFABB4C54
PyUnicode_FromString.PYTHON311 ref: 00007FFDFABB4C6B

Strings

no such name, xrefs: 00007FFDFABB4C4A

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: String$Err_FromUnicode_
String ID: no such name
API String ID: 3678473424-4211486178
Opcode ID: 3cee85899810c21b61c883871248d1595a37fae7423a3e6c68c232458049210f
Instruction ID: 2f78aaf6e7d50b2fa2bbc26c1fbdf9805c23790cde1325f5ab9b02681461f62c
Opcode Fuzzy Hash: 3cee85899810c21b61c883871248d1595a37fae7423a3e6c68c232458049210f
Instruction Fuzzy Hash: 84016D75B1CA4291EB659B11E831BBA6364BF98B84F800072DE6E467E9DF2CE1059600

Function 00007FFDFABB25B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_PyObject_GC_New.PYTHON311(?,?,00000000,00007FFDFABB2533), ref: 00007FFDFABB25B6
PyObject_GC_Track.PYTHON311(?,?,00000000,00007FFDFABB2533), ref: 00007FFDFABB25E8

Strings

3.2.0, xrefs: 00007FFDFABB25C4

Memory Dump Source

Source File: 00000002.00000002.1914858610.00007FFDFABB1000.00000020.00000001.01000000.0000001E.sdmp, Offset: 00007FFDFABB0000, based on PE: true

Associated: 00000002.00000002.1914813035.00007FFDFABB0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFABB5000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC12000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC5E000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC61000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFAC66000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1914898478.00007FFDFACC0000.00000002.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915209099.00007FFDFACC3000.00000004.00000001.01000000.0000001E.sdmpDownload File
Associated: 00000002.00000002.1915272815.00007FFDFACC5000.00000002.00000001.01000000.0000001E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ffdfabb0000_54Oa5PcvK1.jbxd

Similarity

API ID: Object_$Track
String ID: 3.2.0
API String ID: 16854473-1786766648
Opcode ID: 767dd7ab98994f43239e4e329e749c2ad7475791c86a6fb4d160e6b955e6c056
Instruction ID: a05a7b89d2e8f77ec76d9ecc8952251df4b852e223b5625aacaa34d6d6bc15f6
Opcode Fuzzy Hash: 767dd7ab98994f43239e4e329e749c2ad7475791c86a6fb4d160e6b955e6c056
Instruction Fuzzy Hash: B8E0ED24B09B0695EB198B11A86046A22A8BF08784BC402B6CD6E023A8EF3CE165D240

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 54Oa5PcvK1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_pkcs1_decode.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_des3.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ecb.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_eksblowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ocb.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Cipher\_raw_ofb.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_BLAKE2b.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_BLAKE2s.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD2.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD4.pyd

C:\Users\user\AppData\Local\Temp\_MEI67562\Crypto\Hash\_MD5.pyd

Windows Analysis Report
54Oa5PcvK1.exe