Edit tour

Windows Analysis Report
whacipher.exe

Overview

General Information

Sample name:	whacipher.exe
Analysis ID:	1578121
MD5:	1d64b1fae7b82fd77ad5ac9cafa76ad7
SHA1:	a475f87f97f608e29244b8d0e48a01fc9374d6f3
SHA256:	809fdf92ceb7a6a7534274871517bfbd3f397ade588510f222c11d3a8caf5ac1
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found pyInstaller with non standard icon

Machine Learning detection for sample

Creates a process in suspended mode (likely to inject code)

Drops PE files

Found dropped PE file which has not been started or loaded

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

whacipher.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\whacipher.exe" MD5: 1D64B1FAE7B82FD77AD5AC9CAFA76AD7)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

whacipher.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\whacipher.exe" MD5: 1D64B1FAE7B82FD77AD5AC9CAFA76AD7)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: whacipher.exe

Joe Sandbox ML: detected

Source: whacipher.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: whacipher.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1385141733.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1385411425.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: _multiprocessing.pyd.0.dr
Source:	Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382049842.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-String-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383113634.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: whacipher.exe, 00000000.00000003.1381835689.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: ucrtbase.pdb source: whacipher.exe, 00000003.00000002.1406782720.000000006D5E1000.00000020.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_decimal.pdb%% source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: _ssl.pyd.0.dr
Source:	Binary string: API-MS-Win-Core-Profile-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382957453.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Heap-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382121992.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1384167994.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1386459368.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-ProcessEnvironment-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382735690.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\9\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: whacipher.exe, 00000003.00000002.1407128949.000000006EBC1000.00000020.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Synch-L1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-NamedPipe-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382671987.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-ProcessThreads-L1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383869878.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\win32\pyexpat.pdb source: pyexpat.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: libcrypto-1_1.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1405865964.000000006D18E000.00000002.00000001.01000000.0000000B.sdmp, _bz2.pyd.0.dr
Source:	Binary string: API-MS-Win-Core-Memory-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382613234.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: API-MS-Win-Core-LibraryLoader-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382269445.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1407009408.000000006E963000.00000002.00000001.01000000.00000007.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383772967.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_asyncio.pdb source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, _asyncio.pyd.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: libssl-1_1.dll.0.dr
Source:	Binary string: ucrtbase.pdbUGP source: whacipher.exe, 00000003.00000002.1406782720.000000006D5E1000.00000020.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_socket.pdb source: whacipher.exe, 00000003.00000002.1406123056.000000006D1B9000.00000002.00000001.01000000.00000009.sdmp, _socket.pyd.0.dr
Source:	Binary string: API-MS-Win-Core-Memory-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382613234.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: API-MS-Win-Core-Heap-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382121992.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\python38.pdb source: whacipher.exe, 00000003.00000002.1406447713.000000006D4F3000.00000002.00000001.01000000.00000005.sdmp, python38.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1388342282.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Util-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383607698.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1381526332.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-String-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1383113634.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: whacipher.exe, 00000003.00000002.1405680410.000000006D16E000.00000002.00000001.01000000.0000000C.sdmp, _lzma.pyd.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: whacipher.exe, 00000000.00000003.1383330279.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-File-L1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-File-L1-1-0.pdb3 source: api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Console-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1381439683.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: whacipher.exe, 00000003.00000002.1405680410.000000006D16E000.00000002.00000001.01000000.0000000C.sdmp, _lzma.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_queue.pdb source: _queue.pyd.0.dr
Source:	Binary string: API-MS-Win-Core-ProcessEnvironment-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382735690.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: API-MS-Win-Core-NamedPipe-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382671987.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383673946.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1i 8 Dec 2020built on: Tue Jan 5 20:17:31 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-SysInfo-L1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-ErrorHandling-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1381676123.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: whacipher.exe, 00000000.00000003.1382505777.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Debug-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1381603485.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1381526332.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Interlocked-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382202466.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: whacipher.exe, 00000000.00000003.1382864190.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Util-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1383607698.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382049842.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1388607848.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383511406.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-RtlSupport-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383017453.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-LibraryLoader-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382269445.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: whacipher.exe, 00000000.00000003.1381940800.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-SysInfo-L1-1-0.pdb3 source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1385318130.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\select.pdb source: whacipher.exe, 00000003.00000002.1406004346.000000006D1A3000.00000002.00000001.01000000.0000000A.sdmp, select.pyd.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb@@ source: libssl-1_1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Profile-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382957453.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: _hashlib.pyd.0.dr
Source:	Binary string: API-MS-Win-Core-ProcessThreads-L1-1-0.pdb3 source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-ErrorHandling-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1381676123.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Console-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1381439683.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1384267660.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr

Source: whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400061018.000000000324A000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402366799.000000000324B000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401725890.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400259066.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402321800.0000000003230000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402345967.0000000003247000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400186676.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399911519.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003231000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: whacipher.exe, 00000000.00000003.1389017977.0000000001069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCer
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1391585860.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379292769.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389523114.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381194296.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378775868.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1390473545.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379791975.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378617206.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379450118.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378471136.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389017977.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1380235680.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1392149464.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378948220.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379105907.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389664462.0000000001069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: whacipher.exe, 00000000.00000003.1379105907.0000000001069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredI
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1391585860.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389523114.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _lzma.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379292769.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381194296.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378775868.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1390473545.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379791975.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378617206.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378471136.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1392149464.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378948220.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: whacipher.exe, 00000000.00000003.1379450118.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389017977.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379105907.0000000001069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digi
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1391585860.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389523114.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1380235680.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389664462.0000000001069000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379292769.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381194296.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378775868.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1390473545.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379791975.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378617206.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379450118.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378471136.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389017977.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1380235680.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1392149464.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378948220.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379105907.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389664462.0000000001069000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1391585860.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389523114.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379292769.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381194296.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378775868.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1390473545.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379791975.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378617206.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378471136.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389017977.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1392149464.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378948220.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379105907.0000000001069000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digice
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1391585860.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379292769.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389523114.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381194296.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378775868.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1390473545.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379791975.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378617206.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379450118.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378471136.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389017977.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1380235680.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1392149464.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378948220.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379105907.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389664462.0000000001069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1391585860.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389523114.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _lzma.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379292769.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381194296.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378775868.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1390473545.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379791975.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378617206.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378471136.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389017977.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1392149464.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378948220.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379105907.0000000001069000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402321800.0000000003230000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399911519.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400061018.000000000324A000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402366799.000000000324B000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401725890.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400259066.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: whacipher.exe, 00000003.00000003.1400235097.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399665779.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401725890.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400259066.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402196593.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401970282.0000000001270000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402286680.0000000003190000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402252822.0000000003150000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399911519.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398070634.0000000000F53000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402163140.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401420738.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1391585860.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379292769.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389523114.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381194296.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378775868.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1390473545.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379791975.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378617206.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379450118.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378471136.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389017977.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1380235680.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1392149464.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378948220.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379105907.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389664462.0000000001069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1391585860.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389523114.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, pyexpat.pyd.0.dr, _ctypes.pyd.0.dr, _multiprocessing.pyd.0.dr, _hashlib.pyd.0.dr, libssl-1_1.dll.0.dr, _asyncio.pyd.0.dr, libcrypto-1_1.dll.0.dr, _bz2.pyd.0.dr, _queue.pyd.0.dr, _lzma.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379292769.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381194296.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378775868.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1390473545.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379791975.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378617206.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378471136.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389017977.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1392149464.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378948220.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379105907.0000000001069000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: python38.dll.0.dr	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: whacipher.exe, 00000003.00000003.1399981772.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401776442.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399911519.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: whacipher.exe, 00000003.00000003.1400109791.0000000003330000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402196593.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400259066.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400061018.000000000324A000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402366799.000000000324B000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402345967.0000000003247000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400186676.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003231000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379292769.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381194296.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378775868.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1390473545.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379791975.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378617206.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378471136.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389017977.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1392149464.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378948220.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379105907.0000000001069000.00000004.00000020.00020000.00000000.sdmp, python38.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: whacipher.exe, 00000003.00000002.1402196593.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1397264523.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: whacipher.exe, 00000003.00000002.1402085681.0000000001890000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1395566031.0000000000F02000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1395507600.0000000000F02000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400061018.000000000324A000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402366799.000000000324B000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402345967.0000000003247000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400186676.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: whacipher.exe, 00000003.00000003.1400109791.0000000003330000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402286680.0000000003190000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402252822.0000000003150000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399511392.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/B16f00t
Source: whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399911519.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402345967.0000000003247000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400186676.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003231000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1391585860.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379292769.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389523114.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381194296.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378775868.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1390473545.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379791975.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378617206.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379450118.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378471136.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389017977.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1380235680.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1392149464.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378948220.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1381019665.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379105907.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389664462.0000000001069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400259066.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr	String found in binary or memory: https://www.openssl.org/H

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1382613234.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1382121992.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1382957453.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1383607698.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1378281722.000000000105C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1383017453.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1381676123.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1381603485.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1382269445.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1381751159.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1392149464.0000000001069000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1382735690.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1383113634.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1382049842.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1381439683.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1381526332.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1382671987.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1378310284.0000000001069000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs whacipher.exe
Source: whacipher.exe, 00000000.00000003.1382202466.0000000001061000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs whacipher.exe
Source: whacipher.exe, 00000003.00000002.1406902180.000000006D6B6000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs whacipher.exe
Source: whacipher.exe, 00000003.00000002.1407169814.000000006EBD1000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs whacipher.exe
Source: whacipher.exe, 00000003.00000002.1406166226.000000006D1C0000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs whacipher.exe
Source: whacipher.exe, 00000003.00000002.1405946525.000000006D193000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs whacipher.exe
Source: whacipher.exe, 00000003.00000002.1406685634.000000006D5B1000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamepython38.dll. vs whacipher.exe
Source: whacipher.exe, 00000003.00000002.1405768846.000000006D175000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs whacipher.exe
Source: whacipher.exe, 00000003.00000002.1407081151.000000006E96B000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs whacipher.exe
Source: whacipher.exe, 00000003.00000002.1406042439.000000006D1A6000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs whacipher.exe

Source: whacipher.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.winEXE@4/97@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03

Source: C:\Users\user\Desktop\whacipher.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI76202

Jump to behavior

Source: whacipher.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\whacipher.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\whacipher.exe

File read: C:\Users\user\Desktop\whacipher.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\whacipher.exe "C:\Users\user\Desktop\whacipher.exe"
Source: C:\Users\user\Desktop\whacipher.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\whacipher.exe	Process created: C:\Users\user\Desktop\whacipher.exe "C:\Users\user\Desktop\whacipher.exe"
Source: C:\Users\user\Desktop\whacipher.exe	Process created: C:\Users\user\Desktop\whacipher.exe "C:\Users\user\Desktop\whacipher.exe"	Jump to behavior

Source: C:\Users\user\Desktop\whacipher.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\whacipher.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: whacipher.exe

Static file information: File size 7646565 > 1048576

Source: whacipher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: whacipher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: whacipher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: whacipher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: whacipher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: whacipher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: whacipher.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: whacipher.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1385141733.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1385411425.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_multiprocessing.pdb source: _multiprocessing.pyd.0.dr
Source:	Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382049842.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-String-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383113634.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: whacipher.exe, 00000000.00000003.1381835689.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.0.dr
Source:	Binary string: ucrtbase.pdb source: whacipher.exe, 00000003.00000002.1406782720.000000006D5E1000.00000020.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_decimal.pdb%% source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_ssl.pdb source: _ssl.pyd.0.dr
Source:	Binary string: API-MS-Win-Core-Profile-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382957453.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Heap-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382121992.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1384167994.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1386459368.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-ProcessEnvironment-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382735690.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\9\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: whacipher.exe, 00000003.00000002.1407128949.000000006EBC1000.00000020.00000001.01000000.00000006.sdmp, VCRUNTIME140.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Synch-L1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-NamedPipe-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382671987.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-ProcessThreads-L1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383869878.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\win32\pyexpat.pdb source: pyexpat.pyd.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: libcrypto-1_1.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_bz2.pdb source: whacipher.exe, 00000000.00000003.1378589703.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1405865964.000000006D18E000.00000002.00000001.01000000.0000000B.sdmp, _bz2.pyd.0.dr
Source:	Binary string: API-MS-Win-Core-Memory-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382613234.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: API-MS-Win-Core-LibraryLoader-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382269445.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\win32\_ctypes.pdb source: whacipher.exe, 00000000.00000003.1378750534.000000000105C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1407009408.000000006E963000.00000002.00000001.01000000.00000007.sdmp, _ctypes.pyd.0.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383772967.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_asyncio.pdb source: whacipher.exe, 00000000.00000003.1378444408.000000000105C000.00000004.00000020.00020000.00000000.sdmp, _asyncio.pyd.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: libssl-1_1.dll.0.dr
Source:	Binary string: ucrtbase.pdbUGP source: whacipher.exe, 00000003.00000002.1406782720.000000006D5E1000.00000020.00000001.01000000.00000004.sdmp, ucrtbase.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_socket.pdb source: whacipher.exe, 00000003.00000002.1406123056.000000006D1B9000.00000002.00000001.01000000.00000009.sdmp, _socket.pyd.0.dr
Source:	Binary string: API-MS-Win-Core-Memory-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382613234.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: API-MS-Win-Core-Heap-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382121992.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\python38.pdb source: whacipher.exe, 00000003.00000002.1406447713.000000006D4F3000.00000002.00000001.01000000.00000005.sdmp, python38.dll.0.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1388342282.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-time-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Util-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383607698.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1381526332.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-String-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1383113634.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\win32\_lzma.pdbOO source: whacipher.exe, 00000003.00000002.1405680410.000000006D16E000.00000002.00000001.01000000.0000000C.sdmp, _lzma.pyd.0.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: whacipher.exe, 00000000.00000003.1383330279.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-File-L1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-File-L1-1-0.pdb3 source: api-ms-win-core-file-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Console-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1381439683.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_lzma.pdb source: whacipher.exe, 00000003.00000002.1405680410.000000006D16E000.00000002.00000001.01000000.0000000C.sdmp, _lzma.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_queue.pdb source: _queue.pyd.0.dr
Source:	Binary string: API-MS-Win-Core-ProcessEnvironment-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382735690.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: API-MS-Win-Core-NamedPipe-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382671987.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383673946.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1i 8 Dec 2020built on: Tue Jan 5 20:17:31 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-SysInfo-L1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-ErrorHandling-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1381676123.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: whacipher.exe, 00000000.00000003.1382505777.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-localization-l1-2-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Debug-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1381603485.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1381526332.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Interlocked-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382202466.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: whacipher.exe, 00000000.00000003.1382864190.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Util-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1383607698.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382049842.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1388607848.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383511406.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-RtlSupport-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1383017453.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-LibraryLoader-L1-1-0.pdb3 source: whacipher.exe, 00000000.00000003.1382269445.0000000001061000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: whacipher.exe, 00000000.00000003.1381940800.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-SysInfo-L1-1-0.pdb3 source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1385318130.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\select.pdb source: whacipher.exe, 00000003.00000002.1406004346.000000006D1A3000.00000002.00000001.01000000.0000000A.sdmp, select.pyd.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb@@ source: libssl-1_1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Profile-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1382957453.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_decimal.pdb source: _decimal.pyd.0.dr
Source:	Binary string: D:\a\1\b\bin\win32\_hashlib.pdb source: _hashlib.pyd.0.dr
Source:	Binary string: API-MS-Win-Core-ProcessThreads-L1-1-0.pdb3 source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-ErrorHandling-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1381676123.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-Console-L1-1-0.pdb source: whacipher.exe, 00000000.00000003.1381439683.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: whacipher.exe, 00000000.00000003.1384267660.0000000001061000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-heap-l1-1-0.dll.0.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.0.dr

Source: whacipher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: whacipher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: whacipher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: whacipher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: whacipher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\whacipher.exe

Process created: "C:\Users\user\Desktop\whacipher.exe"

Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\python38.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\whacipher.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file

Source: whacipher.exe, 00000003.00000003.1397097483.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399463575.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400478054.0000000000F0C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401597217.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400275689.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1396793701.0000000000F0B000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1397264523.0000000000EDB000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399707781.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399354331.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo

Source: C:\Users\user\Desktop\whacipher.exe

Process created: C:\Users\user\Desktop\whacipher.exe "C:\Users\user\Desktop\whacipher.exe"

Jump to behavior

Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\ucrtbase.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\Desktop\whacipher.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whacipher.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\whacipher.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Process Injection	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
whacipher.exe	3%	ReversingLabs
whacipher.exe	4%	Virustotal	Browse
whacipher.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-console-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-datetime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-debug-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-errorhandling-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-file-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-libraryloader-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-localization-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-memory-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-namedpipe-l1-1-0.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf	whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402345967.0000000003247000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400186676.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003231000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	false	high
http://python.org/dev/peps/pep-0263/	python38.dll.0.dr	false	high
http://www.tarsnap.com/scrypt/scrypt-slides.pdf	whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402345967.0000000003247000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400186676.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	false	high
http://tools.ietf.org/html/rfc5869	whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400259066.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	false	high
http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html	whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400061018.000000000324A000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402366799.000000000324B000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401725890.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400259066.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402321800.0000000003230000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402345967.0000000003247000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400186676.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399911519.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003231000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	false	high
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf	whacipher.exe, 00000003.00000003.1400235097.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399665779.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401725890.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400259066.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402196593.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401970282.0000000001270000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402286680.0000000003190000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402252822.0000000003150000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399911519.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398070634.0000000000F53000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402163140.00000000030B0000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401420738.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp	false	high
https://tools.ietf.org/html/rfc5297	whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402345967.0000000003247000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400186676.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003231000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.openssl.org/H	libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr	false	high
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf	whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402321800.0000000003230000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	false	high
http://tools.ietf.org/html/rfc5297	whacipher.exe, 00000003.00000003.1400109791.0000000003330000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402196593.00000000030F0000.00000004.00001000.00020000.00000000.sdmp	false	high
https://www.ietf.org/rfc/rfc2898.txt	whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400259066.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	false	high
http://tools.ietf.org/html/rfc4880	whacipher.exe, 00000003.00000003.1399981772.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401776442.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399911519.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	false	high
http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm	whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400061018.000000000324A000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402366799.000000000324B000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	false	high
https://tools.ietf.org/html/rfc3610	whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399911519.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl4.digice	whacipher.exe, 00000000.00000003.1389892484.0000000001069000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.python.org/dev/peps/pep-0205/	whacipher.exe, 00000003.00000002.1402196593.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1397264523.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	false	high
https://github.com/B16f00t	whacipher.exe, 00000003.00000003.1400109791.0000000003330000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402286680.0000000003190000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402252822.0000000003150000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399511392.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.rfc-editor.org/info/rfc7253	whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400061018.000000000324A000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402366799.000000000324B000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl3.digi	whacipher.exe, 00000000.00000003.1379450118.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1389017977.0000000001069000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000000.00000003.1379105907.0000000001069000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.python.org/download/releases/2.3/mro/.	whacipher.exe, 00000003.00000002.1402085681.0000000001890000.00000004.00001000.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1395566031.0000000000F02000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1395507600.0000000000F02000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr	false	high
http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf	whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399911519.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	false	high
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf	whacipher.exe, 00000003.00000003.1399632030.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398841548.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399964070.0000000000F52000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400061018.000000000324A000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398304412.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399330792.0000000000F47000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1402366799.000000000324B000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398790737.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000002.1401725890.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1400259066.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398603345.0000000003233000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399219117.0000000000F45000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1398703307.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399833797.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399860193.0000000003246000.00000004.00000020.00020000.00000000.sdmp, whacipher.exe, 00000003.00000003.1399125009.0000000003245000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578121
Start date and time:	2024-12-19 09:28:47 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	whacipher.exe
Detection:	MAL
Classification:	mal48.winEXE@4/97@0/0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	s3hvuz3XS0.exe	Get hash	malicious	Cryptbot	Browse	13.107.246.63
	661fW9gxDp.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	https://forms.office.com/Pages/ShareFormPage.aspx?id=z5Knz2h3QUOIV4F1TCr6H8l1dBxA_RZAr7lBOGCmz8VURUlLQURGTlFGTEQ0QzdESlFMT1lGUlpRWi4u&sharetoken=rKEHIuU7H8od3T6m0C0Z	Get hash	malicious	Unknown	Browse	13.107.246.63
	S6oj0LoSiL.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	pM3fQBuTLy.exe	Get hash	malicious	Vidar	Browse	13.107.246.63
	NVkyG9HAeY.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	13.107.246.63
	SEPTobn3BR.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.246.63
	Brooming.vbs	Get hash	malicious	Remcos, GuLoader	Browse	13.107.246.63
	Gosjeufon.cpl.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	#U0421#U043a#U0430#U043d-#U043a#U043e#U043fi#U044f #U041f#U0430#U0441#U043f#U043e#U0440#U0442.vbs	Get hash	malicious	SmokeLoader	Browse	13.107.246.63

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_ARC4.pyd	TwoToneDetect73.zip	Get hash	malicious	Unknown	Browse
	flash_download_tool_3.9.2.exe	Get hash	malicious	Unknown	Browse
	flash_download_tool.exe	Get hash	malicious	Unknown	Browse
	walletconnect.exe	Get hash	malicious	Zeznzo	Browse
	Trustwallet.exe	Get hash	malicious	DemonWare	Browse
	key.exe	Get hash	malicious	Unknown	Browse
	system.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_ARC4.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	4.924658143729345
Encrypted:	false
SSDEEP:	192:QgWTz1rdafmU6LiGo4AljOFlBxAfvJk77kc:dSMWLe4gjaLxp77
MD5:	689471DB70AEAA631DA9F6930A8D79D7
SHA1:	FDDCC93E9F25D2FC54E81E2E4E1044D4E72747F5
SHA-256:	372CFB25808778C1DEEF0C08DADF23A978541C6ECEB755C851A2120A3A975579
SHA-512:	A58072FE0FF950A007BD49697D5B00D356CA30096B4A31F5936C555C3974F2CB6C1F800661800373A71C1137F2C686AF8228AC1160CF1CBEE9427FF6DEEFA8A3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: TwoToneDetect73.zip, Detection: malicious, Browse Filename: flash_download_tool_3.9.2.exe, Detection: malicious, Browse Filename: flash_download_tool.exe, Detection: malicious, Browse Filename: walletconnect.exe, Detection: malicious, Browse Filename: Trustwallet.exe, Detection: malicious, Browse Filename: key.exe, Detection: malicious, Browse Filename: system.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ue..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!................Q........ ...............................`............@.........................P$.......$..d....@.......................P..<.... ............................... ..@............ ..t............................text...c........................... ..`.rdata..J.... ......................@..@.data........0......................@....rsrc........@....... ..............@..@.reloc..<....P......."..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_Salsa20.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.328221612505345
Encrypted:	false
SSDEEP:	192:QwszVKdafmnRrCW4oQWCjO2oWlq5or5YqTLTq3b5t1Jk77Icj:in4Rr+oAjltz5YOui77T
MD5:	4EED72D58F1D7352FB9BE1A2002426E7
SHA1:	2D9541180E3D9F06C443893FAD9590916FE75408
SHA-256:	1E5E636E4EADFF5BA9305DB001FE208C5E58E64AA0F2DF3239782B44A9F3C68B
SHA-512:	D197E09312D0EAA4B32B0C49E963FC2862FF66C1E85E2A10D26AE4924C1D47A78EB24ED0A3EA4C9AC8E1F108B6AB2A95500E8CAE19AA8DAF98F6EB372949C1AE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ue..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!................Q........0...............................p............@..........................4......X5..d....P.......................`..L....0...............................0..@............0..t............................text...5........................... ..`.rdata.......0......................@..@.data........@.......&..............@....rsrc........P.......(..............@..@.reloc..L....`.......*..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_chacha20.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	5.392494400570155
Encrypted:	false
SSDEEP:	192:QtDzVrdafmnRrCW4oQWCjOUqP1xTWC80JuCUOh9lk8Jk7bsc:4s4Rr+oAjTw1d6C9947b
MD5:	954FFB5C956123996064637CCAC1385D
SHA1:	8E699C11B2FC90A22843970E0769A9931C811689
SHA-256:	F60F282149916D193FC108EB161975CDB304D0373035D274C4B18CBABB6780E2
SHA-512:	CC4DEB62EC7129AD269E62D0FBBDD1683050916E1325FFEBF29D8DA043DBE0D36F0C4A851B135C41F700F88E39EF4D7AEE905D8A98678BAD89DF40022C86A1E2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ue..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!................Q........0...............................p............@.........................P4.......5..d....P.......................`..P....0...............................0..@............0..t............................text...%........................... ..`.rdata..v....0......................@..@.data........@.......$..............@....rsrc........P.......&..............@..@.reloc..P....`.......(..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_aes.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	30720
Entropy (8bit):	6.893859004703657
Encrypted:	false
SSDEEP:	768:4nqV2dbWauyUARtVn2KNS4j9d0th9VgbT:4qVyuKNS4X0r92b
MD5:	A42ADEBFA6DCD49C530483F9D0E2351B
SHA1:	38F7C42B7D110750C8E94B75ED4509DA574DB38F
SHA-256:	B288A7638D62B58C57791FFDB355E724D5FE933D31D006E50BA67B24793189E5
SHA-512:	E71D484C1643F38195EBCC555DEF6AD537003675CEEEC55C7B059A04AC54379C9AFDB13B8DF3EF4CAA70D35404FF27D7497F6E8FC17FC0EDD95364C1F8FCFC27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ue..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!.....8...>......Q........P............................................@..........................\|.......}..d...............................p....x...............................y..@............P..t............................text....6.......8.................. ..`.rdata..v0...P...2...<..............@..@.data................n..............@....rsrc................p..............@..@.reloc..p............r..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_aesni.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	5.505870384170189
Encrypted:	false
SSDEEP:	192:mqksVFsAafm0hoKYMI4T4q0O4jOCWUt1W2HAdf7oY/kH+gJk76jYUZc:DMJhoKKVqMjQUHA0+/76jYU
MD5:	441C89AA6E3E63C56B68F799645A7427
SHA1:	83B9DFD3F54ED1881847FA4CA8C3CAA833C6AED7
SHA-256:	96C5B53DEB143A8C7D76402AFBC37382451920D87408F446D46A3F4B501D407A
SHA-512:	F1EC9D1DFF045AFE4CA931BAC75222F87250F3C1750A69E6FF59FDCB32078A15FB7F9A72110ACC0AC84C4560157C9F04F255D15E0FD7A9E3E4F32621EB710CF3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Uw..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..................PE..L.....!`...........!..... ..........Q........0...............................p............@..........................4......$5..d....P.......................`.......0...............................0..@............0...............................text...m........ .................. ..`.rdata.......0.......$..............@..@.data........@......................@....rsrc........P.......0..............@..@.reloc.......`.......2..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_arc2.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	6.0700034816506125
Encrypted:	false
SSDEEP:	192:5ZOKlxsafm2gvnmIsE4YjuiljOs9bShQuo6qIjSWALsT0krPhMP+Z0TqWSoUXtUu:SSTVgvxsT0jN+JkQVITqoyk7g
MD5:	76F2CF0AF6C649849472DA927D598C7F
SHA1:	F2262663644C581DE5E32A57AB91B98FBD10A9B1
SHA-256:	BDE7E8C2FDEB3877DCC0BC37164246988F9A674F1A784C99DC76B963E72CF018
SHA-512:	3186D618306D22EF011C4CA0E1CD96A98E8F3FD42913E3BDAA4F711F00F15AED7B5E6C38E56BD3063EE1716B0805253FDB466796D0B38B2A9683D436AB90A8DC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Uc..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..................PE..L.....!`...........!.....&..........Q........@............................................@..........................E...... F..d....`.......................p..`....A...............................A..@............@..x............................text....%.......&.................. ..`.rdata.......@.......*..............@..@.data........P.......4..............@....rsrc........`.......6..............@..@.reloc..`....p.......8..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_blowfish.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	6.473475641837676
Encrypted:	false
SSDEEP:	384:vSr1g/OMTUjXYevbteraLwpJgLa0Mp8i7g:vSr2OoOYmbtkaLygLa1pg
MD5:	2AF0062586F95AC18329D5801313D98F
SHA1:	2B93614165F3B7666C132A5059F8E6AA664EE443
SHA-256:	377A5E8C1D242846C2208E21627E5E179A52D3EC9687992E7E9B03379C32251D
SHA-512:	B0BEBDCEAAFF84BBD0848C9C6CD1A941ACEF7498B7BD63D351CD1BB7874A0BBE0F020624D6DE1237931E1133619E4B191DF73EAF31C1BBF0A112BF74DA7BFD04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Uc..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..................PE..L.....!`...........!........."......Q........0............................................@..........................D......pE..d....`.......................p..\|....@...............................A..@............0..x............................text...3........................... ..`.rdata.......0......................@..@.data........P.......8..............@....rsrc........`.......:..............@..@.reloc..\|....p.......<..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cast.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	6.864811568902378
Encrypted:	false
SSDEEP:	384:A6F+JwjOb3g8v6XJZXmrfXA+UA10ol31tuXS7g:xANpYbXmrXA+NNxWog
MD5:	828483E29C283A93C47F3E2F62FAEE70
SHA1:	B899F463F77A60186F851AFA7DC2CE4553D0EFDC
SHA-256:	EEEACC9F9E317F68AE50814C1779A948A9E3291BC18724737F70DF7FFF773D4D
SHA-512:	72224B7D046F4F14D75C655AD40D3E5C7D70BD59E151D894E4F150278733AF2329B35C53824616C2089FF18B65EFA0C9EA039A9CEAF6B953D6CC3B5C340134B5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Uc..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..................PE..L.....!`...........!..... ...4......L........0............................................@..........................T...... U..d....p...............................P...............................P..@............0..x............................text...#........ .................. ..`.rdata...(...0...*...$..............@..@.data........`.......N..............@....rsrc........p.......P..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cbc.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.045521981673899
Encrypted:	false
SSDEEP:	192:ivszl2dafmTpPCW4YQWijO0BLJk7AgcID:f7cpP+YAji7AA
MD5:	FCD7DCBAD7DE985627E8D1ECCC25F08C
SHA1:	7F30BEECD86604E9C98D6D71783948E02D889DE6
SHA-256:	058F5DBF63FE501D50E321510B533BFBA2C9A1EBA48CDE4AEED32BF3A407DF91
SHA-512:	5B37D3D76F838B9811C515919234341D849D338D2AB19629E4B580D150BCDABE1C1075030ABD006257F4B6269D973E7369063633ADC575241597504CDE2A4BF5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Uc..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..................PE..L.....!`...........!................Q........0...............................p............@..........................4......H5..d....P.......................`..L....0...............................0..@............0..x............................text...9........................... ..`.rdata.......0......................@..@.data........@....... ..............@....rsrc........P......."..............@..@.reloc..L....`.......$..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cfb.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.540041860009719
Encrypted:	false
SSDEEP:	192:mdpsVFgfQafm0Pg6rj4q0sXkjO0Wfx0JYQOngJk7k+HZc:9gV/Pg6YqbUjNZA/7k+H
MD5:	A7A24D9911DCEAE9D28CDC308EEC4E63
SHA1:	58E3EB48DBF78BC289F0F480EC53E6E084175BCE
SHA-256:	D357EC5D50A7A8FE1ABBF5748B1F54BE8F4B9E161143EBEBDBAEE83B903B8FFB
SHA-512:	D07594F907FBE83B7B5EBF9D60604982A3292DCDBECB9525847F852FF91ACB9613B48FA83D05AF93E5EBDB8F140D20141D5A847FA3700C86D882571B5BB1FD8F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Uw..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..................PE..L.....!`...........!................Q........0...............................p............@..........................4......H5..d....P.......................`..h....0...............................0..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@......."..............@....rsrc........P.......$..............@..@.reloc..h....`.......&..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ctr.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.51365200579226
Encrypted:	false
SSDEEP:	192:easz1K1afmud5Da54YENjOHBxYb0xkaZG2l/Ff46Jk7pF1K+bce:4//d5DFYEj2Ba03E2lRS7pF0
MD5:	55B592CDF27016AF43E877F43AB91758
SHA1:	347A4FD58337C43C13538B09ECB725A4DC755A4F
SHA-256:	50114511465527C886793ABFBEDA23C51F38B3E9FF1DBF092E610F31FCF097D2
SHA-512:	6DF268C92E84D83E214E9EAE68276FB08227F0F14F5160DD7F8A8B337649BBE9C94DA1B62EDEDB99C282F528BC7F1DAA37292D44CA0F45B4D5889A205DE7AF71
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iy^...0...0...0..`....0.i1...0..s1...0...1.(.0.i5...0.i4...0.i3...0.j8...0.j0...0.j....0.j2...0.Rich..0.........PE..L.....!`...........!................Q........0...............................p............@..........................4......H5..d....P.......................`..l....0...............................0..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......(..............@....rsrc........P.......*..............@..@.reloc..l....`.......,..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_des.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	4.088279007542777
Encrypted:	false
SSDEEP:	384:7cwjh9VBgj/l8pKPSMgMkLVeL3LFuLPL1+L8SlOLTVeLcy2LT4zE68rZKdA7be5:7cwjPVjpKcDq7KjqzKTqzQT4zTBd+b
MD5:	5D1EC5FC102A55FA6ACAD152D3DB25B6
SHA1:	2CE34BD323E3DE1885A5B48D12B7B80403659416
SHA-256:	67ED78E36247D4696072B8B5D29A094F0EB359A01DE27A18B4E7D48EC9210E41
SHA-512:	4E46792A6C9695B8A5905E9CEFEE13068207E3BBE80430E9BADDCCEF40FDE43677F7B5AAD59E27A93F8E71D5BA76926D25F592AC22A195DEA6BF30065FB559DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iy\|..............`......i.......s..........,...i......i......i......j......j......j......j......Rich............PE..L.....!`...........!.....,..........L........@............................................@.....................................d...................................0...............................P...@............@..t............................text...=+.......,.................. ..`.rdata.......@.......0..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_des3.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52736
Entropy (8bit):	4.104641074620757
Encrypted:	false
SSDEEP:	768:LcwjPV6gXp9KcDq7KjqzKTqzQT4zImf7W:Lcww2mf7W
MD5:	97FBAD05785912174F0FAE7EC48AE0A6
SHA1:	46E82C679665129DC92EEE17496839A20A8B991C
SHA-256:	35860E5B1DE8E61F814B319659358F1586D3D418677A745D9A3D0FA629C69726
SHA-512:	64F746FFE1FF84282ADA1EF9174466E8C72DA704564D7C48FECC2917193546060C7018918B92121DB125D8AA5144A0F28A3116CB400985C16D57E50160BD400A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iy\|..............`......i.......s..........,...i......i......i......j......j......j......j......Rich............PE..L.....!`...........!................L........@............................................@.....................................d...................................0...............................P...@............@..t............................text....,.......................... ..`.rdata.......@.......2..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ecb.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.981562326626103
Encrypted:	false
SSDEEP:	96:QKHBkCQzlvhDvafmuLddgg6dMGoVmk4s/DjtjOEMIQ+kmJ5yzfQzQjc:VGTzlvdafmd/iGooAdjOBIBJk7EYc
MD5:	63C6A3638326BF2B917DAB436AB7BF0B
SHA1:	9557551ADD600ABB4776D5E4B3911FE23334B7AE
SHA-256:	FEBF9FF2B3CFC04921E67B925F300B55B483BDCF5D193B1D368D11B3FB4052AB
SHA-512:	E6D3284FCEA0DE9926FE07E2DF8D563A66B2E2B429D7EF952007268471232F90F277BC2DD5420337FA800F05581B7C210C2E97465B1E5AB0038AC1892B6F5280
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......auN.%. .%. .%. .,l..'. .e!.'. .1.!.&. .%.!.:. .e%... .e$./. .e#.$. .f(.$. .f .$. .f..$. .f".$. .Rich%. .........PE..L.....!`...........!................Q........ ...............................`............@.........................P$.......%..P....@.......................P..8.... ............................... ..@............ ..h............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..8....P....... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_eksblowfish.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	6.502928196768047
Encrypted:	false
SSDEEP:	384:GSr1g/OMTUjMkkNTFYv+9pJgLa0Mp8a7Q:GSr2Oo5kkZ0+VgLa19Q
MD5:	C9645EFC317534F82BB666312480CACD
SHA1:	83D88135F6F26ADEB94F07E3277E4955701B0187
SHA-256:	0500569B9543FDCBF010BD5A4BAEDFA5890C923B26BFF63F90F7B457F10BEB48
SHA-512:	3E9E537DB9DAF7F893435F79ED33DB3DEEDC8EBEE3B05D6FACE9398913BD8EA3E9AD52F870AFEA22838CF2FE8789BD0B88341FFC4A789B92106C68B5944BECCC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Uc..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..................PE..L.....!`...........!........."......Q........0............................................@..........................D......\|E..d....`.......................p..h....@...............................A..@............0..x............................text...c........................... ..`.rdata.......0....... ..............@..@.data........P.......:..............@....rsrc........`.......<..............@..@.reloc..h....p.......>..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ocb.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.627952006582291
Encrypted:	false
SSDEEP:	192:QsxFVSdafmypDCB4nTweQjOnRi7tTQrKzr4X/+UJk7KGGcI:x/1pD1n0jwRipAs4X/I7KG
MD5:	639BD924F7D3A10900AE5ACE6A40D09C
SHA1:	FC93645088150D53191C1BC7E610BE21765B892E
SHA-256:	D3F8C3DD0810FA229C778A01963382545C6BE1019CE7A25498785CEF2E091E61
SHA-512:	C0BF5384BF1EF1A13BD5634A84A16E862C7BF63946C974D958ED4A2881CA1427036F1339AB78105030F0ECE1DB8BD7B57C219493603DF6778AD82266E487A2D5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!................Q........0...............................p............@..........................4.......5..d....P.......................`..X....0...............................0..@............0..\|............................text...)........................... ..`.rdata.......0....... ..............@..@.data........@.......*..............@....rsrc........P.......,..............@..@.reloc..X....`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ofb.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.027871132927717
Encrypted:	false
SSDEEP:	192:iPszl2dafmTpPCW4YQWijOyj41lJk7Agca:/7cpP+YAjN4u7A
MD5:	D8A94C8644B1975A720B7E117E0BD2F2
SHA1:	3B20D8A1F064164739583ED73A97C9DEE4FD29D4
SHA-256:	3E0191A5C1CF0AA3434CD02FC5517F2C6A2BD719893BFA673BF76251DB923746
SHA-512:	74CF03C7D115BA7861B6A18C17F965A84CEEC1852422A5A57B1D622C90E5806BB4802D88C64841FA97C1E29DA7A5FC26FB0D7DF7502954D0ABBE9C150ADB1F80
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Uc..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..................PE..L.....!`...........!................Q........0...............................p............@..........................4......H5..d....P.......................`..L....0...............................0..@............0..x............................text............................... ..`.rdata.......0......................@..@.data........@....... ..............@....rsrc........P......."..............@..@.reloc..L....`.......$..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_BLAKE2b.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.657953185510969
Encrypted:	false
SSDEEP:	192:ppzlxsafmTpPHW48QWijOI2/GRXXJZ5GDbGaAZDoiWB4+tAnYcJk7QUc:9zcpPx8AjY+1T5qbUZDoK+PT7Q
MD5:	E81CFBAD73D7C07326BCEED5D4061E39
SHA1:	475265AC7E1FC600570916C9FE18E2167E4CDDC3
SHA-256:	55F6FF61B01581853308544B773AA0A8D434568C4941EA99B8DE112E133FDF0B
SHA-512:	3B1186F77B9815D00B2074AE792823E80346DA10FC7EDD6925CB51827E803ECAD855D5978B3986D20F554D577B3E9D02A69FD7C09BBFF9A6375916EF4D1629F5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Uc..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..................PE..L.....!`...........!................Q........0...............................p............@..........................5......\6..d....P.......................`..L....1...............................1..@............0..x............................text............................... ..`.rdata.......0......."..............@..@.data........@.......,..............@....rsrc........P......................@..@.reloc..L....`.......0..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_BLAKE2s.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.546888342671967
Encrypted:	false
SSDEEP:	192:Oszl2safmTpPHW48QWijOXFHqIlnn7NwlT1z0OcJk7Qgcb:v6cpPx8AjcHquulT2OT7Q
MD5:	487F044A542471F4781BC3244705B6A7
SHA1:	7988183C0E8C7223A59AE8FDF30C3D0964601D43
SHA-256:	33BD520C30D48A308107B23217DF40ACD88D2FEB038793BE0D9F55A9321AC192
SHA-512:	A76EEE4E8D88903F3783787A7E64B092EDAF3EBA03FD49478CB5E53B2D01C1358901608C3DCE4B541FD20EC7FE3A35517237CB5445AFC723E45ED6B3FD592A35
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Uc..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..................PE..L.....!`...........!................Q........0...............................p............@.........................P5.......6..d....P.......................`..T....1...............................1..@............0..x............................text............................... ..`.rdata.......0......................@..@.data........@.......&..............@....rsrc........P.......(..............@..@.reloc..T....`.......*..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD2.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.399723938603401
Encrypted:	false
SSDEEP:	192:XpzVt0afmaxb/O4MwtjO0pZe2EEq+Jk76pce:7vdxbxMQjF8Eq5765
MD5:	7593C27B12E3C3C08A278F8F4C819263
SHA1:	9CC256A08FE84E51BA44EEACADAC64AB17DCF6C2
SHA-256:	4F723168EE711B7BF46003030F79E5378AC767AAB39D1E3EF8E60478F35B12DC
SHA-512:	368279946D719FA7F52EDC2579CEB18336DFFC06DAF5C985F40A3C6E057D5429F02E9D343FF323F77FC122593678A7E4D3B491F2140EDD8B05E9BBEA8C22CE2E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!................Q........0...............................p............@..........................5......@6..d....P.......................`..x....1...............................1..@............0..\|............................text............................... ..`.rdata.......0......................@..@.data........@......."..............@....rsrc........P.......$..............@..@.reloc..x....`.......&..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD4.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.663019583582992
Encrypted:	false
SSDEEP:	192:lszVi1afmaxbaW4MwtjO2Hb4R7piK1kF2kVZJk76ccX:aXdxbmMQjnHbU7pjkFxVM76T
MD5:	F0E1115AA757049A20EA72B0E4E5C9FE
SHA1:	EB73DF3B796C74367D7B3E732268AD242B48728B
SHA-256:	B3202BE54D66B38DC327EB2B5E88462B59EF5797D04663AA50247A7956764661
SHA-512:	A5B63F165250818B62985F6AC5C05321615558D75FFE344EB8248ACC2D04F877A3DDC9E55E6145B946A8CF9B2AEF979534B0E5F2279AB25250210D3E71BA053D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!................Q........0...............................p............@..........................4.......5..d....P.......................`..d....0...............................1..@............0..\|............................text...;........................... ..`.rdata.......0......................@..@.data........@.......&..............@....rsrc........P.......(..............@..@.reloc..d....`.......*..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD5.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.766828482312621
Encrypted:	false
SSDEEP:	192:JsTVilafmXaBeezJ4aUmYjOMWUI9zk6l40fByk+z54GoE7RJk763vQcv:enNBrGaUjXWUd6O05PI54lE4763v
MD5:	EE029245AA016CEA4DFD60DDF7FABE19
SHA1:	D0F94D6B598D39CBDD0E4AEC4D663C89DE8D4216
SHA-256:	7AA0C91D8523AFD7E473333414C1B60282A5F1B2534F409BD77CB1B26AEF2598
SHA-512:	E64B7236A865ACAAEE0DFF55D7FF0388A5F15ECF2D5AA28817250D8FC45CC9947BA9D8842971A55C46EA948084B07594AE3EDD185D0A7C01F915A99A9CDFD620
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!................Q........0...............................p............@..........................4......`5..d....P.......................`..d....0...............................0..@............0..\|............................text...;........................... ..`.rdata.......0....... ..............@..@.data........@.......*..............@....rsrc........P.......,..............@..@.reloc..d....`......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_RIPEMD160.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.33323730649165
Encrypted:	false
SSDEEP:	192:ppzlxsafmTpPHW40QWijODdA0YtPLFvx27f8vIJk7A4co:9zcpPx0Ajq4LFJ2z8v7A
MD5:	E649D99E87F7DCB87F117768CEBFED82
SHA1:	0D406C2A8235A6FD0397B698402F88AA4165D3EE
SHA-256:	9341917AC01863DE435B5B07903251A16BE4266C7CD2A38ACE3DEB7ABC90C5D5
SHA-512:	ED1BD55791D807DFE9806528CED19B4D9B4D5672B6AFBD2AA5D59AA973ADFAA2BFA74F97033700E82E47D4B95332B57113824C333D3A6AEDC1FFD5B9E2FD9119
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Uc..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..................PE..L.....!`...........!................Q........0...............................p............@..........................6.......6..d....P.......................`......@2..............................`2..@............0..x............................text............................... ..`.rdata..P....0......................@..@.data........@.......&..............@....rsrc........P.......(..............@..@.reloc.......`.......*..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA1.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	5.789625926534566
Encrypted:	false
SSDEEP:	384:0vn0z/aUjlG/s9WLU8TnjPFIwt2Os7a3+Z:0v4/DG/s9WoaT280a3+Z
MD5:	F3627778B31C24F7C48C4A0DDEBC6803
SHA1:	33679490734C47FBD1B349E66D19605F849B0E73
SHA-256:	F88D4B23D7FECB949088D482878BF603116C739506BCCCEB100975CFEA9CE4C4
SHA-512:	BEE006AC4FE2C3EDC4A3F137171ED3A29F0413F5504185FBFDA5F20FDC1B6CF8E22C1B50AB420626255D72C7B3E6C145EDACF4EE7EE8FE241BAFE1E4D35B459B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!.....(..........Q........@............................................@..........................D......hE..d....`.......................p..p....@...............................@..@............@..\|............................text....&.......(.................. ..`.rdata.......@.......,..............@..@.data... ....P.......6..............@....rsrc........`.......8..............@..@.reloc..p....p.......:..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA224.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	6.050603924849822
Encrypted:	false
SSDEEP:	384:2dWqOg4dTG0jCXv0AhRfHmNltZrbR8vLmHOa7a3:2WqqTWh1mN1bkq/a3
MD5:	6FA3FF8A26E592B0E3C235A08A485AC5
SHA1:	D2610CA3FCE254425C90B2C3D7B70CF9E5FE35B9
SHA-256:	D9F03DE356AAF7341B187776AA5A61A68D391F91E186A14CDE994156F9F93344
SHA-512:	B7FABACE16127ECF17CF1CF2DE52B766D16E7DF7871DF6017E3B9F4210FA48F002A8544D2503F7B66AC1851F5797327EF351ABA25F46132608BEE7953BFEF5D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!.....2..........Q........P............................................@..........................U......xV..d....p..........................l....Q...............................Q..@............P..\|............................text...20.......2.................. ..`.rdata.......P.......6..............@..@.data...p....`.......@..............@....rsrc........p.......B..............@..@.reloc..l............D..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA256.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17920
Entropy (8bit):	6.053574121536138
Encrypted:	false
SSDEEP:	384:rdWqOg4dTG0jCXvyAnRfHmNltZrbR8vLmH47a3:hWqqTIn1mN1bkqma3
MD5:	B10F6FC1E1B7E14A6A44885F81C23F3F
SHA1:	0B59243D3E66CA4FD92242C17AEC5220E8E545E6
SHA-256:	D8852EE41DEA77AD61FE9B78363CF7B68E3161AC0497B81F97DD3293437E959B
SHA-512:	BD927821C94A2A147187F07A579B8A06ABC4663302CEB4D44261E17FEEA423CE1FE3BE9653D217E1B21A4F224D4950DED359ACCC4F69A76A750E2D8CD67AE2B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!.....2..........Q........P............................................@..........................U......xV..d....p..........................l....Q...............................Q..@............P..\|............................text...20.......2.................. ..`.rdata.......P.......6..............@..@.data...p....`.......@..............@....rsrc........p.......B..............@..@.reloc..l............D..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA384.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	38400
Entropy (8bit):	6.237023713255165
Encrypted:	false
SSDEEP:	384:YdgGYkKb4j/qmGtxaYLKpFHiAn3F2gcZc8Mq1GJ8ehedr1l17a3:YdtlWCjGx+YkFAMBJ8weV1lJa3
MD5:	321CDBEF813236FAB846D98161855DE1
SHA1:	022C5CB957CB8182ADDC93B4E4E7A87EB750875E
SHA-256:	C08D2A7104800AB688CE0D4BA6F1517B4F340DBDA8AC434950E3FA2389AA3728
SHA-512:	5C877CDE40F9E688A6D00A0CD28EF86E1DF3987FBFD99CE10EA5457EC6BF46F9E8D8BA4EC82C3BDFD50BFBE97E8CB5551C3CD22D9AC687332E4921F594599BD5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iyv..............`......i.......s..............i......i......i......j......j......j......j......Rich............PE..L.....!`...........!................Q.....................................................@.........................P.......8...d...............................l...p...................................@...............\|............................text...5........................... ..`.rdata..............................@..@.data...x...........................@....rsrc...............................@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA512.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39424
Entropy (8bit):	6.228029631683999
Encrypted:	false
SSDEEP:	384:B8QGFK0jhqItxaYLKpFHiAn3F2gcZc8Mq1GJ8ehedfK987a3:B8dFzJx+YkFAMBJ8we0Ia3
MD5:	930DAD79CD55A77019DD7C18EA3C1E01
SHA1:	65AC2A9EB0E526B07025018606CCAA0A211FBD49
SHA-256:	9F6568B231FEB9612AA1D2A4B8BF755348E557F9492D561F9EBDF0FE083E118A
SHA-512:	EFBA5C0E0B40E04BD1822C52B530054EB9A787D6B879C0D164F4A67FABCF28986CCC96D86D96C08DF841CD6F1BA33B7A7ACD32547FFF1B7944BB039E24BB3F74
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iyv..............`......i.......s..............i......i......i......j......j......j......j......Rich............PE..L.....!`...........!................Q.....................................................@....................................d......................................................................@...............\|............................text.............................. ..`.rdata..0...........................@..@.data...x...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_ghash_clmul.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.406408790127567
Encrypted:	false
SSDEEP:	192:QNszVKdafmHprCW4oQWCjOJbib5UuvGZDSnTxjAJk7jgcr:dn4pr+oAjUbibaZ2tjf7jz
MD5:	E5FA274EFA7ADC27C5EF45A7733E1856
SHA1:	A64234FC1B9B942FF52105C712EDDFFF9DB117D2
SHA-256:	D90DA5C724CC8ACF783452F519E5804995427CCB4D9DDF74CAEFD7F59174EC20
SHA-512:	A2FC26BD6766786D6D02ACCA3DACBBF3FBE15CF6A402D06B10BF32A1E20217DCBAA7798437E20229C5503D0295B186333E291893F4479654B24B6AF32842C1E0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ue..4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!................Q........0...............................p............@..........................4......85..d....P.......................`..T....0...............................0..@............0..t............................text............................... ..`.rdata.......0......................@..@.data........@......."..............@....rsrc........P.......$..............@..@.reloc..T....`.......&..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_ghash_portable.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	5.415191560150531
Encrypted:	false
SSDEEP:	192:qDTVblafmyZWeKe44w1jOFH+2WlTCLppAoJk77gc:+UlZDO4wjaHGlNH77
MD5:	B7A8299DB2F8584B2EA77C6755C61EAC
SHA1:	3EBDA31729C887A9D0E9105ADF6CD8884D90A7B6
SHA-256:	7962619427DA4B2F0579E8BBA3558F1D5BE8B835346BDC1F7252E134141F450E
SHA-512:	E7A68B2F44295EE8ED4799CF63419B4567E788AFE1F4EDA3D02134FA56D5CF9DCC91E10C625AADC2A53804F593DF646699ECA0AEA3C94EAC8943999E7BF8237F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.q.......................................$.............................................Rich............PE..L.....!`...........!................Q........0...............................p............@.........................P4.......5..d....P.......................`..@....0...............................0..@............0..t............................text............................... ..`.rdata..b....0......................@..@.data........@.......$..............@....rsrc........P.......&..............@..@.reloc..@....`.......(..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_keccak.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.6045677735620325
Encrypted:	false
SSDEEP:	384:ZYZyOENIIjEkqFS1895x8g6q+SQpwyg7a:mZ3ENYFSs5V6Eyea
MD5:	76FE48A198231419B84781F7DA81BB75
SHA1:	FF0E606A86386E394E984D74379DC9D8767FFB83
SHA-256:	F9B2D448F6A68FA611CD4C1B794CB8519EB8FDA136D85BD59342AC8B835B58B3
SHA-512:	3B56595176AF4830DE5D18B6566DAF4C92488CD522FA71491BDB1D843D4641E5DEBAA5B106C8405075949338A3CB596E4711D30D3D013A72A7FD4B6232A8078B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!.....&..........Q........@............................................@.........................PE.......F..d....`.......................p......pA...............................A..@............@..\|............................text....$.......&.................. ..`.rdata.......@.......*..............@..@.data... ....P.......4..............@....rsrc........`.......6..............@..@.reloc.......p.......8..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_poly1305.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.528078267986478
Encrypted:	false
SSDEEP:	192:K9slVhZafmUgkGz74aUG4jO0FJJxmFUT89pA8fG5JOJk7aKsc/:HmRgkGIaUj5FJJvOpA8fG5JJ7aK
MD5:	7EFA9A77FA57262B34111333E71C9B18
SHA1:	CCB6290E5F6A771D36CDAF2A8355006B67CAEBA1
SHA-256:	0F96B3C58EE31DCE0F2EB1C56A049D25F208896E7C26C8EEEF261679366FBAF4
SHA-512:	FBC704469EFA1A1B0905A59686106D80A7C4EA6FD552F8373722A7A99C2809FC2C1F8843ABEF611CD1AEE81FA5B39EEBB962FE4411CF70AF1093A9D5CA9AE095
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iyv..............`......i.......s..............i......i......i......j......j......j......j......Rich............PE..L.....!`...........!................Q........0...............................p............@..........................4......H5..d....P.......................`..p....0...............................0..@............0..\|............................text...J........................... ..`.rdata.......0......."..............@..@.data...8....@.......,..............@....rsrc........P......................@..@.reloc..p....`.......0..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Math\_modexp.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29696
Entropy (8bit):	6.197076059448301
Encrypted:	false
SSDEEP:	384:Z/V8yC4w6Ejg19/MJg8Qm9e4yZ+oQ7Cjoyn0xqgK1poFuhO87RsOTIYmF:diydwm1xmoZLxoe0xqhMuHR6Ym
MD5:	B6B2E4F70361D4D1271A3F0273D05C66
SHA1:	694D909EDCCDB1D3E932677B188BBF1DCB73677F
SHA-256:	CCFF8CD3FD4D04B0F7BBA259E27437BA18DCDA5C139A3E47A45867375272E659
SHA-512:	610A0E3C97AF5F19E6C74963993F736F47D40E8CFFD0424FDB5CFC96406FB9238D3EEDFEA183B789EB3F48713DC5E922DD1BA7EFF598B8346292ADDCF480DE11
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3~M.]-M.]-M.]-D..-I.]-..\,O.]-Y.\,N.]-M.\-h.]-..X,A.]-..Y,G.]-..^,I.]-..U,I.]-..],L.]-..-L.]-.._,L.]-RichM.]-........PE..L.....!`...........!.....X..........Q........p............................................@..........................t..d....t..d....................................p...............................p..@............p...............................text...EV.......X.................. ..`.rdata.......p.......\..............@..@.data................f..............@....rsrc................n..............@..@.reloc...............p..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Protocol\_scrypt.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9728
Entropy (8bit):	5.107437158322755
Encrypted:	false
SSDEEP:	192:LsTVuRNafmSo+5Tym4YlO9jONSsCQULn1qJk7rGGcj:AuiQ+5TeYgj+s1d7rG
MD5:	C3DE03BADCAAEB7C88449913C0603234
SHA1:	45CBAE884FA5F6C1D0ECC571482F9128073845D9
SHA-256:	BF533F199F39E103FFD1400651F47C9CA1FEDF439646ADCA7B9B6FC8BEB972DB
SHA-512:	B9D2D51CD046BBE93F12243488A8612C63D1A94C02E35D453E632CFE7FD85265CB56E52D8015CF319C0728097ACDE7E5F3DDDF886EF959B91C9BF51FE0CBA342
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4..4..4..L..4../E..4.._..4..4..4../E..4../E..4../E..4...F..4...F..4...F..4...F..4..Rich.4..........PE..L.....!`...........!................Q........0...............................p............@..........................4..d....4..d....P.......................`..P....0...............................0..@............0..\|............................text...k........................... ..`.rdata..l....0......................@..@.data........@....... ..............@....rsrc........P......."..............@..@.reloc..P....`.......$..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\PublicKey\_ec_ws.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	753664
Entropy (8bit):	7.657514317930471
Encrypted:	false
SSDEEP:	12288:RGKF+8MgkRi8a/ChpC7HoxJ8gf2266y8IXhJvCKAvqVLzcrZgYIMGv1iLD9yQvGE:RGKF+8MgkRi8a/ChYHoxJFf2p3bhcrnp
MD5:	CBB0CC59C8E297B5C557D283B83A5785
SHA1:	8FC85730E289D3E649198C9D7267BD4F4EC57E57
SHA-256:	BE3B0B95010ECFD23632E2D35E46C8DA6486378C0296F5491486E30AD8C8FE98
SHA-512:	328F6E68E676A53D2CAD1D643AFC3BF19D7D3F62070B0A6BD9D99CBF84C586DC211C83302A011C591C9D83AC0CA18B36C5852FC5B493D73B2E3C4C131EEC5449
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a....................s......................s.......s.......s.......U.......U.......U......U.......Rich....................PE..L.....!`...........!................1.....................................................@..........................{...... }..d....................................w...............................w..@............................................text.............................. ..`.rdata..............................@..@.data................j..............@....rsrc................t..............@..@.reloc...............v..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Util\_cpuid_c.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	5.200885122005131
Encrypted:	false
SSDEEP:	96:QKHmCQzlvhDvafmuLddgg6dMGoVmk4s/DjtjO6D7DaDgHHLToeJ5yzfQTQjc:VmTzlvdafmd/iGooAdjOE3/Jk7UYc
MD5:	38CC6CE25590AEE492A0A2B418D07467
SHA1:	C51E1E988C14687A8CEA56F6665B08CE3BA14DEE
SHA-256:	2E3571B68D4F8B823FFD554C00498FF51239427B613ED330BC3A90919D9F8D18
SHA-512:	EBE54FA6500F4B29FC621B024FE04E417D77343FC126DF620150BE28126C0E94EF07696F07795986B4131C32EEC48AF98F7D05CC80917802FD34E5AA068D10EC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......auN.%. .%. .%. .,l..'. .e!.'. .1.!.&. .%.!.:. .e%... .e$./. .e#.$. .f(.$. .f .$. .f..$. .f".$. .Rich%. .........PE..L.....!`...........!................Q........ ...............................`............@.........................P$..\|....$..P....@.......................P..8.... ............................... ..@............ ..h............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..8....P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Util\_strxor.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	5.150921757221003
Encrypted:	false
SSDEEP:	192:0eTzlvdafmd/iGooAdjOtd5Gl/Jk70Yc:0yIa/eoQj8slG70
MD5:	5747E089484BFEEE0F6BBE8EC1F96EA8
SHA1:	E65D20056702CAA5B12EF3387EBBBDDD7F1CC322
SHA-256:	BA5D513713784B33762F32632CF0CD576E479AC5A6F835A3E67AE1947D41B5AA
SHA-512:	9F26F4622775C4FA45458CEB7746A5B69042BD2F41873C853164E8BCC5DC5F3EC485A065E42E433AF1175D99AFF047BB84150D7723C7F41439FA41270C29EC47
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......auN.%. .%. .%. .,l..'. .e!.'. .1.!.&. .%.!.:. .e%... .e$./. .e#.$. .f(.$. .f .$. .f..$. .f".$. .Rich%. .........PE..L.....!`...........!................Q........ ...............................`............@.........................P$..t....$..P....@.......................P..8.... ............................... ..@............ ..h............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..8....P......................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	76168
Entropy (8bit):	6.781149490150774
Encrypted:	false
SSDEEP:	1536:zgTqURG2vo0RwvI7sjBH+cOKXc36r23oEecbi0mju:zdURhvZ6vIQVrPypecbi0m
MD5:	87DD91C56BE82866BF96EF1666F30A99
SHA1:	3B78CB150110166DED8EA51FBDE8EA506F72AEAF
SHA-256:	49B0FD1751342C253CAC588DDA82EC08E4EF43CEBC5A9D80DEB7928109B90C4F
SHA-512:	58C3EC6761624D14C7C897D8D0842DBEAB200D445B4339905DAC8A3635D174CDFB7B237D338D2829BC6C602C47503120AF5BE0C7DE6ABF2E71C81726285E44D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ix..-...-...-....\|./...$a..&...-.......h..>...h..8...h..1...h..,...hl.,...h..,...Rich-...................PE..L....._.........."!.........................................................@......{.....@A......................................... ...................#...0..x....#..8............................#..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc........ ......................@..@.reloc..x....0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\_asyncio.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	57520
Entropy (8bit):	6.4179566473980465
Encrypted:	false
SSDEEP:	1536:0iULU9Lbx5udbmDoOTXPnbhyBDmuo2iwBIuYncjNayr:0i4MLLbhamuo2iwBIuYncj3
MD5:	54414D216C4DEA54799DC0F5CE657FBE
SHA1:	0043CFCAE73985C7739ABDF6DBB0E4291EFDB5D2
SHA-256:	CEF9A3D83E7CC45D99D666A6F8E7E58CC68ACB14E8858FE5BC6ED54A0F7C3898
SHA-512:	F3CB7C8D38E59EB8F9A1CF693AD032FD560B4CCCB604B11C1BAE837FE045591C969A7E1EDF35F1BA9546EEF0E3C5D0D70188393B3C656B91ED95736AFC8A5358
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........K...%..%..%....%...$..%... ..%...!..%...&..%.<.$..%.$..%..$...%.<.-..%.<.%..%.<....%.<.'..%.Rich..%.........PE..L...../`...........!.....^...f.......].......p.......................................R....@.............................P...0...d...............................H...8...T...............................@............p...............................text....\.......^.................. ..`.rdata...8...p...:...b..............@..@.data...............................@....rsrc...............................@..@.reloc..H...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	79536
Entropy (8bit):	6.643809455301382
Encrypted:	false
SSDEEP:	1536:02MfT59id2pNXdCQXa64t3oS8bOWUwXpIuMVwqJyb:0T/5pNXdFa6llbOWUwXpIuMVwq0
MD5:	445CE6BCEFB6EDDF0D953DBA17E0B320
SHA1:	3D5FB5EEC6ECA27D37CAAE31F173DFD53909C74C
SHA-256:	CF721704D96F071DE10A1E174A07BB1211864EA588CE1C4D6023F11701AAAB13
SHA-512:	31B2247CB06C1905AE6857CC6FC23A9FC5E1C4FB7E76229D7444B417353A3EC76412DE73FF08750C09F5D1AD8644B8C07D79B3820E594AFE997DC733F610AA41
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4..g..g..g..xg..gx..f..gX,,g..gx..f..gx..f..gx..f..g_..f..g...f..g..g...g_..f..g_..f..g_..g..g_..f..gRich..g........................PE..L...../`...........!.........N......y........................................P......2^....@......................... ...H...h........0.......................@......x...T...............................@............................................text...Y........................... ..`.rdata..n1.......2..................@..@.data...8.... ......................@....rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	117424
Entropy (8bit):	6.568932798472365
Encrypted:	false
SSDEEP:	1536:UhnXb10JQfHRFDrz2EH7EHURqBcNVValsffwv3TuLlbuRB/FfZWxOSQKkx1IuBPO:UhnLAI5xVVals3Py/FZWobKU1IuBPxEP
MD5:	286CE553108A74197DF006D71D31918F
SHA1:	01A9FDE2833F2FC684A442169480ECFC8F1559D0
SHA-256:	13A45B718DF8CB4C0218F720C396973F8A501678C6CB6EF9380730C97553EE8C
SHA-512:	3CA8AB25B4B069C702E02226623C0CEA55CDB7EC3FEEA50C81A0A2350BDCB9B5BB2C2D7768C810743024EA99568F20DF51ACC4AF28DAACDE0AF18F0F5D6B7A1F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S<...]...]...]...%o..]..,...]..,...]..,...]..,...]../...]...6...]...6...]..4...]...]...]../...]../...]../...]../...]..Rich.]..................PE..L...../`...........!.........................0......................................6.....@..........................f......Dg..................................l....b..T...........................hb..@............0...............................text............................... ..`.rdata..~N...0...P..................@..@.data.... ...........f..............@....rsrc...............................@..@.reloc..l...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	228528
Entropy (8bit):	6.825703510403188
Encrypted:	false
SSDEEP:	6144:vISxoQN8s3Hs6B+ruCQxuqaxV3XMW5gVrserORH0i:vISxoS8s3HSruCQ6userOhv
MD5:	DD8724365CDF7372892B0220BC8007C0
SHA1:	0C43CFABCD2FD710432C7E76CF58CFEDE05F9069
SHA-256:	FF753B671FE3A1D09B4676A0E08F85A4B19D0F5DD06B50DCA31339911730F343
SHA-512:	42AF80495E1FA96A438ECE00D896D02BF3249BC4832CB182511384DB438A41F07A54A6F3F03FD992F32901A4D684E66EF337BA379CB0C9245A621CD04DB26B0D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'.}c...c...c...j.@.m....../a....../o....../i....../g....../`...w../a...c........../l....../b.....,.b....../b...Richc...................PE..L...../`...........!................w.....................................................@......................... ...P...p........P...............`.......`..D!......T...............................@............................................text...Q........................... ..`.rdata..............................@..@.data........0....... ..............@....rsrc........P.......2..............@..@.reloc..D!...`..."...>..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39088
Entropy (8bit):	6.576705962671287
Encrypted:	false
SSDEEP:	768:cAtCkdtp99Be3oOQi2ApPXl/mr/2IBIuYIBpLDG4y2jha:cAckdtp9/2oOQi3pfVm/2IBIuYIZyt
MD5:	76A7E9C182FB34121881B868829786E5
SHA1:	40392A3BAD97AA8C7C7C7ADD34A59F170E917747
SHA-256:	D6F37E0BC993D76BFD3D8F28963E0936D893C3EA1B6A4B2ABCB06A053FF0BB94
SHA-512:	4CE0AD1149F6A2619DFA17DDFC46AE3ECBE18A2A111A3457DF99B84B6F8768FCDB6470C3B0F93C08D43B06218C56EC19C7D21A6D4AEEB86F98A51DBCBCBBEC7D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.DUi..i..i..`...k...+.k.../.b.....c...).h....+.k..}.+.k...+.j..i.+......".h.....h......h....(.h..Richi..........PE..L...../`...........!.....>...>......H=.......P............................................@.........................`e..P....e..x....................\|..........p....`..T...........................8a..@............P...............................text....<.......>.................. ..`.rdata... ...P..."...B..............@..@.data...P............d..............@....rsrc................h..............@..@.reloc..p............t..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	159408
Entropy (8bit):	6.960223316470766
Encrypted:	false
SSDEEP:	3072:wV3Rr96Jf12nMU7gc22JNO2cUDQoxXChHALHuki4zHfBg9mNoaCmERoTpIuD1qyO:+hkFPMrxyhHALHEOpgYObdRoT0R
MD5:	45D91843D03A51354A43D8DCECDF22E1
SHA1:	C982DCDCEE7B2D64AEAA478D8FFE0087B64E391D
SHA-256:	DB9ABC004E8DA4511025E47A255727CB45111195C6AEB6D50B61A037D7408D0A
SHA-512:	34A13E0445499F7B655C40D9431710FDCCF1BFDA1C7477F23481E7C42526284736714ED38949F91098131F80B635631E3A0BA73DD3734D4E0759EE7F32968364
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......YEy..$.Q.$.Q.$.Q.\.Q.$.Q.U.P.$.Q.U.P.$.Q.U.P.$.Q.U.P.$.Q.V.P.$.Q.O.P.$.Q.$.Q@$.Q.V.P'$.Q.V.P.$.Q.V.Q.$.Q.V.P.$.QRich.$.Q................PE..L..../`...........!................h........................................p......?.....@..........................4..L....4..x....P...............R.......`.. ...(0..T............................0..@............................................text............................... ..`.rdata.............................@..@.data...`....@.......4..............@....rsrc........P.......8..............@..@.reloc.. ....`.......D..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\_multiprocessing.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26800
Entropy (8bit):	6.4189500308991985
Encrypted:	false
SSDEEP:	384:p6hMLUifrlrCojAelk6WPw6DsuOZRIuABLipJXj0DG4y8V5OB8hU:7lr9WY298RIuAtin0DG4ymFhU
MD5:	DBEC7953A3000BB513B26A26F6C1128D
SHA1:	B4CBF27FAB8DF534BE31D021E4C49C42161D4CBF
SHA-256:	307046C4F970F910968EDDC6CB9B65767FA3A70C05AA966DD6434021FEEEBDDC
SHA-512:	2C4D84F5D27E2EB84C1867223C147AB7B5F3C0B72671A5FBCC5936B3449D683AEBD7D3D2F07B4F4203E5D6523F0BD3F8314773567D5FB6FD7262A3CEBC84D20F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........\.t.=.'.=.'.=.'.Eu'.=.'.L.&.=.'.L.&.=.'.L.&.=.'.L.&.=.'6O.&.=.'.V.&.=.'.=.'.=.'6O.&.=.'6O.&.=.'6O.'.=.'6O.&.=.'Rich.=.'........................PE..L...../`...........!................}........0......................................>.....@.........................p:..`....:..x....`..(............L.......p.......5..T............................6..@............0..\............................text............................... ..`.rdata..`....0......."..............@..@.data...0....P.......6..............@....rsrc...(....`.......:..............@..@.reloc.......p.......F..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\_overlapped.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	40112
Entropy (8bit):	6.515613246434881
Encrypted:	false
SSDEEP:	768:iW1TpulXdyBdthIw5o8IYkITWb7PkNIuttgHDG4y5Eh8i:EXdyBdRTTWb7PkNIuttghydi
MD5:	4E5C64134B6C40E187B7F8627A6D8A2D
SHA1:	F5C6AFFAB5A1D14D8B586A1893E136D87DDAAD75
SHA-256:	5EEF3EB8F87D332128569E4810F9283FF57417F1BB67D59D1AB2F471505DC1B1
SHA-512:	7D6783D20AEC060BB1D5C72FADC8D52EF6812EE0776851C96FA2AD21B66C9FA853F5F43B8B775C8A741BD2B35938E2FCCAC16A829E37F7C425978C59BA62B60B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.SP..=...=...=.......=...<...=...8...=...9...=...>...=...<...=...;...=...<...=...<.v.=...5...=...=...=.......=...?...=.Rich..=.................PE..L...../`...........!.....>...B.......<.......P......................................\|.....@.........................0i..X....i.......................................d..T............................d..@............P...............................text...2<.......>.................. ..`.rdata...$...P...&...B..............@..@.data...,............h..............@....rsrc................l..............@..@.reloc...............x..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26288
Entropy (8bit):	6.44734679501627
Encrypted:	false
SSDEEP:	768:XH9qUbFuF16rtrazup1IumUYllDG4yzFhj:3AUbFYktrazup1IumUYlvyH
MD5:	963DD36AEC3EDB74C533B91C5A37498E
SHA1:	5B553F18630F25C52A41BED0AC9C6262CCA662DA
SHA-256:	D0E208BF308030C4BF879BA2A17FBEED48E10DD76C0DBDC9EB3D5F7A990302F6
SHA-512:	513438B82C62BF26079BFD42CF6C562F7DF02A3190B246D9FB32B4342766C27EB77DEF8DE8D748B71C483CEC2B88DD9EDAE367ABFE8C157D135A259A8D859D48
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H..\|&.\|&.\|&....\|&...'.\|&...#.\|&...".\|&...%.\|&.<.'.\|&..'.\|&.\|'..\|&.<...\|&.<.&.\|&.<...\|&.<.$.\|&.Rich.\|&.................PE..L...../`...........!.........,...............0.......................................:....@..........................<..L...,=..d....`...............J.......p..\...X8..T............................8..@............0...............................text............................... ..`.rdata..b....0......."..............@..@.data...t....P.......8..............@....rsrc........`.......:..............@..@.reloc..\....p.......F..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	69808
Entropy (8bit):	6.611317372453449
Encrypted:	false
SSDEEP:	1536:+NU6t0wKLlEIOiKISMD9f8+LeJzJbHjW/Z1IuBwC8lYHy/:+NPt0wKLlfkMD9f8ueJdbHi/Z1IuBwpL
MD5:	FB09559F0C1C4DC91DFBE361828B0E39
SHA1:	E38A5B68F38E6FFF3C276CEA2B40620B33295879
SHA-256:	5EC25AD36306076275E094FCE70E150C632B193C916847535DF3904545F879F0
SHA-512:	6D9BAE50E82F0B57240EFA2E637DE01C16CF1AEAAF95DD9F4B3DDF391CE163D140C06549243EF8D370D76A866190A49A1C1D8E8C0177CE8A709C574A1220E86C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3...]...]...]......].D.\...].D.X...].D.Y...].D.^...].c.\...]...\...]...\.J.].c.U...].c.]...].c.....].c._...].Rich..].................PE..L...../`...........!.....r..........Kq....................................... ............@......................... ...P...p...................................L.......T...............................@............................................text....p.......r.................. ..`.rdata...].......^...v..............@..@.data...@...........................@....rsrc...............................@..@.reloc..L...........................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	143024
Entropy (8bit):	6.46611957726107
Encrypted:	false
SSDEEP:	3072:Z8wJl2IslifCkaWuNPTTT/TpvdSRyOvm5GgDdhpIuM7GHux3P:Zpl2IsMDuTT/T/SRMGgDrqx
MD5:	50F9B63B7632255FE69ABE0C2B4FAE04
SHA1:	623BB9731CC5AA99EEB7C28DDF949495B0501717
SHA-256:	0A7786AD8A9D4A24BD84B520BB7A8862DF949ABFCF10027172AAF0E3A18EDE7A
SHA-512:	B35536AD316D7FABF7617451F9A4AC2088A473A97E8E023BB7AB55C50707ED9E7B3CAC2C72CE98A5F6D2CC56DF2A5D5A6B149110994006F76937BC22644D9273
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............n..n..n......n.V.o..n.V.k..n.V.j..n.V.m..n.q.o..n.M.o..n...o..n..o...n.q.f..n.q.n..n.q..n.q.l..n.Rich.n.........................PE..L...../`...........!.........N......h........................................P......V`....@.............................d...D................................ ...#..H...T...............................@............................................text...,........................... ..`.rdata..............................@..@.data....I.......H..................@....rsrc...............................@..@.reloc...#... ...$..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-console-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	3.1738809363410794
Encrypted:	false
SSDEEP:	24:ev1GSsMy3flBrWH+MjUW5V2dCtWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qidabf5VGCtsOIZWUKcsbh/5WwaE
MD5:	2B99760530FA474FC6C36451ACB9F445
SHA1:	6FDA8692EEAD43139CE78C8A8165F035B7096A25
SHA-256:	09C2FD7338A4CC2796DEEF0B73C4786B806CF2B5366E396D6231DE263842E283
SHA-512:	3E43F28CBD887522012CB7799386A516BC074AE7FB58317910695DC9ADF4FB7D2DAF47C41BDAC05E7A2381975D09EE76B89D0F11AB56DC6CC0661CD6FEAE293A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L......^...........!......................... ....@..........................0............@.......................................... ...............................................................................................................text...b........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-datetime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.6611702423778443
Encrypted:	false
SSDEEP:	24:ev1GSs7/ereC38M+lxMCtWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qw+JKMCtsOIZWUKcsbh/5WwaE
MD5:	9AFD83F00F9E720056DE6AEE2D45F600
SHA1:	6F2100489B0567EB5A0F910EA7CA583BE13E49A5
SHA-256:	0C8488229F4BAA1B3870EAE63F72564E4B3E81AABEB0E00F7644842CD2DD371D
SHA-512:	3D53C92B6585E314FEB40939C71AD25BE21E48D854715E4EDFD4C4EA3FBC439261D27F66D772C8006B04A91641815EDF38FB6103109CA3856110C2A010625DEF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L......^...........!................g........ ...............................@............@.......................................... .......................0.......................................................................................text...0........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-debug-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.701276022306465
Encrypted:	false
SSDEEP:	24:ev1GSs+kOiMHE0ELdZLtWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qP51S3LtsOIZWUKcsbh/5WwaE
MD5:	49728A8FAFF8F34D41F46898DEF1D3C4
SHA1:	3EAC0E3F5C94BFD784FFE8A04668DAB4B4D01B6D
SHA-256:	A1BCD2E6710A7866F2D171BBE9D0D10D49B58F9E57D290EC0E2551C439582055
SHA-512:	2D075AF63F9F16D25DC125A7C8280F84B7D0DDCC91415A0861C3DBAAF4C1D92B43DA33358EA1EB06D2E146AB6C7CB0ADE542BD543E6A1BF8B414967D63AD272E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L......^...........!................p........ ...............................@......cW....@.......................................... .......................0.......................................................................................text...D........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-errorhandling-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.899742343297239
Encrypted:	false
SSDEEP:	24:ev1GSs7uQbYMYbdQRMeU47v7mtWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qQ8aDytsOIZWUKcsbh/5WwaE
MD5:	B2F0E7F35DC2EC87310F118BC695A16C
SHA1:	7CCB32E18AEB30544FE4C3839990FB56FBFD5B8A
SHA-256:	D621FC2712D61640CDA9DEC78A5C6C669C999BFE12F49EFD6AF7F4C493B4781B
SHA-512:	3CE7A02A9CF64B5A5F959A7F31A1309ADC27068086792CBC6D0295B12A7520397FE789A267784CEFA12DE1424544EF280568A51A33EA5D48C270FFEC5249F56C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...!..^...........!......................... ....@..........................@.......;....@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-file-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.963601990010592
Encrypted:	false
SSDEEP:	96:vpcCc7v0xB9EiEsX0/Fj6alOEWcsthWwn:xRc7vLFmyDWXhW
MD5:	2A1466DC3582C648644AC01C2D63266D
SHA1:	6194D631C1A04100A1962B5871FBDB02B91B14EE
SHA-256:	160222A049433788DBD0FEBC5F419F10F54AFAF6BBFF3579AFA4806250D664CC
SHA-512:	D62C875AB47B82A30EEC0BB4B34903461920BF843D0B236A38E7B4C4D458DEDAC1958414F43CEF2557D3F08B7E7EA6BF4B2A007A76060880AF75B756752784B8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...#..^...........!......................... ...............................@......*.....@.............................l............ .......................0.......................................................................................text...<........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-file-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11000
Entropy (8bit):	6.786236597870634
Encrypted:	false
SSDEEP:	192:nWchWvU/3XjDBQABJwOR/BVrqnajoFxpq6H:nWchWvmXjDBRJ9RLlkDpLH
MD5:	5576FDD1F244BE3F29072F3D0EF710E1
SHA1:	653A08EEE34C6391CE6BC3786875505578058A29
SHA-256:	26C712D65BD2D3621DBD75EC9CD9C25B5A43035137171C64C101C66F6943DAA0
SHA-512:	D9E08EF90645037FBB06E7E6C98A5D66837DE1C1F51381A4EC0473EF2DC3085838D90ED69D9F0902CB2C6E41B603C7061637EB79655C1131D33C2A7C67A2F9C3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!......................... ...............................0......u.....@.............................L............ ................... ..............8............................................................................text...,........................... ..`.rsrc........ ......................@..@....>..\........8...8...8.......>..\........d...p...p...RSDS.....5.J....5.......api-ms-win-core-file-l1-2-0.pdb.........8....rdata..8........rdata$zzzdbg.......L....edata... ..`....rsrc$01....` .......rsrc$02.......................\....0.......................(...\...~...........P...q...................api-ms-win-core-file-l1-2-0.dll.CreateFile2.kernel32.CreateFile2.GetTempPathW.kernel32.GetTempPathW.GetVolumeNameForVolumeMountPointW.kernel32.GetVolumeNameForVolumeMountPointW.GetVolu

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-file-l2-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11000
Entropy (8bit):	6.891910291633455
Encrypted:	false
SSDEEP:	192:BWchWAU/3XjDBQABJ846B9rtcunYqnajW5s5l5:BWchWAmXjDBRJ8brtul605
MD5:	718B88FC6F158A62309419CDC7C511ED
SHA1:	294701DFA10801BF6BF8E8D6E3EC471EA81255D4
SHA-256:	8CD67DBC62070C1288E83D5789F41664951FB0C120070AB5334AC7719A5C8AC9
SHA-512:	8D41158B776FE31F9B2E785C9E1C90F86D69FE85EC777C171FD5063B73FAF20A7473CB3FF4AFAE9666C6E4473210B94A837B847A0D2455FEC2516E7CA6304C56
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L....\...........!......................... ...............................0.......B....@.......................................... ................... ..............8............................................................................text...m........................... ..`.rsrc........ ......................@..@.....\........8...8...8........\........d...p...p...RSDS+Z[5+Z.N.....x....api-ms-win-core-file-l2-1-0.pdb.........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02....................*..\....v...................4...`...................@...z...............+...W...................,...]...................J.........................api-ms-win-core-file-l2-1-0.dll.CopyFile2.kernel32.CopyFile2.CopyFileExW.kernel32.CopyFileExW.CreateDirectoryExW.k

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-handle-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.753419426634807
Encrypted:	false
SSDEEP:	24:ev1GSs1mEVq5j+rW2cd7e2ttWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qmjq4etsOIZWUKcsbh/5WwaE
MD5:	27C0CE3D2C97E9C2C0C62E07D3E26A13
SHA1:	91EBDE8F9BFFFA560F1B685CBFB917DC711441F6
SHA-256:	5F836CC29FA461FCBCE74E646AB9A8961E245BB8EBF23218B6B90E2ADD19FEEF
SHA-512:	534B8460B408434A52CD332C03FC3EE37C7534A41E9A575A274A93D8179D834320406EF68557E0D23B881192D6145E7A7406114F49AE5323DA9D61E96DC77A89
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...$..^...........!......................... ...............................@...........@.......................................... .......................0.......................................................................................text...X........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.835478342720177
Encrypted:	false
SSDEEP:	48:q1Gp1lRFx9A/MmKStsOIZWUKcsbh/5WwaE:WqP/rQKpOEWcsthWwn
MD5:	94F10418C4CEA9127363E881EFA4D271
SHA1:	D58BE5831E4765FD27C35BCD5B326D09137ABFCD
SHA-256:	96CF72D654E6C99A3FCFC56F2934764B40872A884C7FA34219BAC254B95630AF
SHA-512:	0FE6D8614DFCADEE0996D92218E0CDEE95F3F65C8385E163C7525CB4C18B26DBF081B71B6CF98FF9BF00538B69B45987B92F9F8C80B20E1B72428EB5E021903F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...%..^...........!......................... ...............................@......c.....@.......................................... .......................0.......................................................................................text...`........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-interlocked-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.9436299932662195
Encrypted:	false
SSDEEP:	48:qqBs64pXT2dcdTuL/tsOIZWUKcsbh/5WwaE:mfXesPOEWcsthWwn
MD5:	2434AF3D661B56A4F167A5229C24F6E5
SHA1:	D6AE86C707CE42629C38865F464523DEC03BA80C
SHA-256:	FF17128F59D6C46A265B55D9CFEB95BE6361ED9893F93A19BBE931511A149159
SHA-512:	9C7224DD344271D9A78E51DA15119590CFED75E652A8E7E78B30531541A33168C2DDFF0C52F077ADECEA4AF17AFBE4E7810CE2A10053F899CE1EE2036E1DFF0E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...&..^...........!......................... ....@..........................@...........@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-libraryloader-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.2951782836970467
Encrypted:	false
SSDEEP:	48:qKXKzE04hzX8Guw9tsOIZWUKcsbh/5WwaE:Oh4hLFUOEWcsthWwn
MD5:	FA72CAB1143EAD3B78723CA849FFEB64
SHA1:	6D417596F4DF6F1D02E3F301B0A4957F4CF9A71E
SHA-256:	32DF6DB88C05106AB74C5DF744EF4201B9F4762481A857CB32D6719FB281B67B
SHA-512:	1810383018DAF7735E4C03BDF0D04F9F6469058F262BE309CD19010C990547DB296E2C44D381BFE66C88AC943BD65EF8165358B339D63AC3FE4D046F0AE43719
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...(..^...........!......................... ...............................@.......:....@.......................................... .......................0.......................................................................................text...}........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-localization-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13560
Entropy (8bit):	6.788867649650528
Encrypted:	false
SSDEEP:	384:n8OMw3zdp3bwjGjue9/0jCRrndbtWchWamXjDBRJHkcls4kwa:8OMwBprwjGjue9/0jCRrndbdSXj1Pawa
MD5:	A28C593B3EFAD3870BE8C59957A65CA5
SHA1:	FE90B4DFF833D2A488E36C02D8CD0DA1E9EB4BDD
SHA-256:	7FF7B17ECC55F978DAB562A5BD26826085D9F80131ED415CEE7C3B95C95B246A
SHA-512:	B34230E6AE04335975EE9BB8759767A8E74BBD1E220FA17568D95C755B3F959291A45A45CD27F845D38B940B2062145C21FABADD1985EC92B49E4761942BD90C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...?..\...........!......................... ...............................0......o.....@.......................................... ................... ..............8............................................................................text............................... ..`.rsrc........ ......................@..@....?..\........@...8...8.......?..\........d...x...x...RSDS...o...D..c.~g;....api-ms-win-core-localization-l1-2-0.pdb.........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...............\....V.......;...;...............................F...m.......................=...i...................)...Q...w...................c...............J...y...............>...p...................<...h...................@...d...................0...g...............

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-memory-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.9371318497974177
Encrypted:	false
SSDEEP:	48:qOytw3mSmiDhTqXF5tsOIZWUKcsbh/5WwaE:8wFrOEWcsthWwn
MD5:	23324ABEF38B990024180A4A9F899A21
SHA1:	A0070C48EFB8A7C4D1D7D52B1FEE79B81C259CDB
SHA-256:	70F18C2CD6F33F182D640773ADCC0D700404A6057538FF672928D5A2522D509B
SHA-512:	F61CF350CC5DD3174ECEC07B36501FE106A027CD704DE6159FF23C5E7353F8B0F768BB0874C0AD4CA84B324F38C695FB0054DC3FE44508E2EFE4D900D36E8E77
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...+..^...........!......................... ....@..........................@.......N....@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-namedpipe-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.8697528509943155
Encrypted:	false
SSDEEP:	24:ev1GSs/HfthlYbWzWHWumSqdt6IgXuDKtWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qsfXl4LoKtsOIZWUKcsbh/5WwaE
MD5:	FFDF67D2E77F5FBDCC621753D3662ECE
SHA1:	FFB398989431C7ACAB0BD53B9C300EFCD433B12D
SHA-256:	239FD031C7998174F8526E2E7700274D6AB05D83E4CFD6F67BBB46082EBD25B1
SHA-512:	CA62B778CC98EB4FEEA66C83C30847F5B357F85B25104C06311F6F877873708852C342ADF2B77A57665CFD60E6DD1F4573A67291D113AD31645276A89D1A78B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...-..^...........!......................... ...............................@......"2....@.......................................... .......................0.......................................................................................text...d........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-processenvironment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.3519713376688944
Encrypted:	false
SSDEEP:	48:qUApzSISSpk6/DW2ctsOIZWUKcsbh/5WwaE:gD1OEWcsthWwn
MD5:	A60C0C4D3C272968D6FA0713C50E43FB
SHA1:	9EC54F4F5FCDD7CA59CBEA2CBE531DF0B7B767A9
SHA-256:	D617B06556E662A86AF738C80473A4295152B8305750BF0D387C41467A32F02B
SHA-512:	68168748E66ADB7C45A72416D881100695485FA24E65EE42939739E75ECB1C25E6F868747437449E7A7287F1199C6EF00D4B94C0A81092268B215F8430A7EAA5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L......^...........!......................... ...............................@............@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-processthreads-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.6514719893053424
Encrypted:	false
SSDEEP:	48:q/OxVBScIfVkfWeKB+vpgge6gig8YSzYFTdshgW9M2PkSvtsOIZWUKcsbh/5WwaE:QceuYFT4s9OEWcsthWwn
MD5:	BE5CBC1D1CFF18E377525D4426C5AFA8
SHA1:	7A03E3A9BAA3E2A7CB9C3F129B04D7B14BEAB608
SHA-256:	9761A785F4764D94B97A3B7FA709CC551D7D8963645ED5A12137A6ED007BACCB
SHA-512:	F9A7C1873863CFA11BF859F8CAFA1D5FD29F6248480E43DADB0FACEAB7E2E5908048E1DA45FFC8AD57ED4CE32974A16626041988002FF1C5304C515DE9E84905
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.../..^...........!......................... ....@..........................@............@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-processthreads-l1-1-1.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11728
Entropy (8bit):	6.833152662224508
Encrypted:	false
SSDEEP:	192:9/nDfIehWchW66rMNYsXf0DBQABJPKYfRJgLIyqnajBoHJ48m3:9vDfIehWchW6a8f0DBRJPbRApl9yJf0
MD5:	EBA234A05BD7FA9650EF9184D67554F2
SHA1:	CA1D5A8E1CBBF741BACED4040AA4B57131F2737B
SHA-256:	C51565CC52EA3E372ACCA10FFAD2CD2AE43EAA8BCA18742B045C7E99919B775F
SHA-512:	0F3BB6BBC8D865D2C5261509EE4480953C6D89526CECA67B36EB96D0430F56E9D4B8DBD236588AC150A1219C36E412A3916DBF0719F75E984AA65FBDA1821DEA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!......................... ...............................0......m.....@.......................................... ...................!..............8............................................................................text............................... ..`.rsrc........ ......................@..@....>..\........B...8...8.......>..\........d...\|...\|...RSDSJ.i..hJ..._U......api-ms-win-core-processthreads-l1-1-1.pdb...........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...........\........................@...x...........L...............7...k...................c...............0...q...........&...Q...................R...}...............................api-ms-win-core-processthreads-l1-1-1.dll.FlushInstructionCache.kernel32.FlushInstru

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-profile-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.609887119288061
Encrypted:	false
SSDEEP:	24:ev1GSsgBoBBCAZTxztWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:q63LtsOIZWUKcsbh/5WwaE
MD5:	A35CD77DBA1C817BE05065E84524946B
SHA1:	442C7DCBFBBCA3EFD2ECB80CA7324D0BE8D698E7
SHA-256:	E9CBFBD8AD61FE008718057D30D0348CC0B3789C70B4E187FAD2C87FD27C9B6E
SHA-512:	05D57B37E793F3F9917521C7F36FE5A68B5F495564AE7921FB6E73BCA18B2E6005E1AAA813FFD27594FCEA16AF4F8D3C71A77B1AC604B9B86E9C814849B21CA4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...0..^...........!................f........ ...............................@............@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-rtlsupport-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.7576949832341655
Encrypted:	false
SSDEEP:	24:ev1GSsr35/qNTvvOX3L/4tWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:q+qsL4tsOIZWUKcsbh/5WwaE
MD5:	C54961C9C9C3D48006208196E2105DE8
SHA1:	4AB2EAF1F541924D1A86DC9D675A359CD91BE6EB
SHA-256:	0EE1E3B028390DA9F875E0929743111E2840E21F61D35A6E44018CA33D4819DE
SHA-512:	24159C8AAB3612562F0F38C9A696B8ECDE78D70841C4355334D6013CFE2AD37ECAFF88FCC8E90533F2B54F3B093D4C2F6B04070355C47605D6A386AF949921BB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...1..^...........!......................... ...............................@............@.......................................... .......................0.......................................................................................text...Y........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.9869223332478554
Encrypted:	false
SSDEEP:	24:ev1GSs/mLTBkRHWqSzhP2LEKJMwidPCtWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qvlYMPUEKJMBQtsOIZWUKcsbh/5WwaE
MD5:	A4C806B9F0C62E91B9F6012FB7EE689D
SHA1:	569EB4EA7ACED211222740F29B1FB4AF62590685
SHA-256:	4CC985B9E61A69FDB6969BEE48573F85A1DBAB4B22216651564C3F8AD5C57FD6
SHA-512:	0A341B487A7DC647A45C31F246FF2A33B3DE16875835F08ACBED1BB0564BC347B877F0A59F133896D64802895A2029D0463B19D65AEF0C4AE649598BE5CD2DC8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...2..^...........!......................... ...............................@......eQ....@............................."............ .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-synch-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.728779502053704
Encrypted:	false
SSDEEP:	48:qFStBN4EaC1nFLrNLZoVdt6zsOtsOIZWUKcsbh/5WwaE:ZBG01ntZOV76zs1OEWcsthWwn
MD5:	5D8B0EA7413765D09CE7857CD511D964
SHA1:	E5AEA2EA33959497F12C986AFEC86A7113B4812C
SHA-256:	8269652F977F362CBD4495DCEDCD101D974EC54C21D49B75BBEC0DAB841075B8
SHA-512:	5D283C44138AF809B7354F65802FA817721C2F087F864FA064F7D99EC0C79035DB198D389D042A785277B844820C265985973885E413368A4B379B766409CFD2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...3..^...........!......................... ....@..........................@............@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-synch-l1-2-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11512
Entropy (8bit):	6.854713733169912
Encrypted:	false
SSDEEP:	192:qB1tZ34WchWyEU/3XjDBQABJbBiXA6qnajAjE:qjtZ34WchWjmXjDBRJEXhlkjE
MD5:	8165F2DEFDFF0F2897F2DA1169116659
SHA1:	63831DCD6F9B439C4B081DCCCAC43D131E5A01A6
SHA-256:	A2F1957B595ACAB2BB360FFAA522A6A6C47FA5F88BCEF088509E5CB6830103CD
SHA-512:	BC43281F9975BA797258AD114CA46E044ED06DF1E00AB1B734278FB56349FF4EF398A635C4914BBA1503F10575CB5DD1507805D4F7224A92005C659A761BA53C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!......................... ...............................0............@.............................v............ ................... ..............8............................................................................text...V........................... ..`.rsrc........ ......................@..@....>..\........9...8...8.......>..\........d...t...t...RSDSo...$.M....^.hL....api-ms-win-core-synch-l1-2-0.pdb............8....rdata..8........rdata$zzzdbg.......v....edata... ..`....rsrc$01....` .......rsrc$02...................\........................L...........2...o...............7...}...............B...s...............7...........W...................\...............(...e...............!.....................................api-ms-win-core-synch-l1-2-0.dll.DeleteSynchronization

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-sysinfo-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.291917611258681
Encrypted:	false
SSDEEP:	48:qCA4Q8utKmj9ABAmCp/OrtsOIZWUKcsbh/5WwaE:BAmuttMAtOEWcsthWwn
MD5:	61B10137B1462E5667787C8F00C3A84E
SHA1:	693C163476BDB4D09CD1E506B2E5DB32ADD57277
SHA-256:	7855E2FCE7D1D8C515409B29FAC9706FDDA9B347614F0E263D26391E8CD7BC98
SHA-512:	E52C8A417A0BE5200BAFEF0B0AD3BDFD02EDE09C0826488A0B049FC903747F6E995E8DC31892206381B57683FC6D612E2D2F47773C536EA6B9818A822A5C6EE3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L...4..^...........!......................... ...............................@............@.......................................... .......................0.......................................................................................text...g........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-timezone-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11000
Entropy (8bit):	6.91031697572317
Encrypted:	false
SSDEEP:	192:TiWchW+U/3XjDBQABJY9+K7jjT6iBTqnajR5pn:WWchW+mXjDBRJYcKTTXZlNT
MD5:	F605BBC701E9A9AC82D5FE9533D46EBD
SHA1:	E3231C03659DCD4EDAF1869849E1B5060C8A9481
SHA-256:	B4D6282B721EC240CCF03C396E0AA589D113E6E5D49942AC7E1D9BEDC50561E4
SHA-512:	C158DB8A931FAD6261673142CAFEC366D1C70BD962788DDE99B7895B2057B29AA26FC07E2EE7BFC2A8204EA07D1FAF03CD313BC4836CDBB642226BABD9BF4F2B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!......................... ...............................0......^^....@.......................................... ................... ..............8............................................................................text............................... ..`.rsrc........ ......................@..@....>..\........<...8...8.......>..\........d...t...t...RSDS...Z'..C..%.N-.....api-ms-win-core-timezone-l1-1-0.pdb.........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................\....b...................,...P...............S...............I...................5...z...........)...r.....................api-ms-win-core-timezone-l1-1-0.dll.FileTimeToSystemTime.kernel32.FileTimeToSystemTime.GetDynamicTimeZoneInformation.kernel32.GetDynam

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-core-util-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.7149496985519854
Encrypted:	false
SSDEEP:	24:ev1GSsVyZ/dIWJOD76tWfrKIZW0HcNcsrV9h7r35WWdPOPNEf:qVZaoOv6tsOIZWUKcsbh/5WwaE
MD5:	5D8C4FB5D4E6F3AA9653B6E4E79DCCE8
SHA1:	D8BEE8FA817ECFB90038C51FDB077BCAC444A81C
SHA-256:	71F1D3FD3E9AD7F5B1F9A3FF6795D7A64B53903D4F705A796A77E2440CA88513
SHA-512:	93902982612FA780936A7858FFFDA631649C3ECF4924F393D155262BCDFCA9369258E4246D191F2D0EF571DBCD3BB05F911F67FAFB5C8BC3D72CEF574B732164
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....^...........!................m........ ...............................@...........@.......................................... .......................0.......................................................................................text...S........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-conio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12024
Entropy (8bit):	6.778635139310907
Encrypted:	false
SSDEEP:	192:DQWchWyU/3XjDBQABJAPrxhstj02qnajJZ67V:DQWchWymXjDBRJAzIjXlP67V
MD5:	4BE787D220B988D8936584B1C534B9A4
SHA1:	E06F728ABCB6EE4892D6CE4075A72D6567560C26
SHA-256:	B0FC7123806FBC54B32584CDA425AB8C7553CA6D1FE382C8C137BBDD5872C5F1
SHA-512:	32204579E3F27B31D5043B08E7D014D00774F4008331B53134012BE194EB8C696DFD3690D09B4EC6685C99B6B7801BE1EC9DC234FEE1088E961022344DFD902C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L....\...........!......................... ...............................0............@.......................................... ................... ..............8............................................................................text............................... ..`.rsrc........ ......................@..@.....\........8...8...8........\........d...p...p...RSDS0....o[K.K$..U.....api-ms-win-crt-conio-l1-1-0.pdb.........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.......................\....4...........................l...............W...............7...P...j...........................,...L...l.......................,...M...o...........T...............>...y...........0...G...b...{...........................D...]...........................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-convert-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15096
Entropy (8bit):	6.538110465480005
Encrypted:	false
SSDEEP:	192:5PZswcy1WchW9U/3XjDBQABJncunYqnajWnN:kvy1WchW9mXjDBRJnul6N
MD5:	C4A790E9B5371D5179BFF78B3577EDCC
SHA1:	60D4C670643CA8E0BB6F482B7133EFD3C59037DF
SHA-256:	F3334FD8CDE800152651200258DC4719271010677E1A55218C5F24BC6E7C7FF5
SHA-512:	B32DF7AB4F4AB53C2357EF1E872740736F34F74A72A1AB07BA889A77F09FF2F7918C572C8255F70365729A1BD3F0ADE23C09B08D4C0A44DC4E45318F4515FED8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!.........................0...............................@......M.....@..........................................0................... ..............8............................................................................text............................... ..`.rsrc........0......................@..@....>..\........:...8...8.......>..\........d...t...t...RSDSj}VW8.C...X...{....api-ms-win-crt-convert-l1-1-0.pdb...........8....rdata..8........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02...................\............z...z...........................I...b...}...........................;...S...j...............................0...I...`...w..........................."...?...^...........................>...^..............................C...\...x...............

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-environment-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11512
Entropy (8bit):	6.74520207428127
Encrypted:	false
SSDEEP:	192:X4zWchWqU/3XjDBQABJeQxUtpwBqnajry372Ni:ozWchWqmXjDBRJeQkqliX
MD5:	6F1A2D17995BAFF500D9A2E2EA4BF493
SHA1:	18DE93491E362DE93F9E61C00F1C94AEF2D880C5
SHA-256:	2ED73364A84581E67B5CE98EE8F69DDC03F49A202A94F367E9855B50EB8AE9A4
SHA-512:	D56BF9A90F05BA17119886A82218E60B1A2C31DD05396AB4894523658C6299A353AADA786B6272CE1FE88886D17AC43F0D71DBEF569DDBCC71D1621FF27FE5D7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L......\...........!......................... ...............................0......~.....@............................."............ ................... ..............8............................................................................text............................... ..`.rsrc........ ......................@..@.......\........>...8...8..........\........d...x...x...RSDSv..<...A.nM4.UW.....api-ms-win-crt-environment-l1-1-0.pdb...........8....rdata..8........rdata$zzzdbg......."....edata... ..`....rsrc$01....` .......rsrc$02...............\........................P...............4...O...j...........................<...Y...v...........................*...G...`...}.......................1...P...k.......................................................api-ms-win-crt-environment-l1-1-0.dll.__p__e

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-filesystem-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13048
Entropy (8bit):	6.778226882900008
Encrypted:	false
SSDEEP:	192:wnWlC0i5CNWchWdU/3XjDBQABJtUUtpwBqnajry37Od:wnWm5CNWchWdmXjDBRJHqliyd
MD5:	34664EA68D4DC7B94015A90869B55604
SHA1:	5BD6ABB07694159E4BB9B979669BD674747892EA
SHA-256:	C45FD7FE182B3EDD287F5AE36E8E77198885BE931607CA207AF7DC8489B60BAD
SHA-512:	4AC1B9CAA40988E313E6075445906C372E8F0D6FD3E3092D2358E9584BB0F0C51586C8579EA8C4031D314A6D5ECE31BFA8F4025225800F33EF9B290EDB8D7DC3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L.....\...........!......................... ...............................0......7n....@.......................................... ................... ..............8............................................................................text............................... ..`.rsrc........ ......................@..@......\........=...8...8.........\........d...x...x...RSDSS\%....N.*bN.v!h....api-ms-win-crt-filesystem-l1-1-0.pdb............8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...............\............A...A...............................&...A...b.......................A...e...........................?...]...\|.......................(...F...b...~.......................%...B...^...w...................5...[.......................)...C...^...x...

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-heap-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11512
Entropy (8bit):	6.886646397973874
Encrypted:	false
SSDEEP:	192:QY17aFBRwWchWt1U/3XjDBQABJhKZRqnajlthwn:JVWchWt1mXjDBRJhyRl7I
MD5:	FD5925326354D9186891EB6DA64DA666
SHA1:	3786F18FFD4B8F2E053F1568529C6B2C4A3D1B69
SHA-256:	05E695D316B0AB969CC221A99BF6F2581CBE5DADD2B966E811D151DFC9DBAEB4
SHA-512:	AAD816E7C124AB0CBB3D1F5B472ED5E74F568DF7B2DA14D802D3E25A86FB3BDA3C4D1F60CCD89AA07A941D48BEFABD0506403E4F3A10B770947649C1E234032E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...?..\...........!......................... ...............................0......Y.....@.......................................... ................... ..............8............................................................................text............................... ..`.rsrc........ ......................@..@....?..\........7...8...8.......?..\........d...p...p...RSDS...=9.AK.....-BS....api-ms-win-crt-heap-l1-1-0.pdb..........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.......................\........................t.......C...j...............3...f.......................6...Y...t.......................C...d.......................5...Z...................U.......................%...P...k.......................5...Z...w...........................

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-locale-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11512
Entropy (8bit):	6.8416175287863235
Encrypted:	false
SSDEEP:	192:1UdWchWBU/3XjDBQABJceinEqnajxmQR7:idWchWBmXjDBRJ6ElsQR
MD5:	9A69EB348D7BC3C58E2E30FB2B8DD62B
SHA1:	F18B5D1EFED27DE795207B413F19CF2643D9CADD
SHA-256:	70E06ED73BEC7AC66C43EBAA03A020A2B976EB480DED429DB74D31D47933FE78
SHA-512:	F3A74A7B311884179CEFEEB07551C09385F6F5D76A378A4F5BE66D5A155C3A8820E256B5A312F5F9FF24A5D87B7EE65DB503C7C721149C50E62263B0FC9ADF5E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L......\...........!......................... ...............................0............@.............................e............ ................... ..............8............................................................................text...E........................... ..`.rsrc........ ......................@..@.......\........9...8...8..........\........d...t...t...RSDSEr.:.?#M..=........api-ms-win-crt-locale-l1-1-0.pdb............8....rdata..8........rdata$zzzdbg.......e....edata... ..`....rsrc$01....` .......rsrc$02...................\........................X...........8...n...............Q...w...................D...d.......................2......."...W...............C...h...................;...V...{...................(...........................................api-ms-win-crt-locale-l1

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-math-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	21752
Entropy (8bit):	6.259566068130637
Encrypted:	false
SSDEEP:	384:ku+7tbM4Oe5grykfIgTmLqWchWFQmXjDBRJi2jXlP6Hoz:GJMq5grxfInAWXj1Pii8oz
MD5:	5559D8F37665F327C295B4CD1638A3F2
SHA1:	36D1A51B7D1741B0C3659BE51FCB5D0C997752F1
SHA-256:	0C257AB2BA4553470B14C159FEA39673FD7CFD02CEDC2AA1294AB75618E19F7F
SHA-512:	AAD4B0FE7172C1472DEEFA1DCD10072AF73C14C50CB8E0B6E1B189DC9CE3BB043CF8DBB8306045BF36D0F46C9272D87664ED11670EBCCDD16528EF2A35D59510
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!.........................@...............................P............@..............................+...........@...............4... ..............8............................................................................text....,.......................... ..`.rsrc........@.......0..............@..@....>..\........7...8...8.......>..\........d...p...p...RSDS..-.(..B....&.....api-ms-win-crt-math-l1-1-0.pdb..........8....rdata..8........rdata$zzzdbg........+...edata...@..`....rsrc$01....`@.......rsrc$02.......................\....L.......:...:...............s........................... ...8...Q...j...............................-...G...b...}.................... ..I ..u ... ... ... ..%!..O!..y!...!...!...!..&"..S"..}"..."..."..."..%#..O#..z#...#...#...#...#...$..$$..<$..S$..h$..

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-process-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12024
Entropy (8bit):	6.742295990242731
Encrypted:	false
SSDEEP:	192:brjqjd71WchWNU/3XjDBQABJRsJSdqnaj7wX7:3jMWchWNmXjDBRJvdl/y7
MD5:	0691F7DBC96E4F42908E337FC20FFE9F
SHA1:	4828F5A36E20E72E7679F0A70061A3C091C4F41F
SHA-256:	73747A60A92703F2EB0D83826093203357538A72CA321CFADC2E60427A6ED053
SHA-512:	CB6F40517BE63DDCA0BDB9649D5DA50C11856C53C3200830EB2939E08ACE338678455ADF346DF84EA1F81FD6D0E91E4BFBE58AA5933CE87BC5337442AF1BFFC3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!......................... ...............................0......Q.....@.............................x............ ................... ..............8............................................................................text...X........................... ..`.rsrc........ ......................@..@....>..\........:...8...8.......>..\........d...t...t...RSDS..K....H..].c.K.....api-ms-win-crt-process-l1-1-0.pdb...........8....rdata..8........rdata$zzzdbg.......x....edata... ..`....rsrc$01....` .......rsrc$02...................\....p.......$...$...........(...........................)...A...Z...t.........................../...J...f...........................&...A...]...y.......................&...D..........................."...9...R...k...........................&...A...\...y...

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-runtime-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15608
Entropy (8bit):	6.572932409777698
Encrypted:	false
SSDEEP:	192:fA/fhrpIhhf4AN5/jijWchWUU/3XjDBQABJ56UtpwBqnajry37wZM:EhrKIWchWUmXjDBRJdqli3
MD5:	9ECEEDBC48924AD17950E0EF64BFC78D
SHA1:	8BAD15420DCEB3E250DC88FE6EC8C5C5FD0953CB
SHA-256:	9B5DFBB6027D28C1A41CAB008148E4A98BCD3D6A6D43269CD08DD8BBC366AA0F
SHA-512:	F986673BCFD71CBED8EDE8E8063D3911D499C9600017781F38AB2014DB0E24467B0EBF398400D949219E84C13596248530FB9DE297AF83F98967F7FAEE55FCD3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L......\...........!.........................0...............................@......ol....@..........................................0................... ..............8............................................................................text............................... ..`.rsrc........0......................@..@.......\........:...8...8..........\........d...t...t...RSDS~.V..J...f...B....api-ms-win-crt-runtime-l1-1-0.pdb...........8....rdata..8........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02...................\....6.......k...k...........`...^...{...................#...C...d.......................7...Z...}.......................>...V...o...................6..._.......................:..._...z...................U...............>...............1...R...............

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-stdio-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17144
Entropy (8bit):	6.4771834708840865
Encrypted:	false
SSDEEP:	192:KQx2tPbvyeyuWYFxEpahjWchWvU/3XjDBQABJF/Sn7jjT6iBTqnajR5OJfx:yTFVhjWchWvmXjDBRJsnTTXZlNIJp
MD5:	6CC5E2392B5617175DA2406B7187C6C8
SHA1:	055CD8FD422DE7630A256774BD90E70B1346A8A7
SHA-256:	15D2AAC51EF02EB8242E7C121D4F405237DA415E4A05F41A16B8E3640DC27298
SHA-512:	6B99CA77F45063BA4ECDAEA214F42E8EE3431CE03E54F5119C284385408F438273BA3C881BB71BCF4059F8AE5CE6F05A1CF36FC84A65D9BFA9CE595A0A0BE295
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L....\...........!.........................0...............................@......9.....@.............................a............0..............."... ..............8............................................................................text...A........................... ..`.rsrc........0......................@..@.....\........8...8...8........\........d...p...p...RSDS......B.8<.)6f}....api-ms-win-crt-stdio-l1-1-0.pdb.........8....rdata..8........rdata$zzzdbg.......a....edata...0..`....rsrc$01....`0.......rsrc$02.......................\....>...........................n...................Y...............H...............=...x...........(...e...............$...>...V...n...........................4...U...w.......................:...[...}...................1...U...w................ ..' ..J ..

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-string-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17352
Entropy (8bit):	6.490243600324852
Encrypted:	false
SSDEEP:	384:ZUv8x0C5yguNvZ5VQgx3SbwA7yMVIkFGlvWchWo8f0DBRJwDldl99z3R:avi5yguNvZ5VQgx3SbwA71IkFsb1PY
MD5:	8DB568B36F13FEEEFD150DA0B63ADCBE
SHA1:	03BB29284802DB358609C2CD10398D8A5077E417
SHA-256:	8597F9F239B350B86350F3CDB326BDCA49CB23022703FE049F838998A8A32CD5
SHA-512:	8D57FA2975E45C2DF82634135E57F29579778A118E033F036BB093E654A9A9D6A0B450C45B24D68FAC2232D3255DBE9C88368EA8F6D697A86D035417B9CE61E6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!.........................0...............................@......`.....@..........................................0..............."...!..............8............................................................................text............................... ..`.rsrc........0......................@..@....>..\........9...8...8.......>..\........d...t...t...RSDS?L..%i.L.3^.h.......api-ms-win-crt-string-l1-1-0.pdb............8....rdata..8........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02...................\................................'...C..._...\|.......................1...P...m.......................+...J...i.......................+...K...l.......................2...S...u.......................(...B..._...}......................./...N...m...............

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-time-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13560
Entropy (8bit):	6.6675957409079505
Encrypted:	false
SSDEEP:	192:ZCGYigrDqWchWKU/3XjDBQABJFXfH098uXqnajH/7CBO:EGY36WchWKmXjDBRJ9XuXlT7CBO
MD5:	8F5ECA7B9BE54BEDE759B2BA2F018BB2
SHA1:	F7FB27990F9629332074FE4A3703DD3CDACF78B9
SHA-256:	9E5D937C72C6D5709B907130CF4C2BD12E3427E44D217A2047D461940C281C1F
SHA-512:	45DE9E9B66303554487016D448C11CC38E6EAD5B48B8660CC311C182A7B3CC20A83063EEF0F4071CA126341B8083F4A55523445B13E060E5B745527E3B6B44D4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L...>..\...........!......................... ...............................0.......h....@.......................................... ................... ..............8............................................................................text............................... ..`.rsrc........ ......................@..@....>..\........7...8...8.......>..\........d...p...p...RSDS9[....dF.2$L..t.....api-ms-win-crt-time-l1-1-0.pdb..........8....rdata..8........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.......................\............H...H.......(...H...........<...Z...x.......................6...S...n.......................$...A...^...{.......................B...c.......................&...K...p...........................K...k.......................%...E...^...y...........

C:\Users\user\AppData\Local\Temp\_MEI76202\api-ms-win-crt-utility-l1-1-0.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11512
Entropy (8bit):	6.833217638045214
Encrypted:	false
SSDEEP:	192:kWfHQdu/WchWtAU/3XjDBQABJWDPJSdqnaj7ej:kWfRWchWtAmXjDBRJmsdl/G
MD5:	2BC2D1EF644E67C00E139EACD6D6F656
SHA1:	56F6F85FC0A8F9F382AADD9768AE777895FCFC60
SHA-256:	C6ACAD7EECD63B54C2F12610B273A6BF5B4DB737C0F8CE7670E778DD7A394E39
SHA-512:	ECE35C75A697812A113C8FCB625A7E23868E9697BAE814665D28CD016AF5AEDEAE21E0D4374F611992BB29E9EDB9BBA732D5113D7A4A779EE8DEF28B99509A5D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.d.c.d.c.d...d.b.d...`.a.d.....b.d...f.b.d.Richc.d.PE..L......\...........!......................... ...............................0......a.....@.............................^............ ................... ..............8............................................................................text...>........................... ..`.rsrc........ ......................@..@.......\........:...8...8..........\........d...t...t...RSDS..t..-.A.y2=D.......api-ms-win-crt-utility-l1-1-0.pdb...........8....rdata..8........rdata$zzzdbg.......^....edata... ..`....rsrc$01....` .......rsrc$02...................\....4...........................]...~...................%...<...U...r...............................+...B...W...p.................................../...V...m.......................5...L...g...............................!...>...O...h.......................

C:\Users\user\AppData\Local\Temp\_MEI76202\base_library.zip

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	778636
Entropy (8bit):	5.482682144508252
Encrypted:	false
SSDEEP:	12288:pwhid7QIcRZuC3G6CtosQNRs54PK4IMog9Vw596fCEk5BgdeiR32Ez:uhidQutosQNRs54PK4IM1Vw596fCEkX+
MD5:	877F89F4A141DA5810AE8DF658DAE577
SHA1:	DF17D4BF2FA8BC3CE9A85F635EE8CFE640CDD3D2
SHA-256:	F009EDC33AEA2EE2DC1E9ED32E27DDDA6204C45C87A6F722B883C76EB394555F
SHA-512:	988A3DAF5DF93FE509886C4AF86039493667BA83957D41A48615101D3BBCD8B2C319AE59E59CC83A6765F33558E396294F8E9E349F8C21131C0F10A2BAD6F212
Malicious:	false
Preview:	PK..........!...2............._bootlocale.pycU............e.....................@....z...d.Z.d.d.l.Z.d.d.l.Z.e.j...d...r,d.d.d...Z.nJz.e.j...W.n4..e.k.rj......e.e.d...r\d.d.d...Z.n.d.d.d...Z.Y.n.X.d.d.d...Z.d.S.)...A minimal subset of the locale module used at interpreter startup.(imported by the _io module), in order to reduce startup time...Don't import directly from third-party code; use the `locale` module instead!......N..winTc....................C........t.j.j.r.d.S.t.....d...S.).N..UTF-8.........sys..flags..utf8_mode.._locale.._getdefaultlocale....do_setlocale..r......_bootlocale.py..getpreferredencoding...............r......getandroidapilevelc....................C........d.S.).Nr....r....r....r....r....r....r...............c....................C........t.j.j.r.d.S.d.d.l.}.\|...\|...S.).Nr....r......r....r....r......localer......r....r....r....r....r....r.....................c....................C....6...\|.r.t...t.j.j.r.d.S.t...t.j...}.\|.s2t.j.d.k.r2d.}.\|.S.).Nr......darwin....A

C:\Users\user\AppData\Local\Temp\_MEI76202\libcrypto-1_1.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2234560
Entropy (8bit):	6.107082014192982
Encrypted:	false
SSDEEP:	49152:mIvPtO+ejtvRMO8xxZv1CPwDv3uFfJhFcl:xvPtwjnMO8HZv1CPwDv3uFfJh6
MD5:	76DA35FDE4E3E110331612AB351A811C
SHA1:	1836517441C70848DB3F5D4EF4EA0CB2E330732A
SHA-256:	ECABC901FA89CD771405C004849384A5148644C273A88048AE16C86BD14EF4DD
SHA-512:	A43DAE59C7D71E38F6365413946EE740C643299403DFE531D0CDBD561623807784830124B786422799AE45852F5AA541B5A94FA8E0947850547E2446BA99BC30
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... ..dA..dA..dA..m9..pA..6)..fA..6)..nA..6)..nA..6)..nA..?)..oA..dA...A...(...C...(..eA...(m.eA...(..eA..RichdA..................PE..L......_...........!.................H........................................"......."...@.........................0~...h...U!.T.....!.\|.............!.......!.X....b..8............................b..@............P!..............................text.............................. ..`.rdata..F&.......(..................@..@.data...4Y.... ....... .............@....idata..h....P!....... .............@..@.00cfg.......p!....... .............@..@.rsrc...\|.....!.......!.............@..@.reloc........!.......!.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\libffi-7.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	29208
Entropy (8bit):	6.643623418348
Encrypted:	false
SSDEEP:	384:l69PtXvz8cLBN3gHhY4AFlfIvDzqig2c2LuRRClfW23JLURlV5uH+6nYPLxDG4yG:l65tXvz2CTIvy2c26A35qYvWDG4yG
MD5:	BC20614744EBF4C2B8ACD28D1FE54174
SHA1:	665C0ACC404E13A69800FAE94EFD69A41BDDA901
SHA-256:	0C7EC6DE19C246A23756B8550E6178AC2394B1093E96D0F43789124149486F57
SHA-512:	0C473E7070C72D85AE098D208B8D128B50574ABEBBA874DDA2A7408AEA2AABC6C4B9018801416670AF91548C471B7DD5A709A7B17E3358B053C37433665D3F6B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)..qm.."m.."m.."d.p"o.."?..#o.."...#n.."m.."I.."?..#f.."?..#g.."?..#n.."...#k.."...#l.."...#l.."...#l.."Richm.."................PE..L.....]...........!.....@...........E.......P......................................H.....@.........................pU.......X..P....................X.......p..<....R..............................0R..@............P...............................text...j>.......@.................. ..`.rdata..p....P.......D..............@..@.data........`.......R..............@....reloc..<....p.......T..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\libssl-1_1.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	538304
Entropy (8bit):	5.760022892820208
Encrypted:	false
SSDEEP:	12288:AqejFQiEYXBYYu3yzOBC4ISRpQuU2lvz/c:xaFJ5zF41TQuU2lvz/c
MD5:	0E15ACB04CFABDE2A6493FAA49E74280
SHA1:	E8EAC74A6DA0F1E78C66F84C14CF92DF18CC7E8A
SHA-256:	A59EC84F8AE6F0174D5C1CE3ABC22B0FDCED6B50F7C8B689367AC859AC9E08E7
SHA-512:	12D24D5FD42829FD0F89A1E42F46CD498D71E441EC803161319E721A3280406589B540EC949BBB6C0AF661CE806BA50A1097B7793C9A1CCC83061DEC4FC753AD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............K...K...K..wK...K..J...K..J...K..J...K..J...K..J...K)..J...K...Km..K)..J...K)..J...K)..K...K)..J...KRich...K................PE..L......_...........!.........................................................`......h.....@..............................N..............s.................... ...5..P...8...............................@............................................text...7........................... ..`.rdata...g.......h..................@..@.data....;...p...6...Z..............@....idata..=A.......B..................@..@.00cfg..............................@..@.rsrc...s...........................@..@.reloc..4=... ...>..................@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\pyexpat.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	168624
Entropy (8bit):	6.629244601257658
Encrypted:	false
SSDEEP:	3072:ZhgFHiME7l8Z5bYwLoE8KZKGjUdGjN81IuBhh7Eu0:QFHc7l8ZORKZKGjtjN8E
MD5:	6E2329BA53FF8B6E2E4069A859EE3FCE
SHA1:	1C067F16A3069A44EDF7A073FA35B70B86F99405
SHA-256:	27363A2DCDD990DEF43307B1644DC03304F9478830C8989C49F9DA2491889E6E
SHA-512:	C0FCC4F0AE5C019ADAE3593F81BA26CA8C5CF6A7C15B78FD42B052DBDA6CBDEFDC6F8FA52C3FD614F1B17F48725D58CA23972C8B7C183EAFC0D542251A9EF23D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C...-L..-L..-L..L..-Ls.,M..-Ls.(M..-Ls.)M..-Ls..M..-LT.,M..-L.,M..-L..,L..-LT.%M..-LT.-M..-LT..L..-LT./M..-LRich..-L........PE..L...../`...........!......................................................................@.........................`B..P....B.......p...............v...............=..T............................>..@............................................text............................... ..`.rdata...N.......P..................@..@.data...X....P.......>..............@....rsrc........p.......J..............@..@.reloc........... ...V..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\python38.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4052656
Entropy (8bit):	6.720992659261596
Encrypted:	false
SSDEEP:	49152:NgQmEhbJSgm06kaUr9Alta2tPfx1CI8jXHB7MZnCPYJAT37PtLKK4WoooOA:iEWg5uta2/8LHxMZBJ4lKKoooOA
MD5:	7B97AB4F12ED448B26669B83F9061BEF
SHA1:	0E2516F3DC50EFB7FAA0B276830B4F95D8084772
SHA-256:	E7312737C82CC967FB669AE4C2736CB005F4192E1654C717DBDC5986E562957B
SHA-512:	4F123981982EA4AFFE230CBDCDBEC9DE419D4F3D92C026B2DF3DA7D2BE9BEFAAB707167265CFC97FF183F13A60BE6C53FB541E00F518BEACE819B8B9B4927D8A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........j...................%(................................"...y...".....".....".....Rich............PE..L...m./`...........!......#..........#.......#...............................?.......>...@..........................b8......%9.\|.....=...............=...... =..e...]8.T...........................P^8.@.............#..............................text.....#.......#................. ..`.rdata.......#.......#.............@..@.data.......P9......89.............@....rsrc.........=......H;.............@..@.reloc...e... =..f...T;.............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\select.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24752
Entropy (8bit):	6.44568082211825
Encrypted:	false
SSDEEP:	384:Tg7oA2vjUzNJmTgj0nq1RiPFdd+k1IumGEKDG4y8cLrhX:ccnvjANJiXnqSdWk1IumGEKDG4yLrhX
MD5:	404C4F2FF59DA1993518D39754376606
SHA1:	560A0F8A301EF5FEF541C6CE64975E3AA1AD1460
SHA-256:	BB4FE62B14AD6FC559A1D88339D0F302450DAFEC09CF6027069F66B6D5BEF1AB
SHA-512:	585ECF2B3DA37F1144191A70CA7C29151DE3C6BC1943719318BC291B29A08BB7E4A8C6200F8C743DF8BD32225221CADEB8306450B7E491B9B16AA94587711169
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2 ..SN..SN..SN..+...SN.S"O..SN.S"K..SN.S"J..SN.S"M..SN.t!O..SN..8O..SN..SO..SN.t!F..SN.t!N..SN.t!...SN.t!L..SN.Rich.SN.........................PE..L...../`...........!.........&...............0......................................j.....@......................... ;..L...l;..x....`...............D.......p.......6..T............................6..@............0...............................text...]........................... ..`.rdata.......0....... ..............@..@.data........P.......2..............@....rsrc........`.......4..............@..@.reloc.......p.......@..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\ucrtbase.dll

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	914584
Entropy (8bit):	6.825568092802891
Encrypted:	false
SSDEEP:	24576:zadFmfYOLU7712zo2TeW04aoVmcvIZPoy4HHJ:udFlHuSPaHJ
MD5:	A924B24D71829DA17E8908E05A5321E4
SHA1:	FA5C69798B997C34C87A8B32130F664CDEF8C124
SHA-256:	F32A61D91264AFF96EFD719915BED80785A8DB4C8D881D6DA28909B620FE466F
SHA-512:	9223EC0E6E0F70B92473E897E4FD4635A19E9CA3AFF2FE7C5C065764B58E86460442991787525ED53E425ECD36F2881A6DF34C35D2A0E21B7AC4BC61BF1CBEAB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`.M.............yf.........Z...........\.......\.......\.......\.......\.......\.......\......Rich............PE..L...Y..\...........!.....,..........P........@.......................................e....@A.........................^.......b.......... ................@.......Y..p...8...........................H...@............`...............................text....+.......,.................. ..`.data...$....@.......0..............@....idata..j....`.......>..............@..@.rsrc... ............T..............@..@.reloc...Y.......Z...Z..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1091248
Entropy (8bit):	5.360848319038452
Encrypted:	false
SSDEEP:	12288:gJz3Q191SnFRHotduNpqQOZ6gBjCmN/X4GyCAx9++bBlhJk93cgewrxEekMGv:gJ3KSogG7hCc/4D9nbDhG2wr0MGv
MD5:	5FB1A0234305D5B69DB79B4F7F89EBCA
SHA1:	9A6EF3DD3A024B433566AC20146344A1F0631F9B
SHA-256:	D9AF40281331CF55E21E20A57342FE86C6C729906D6A3AF3F3F3AD00F2284ABE
SHA-512:	FE52C0AE494459B8D015E2E28AF92BDCF6A491DC424D803B3E87E21612C4654136335E5399F5CA0FEF4717EECE75D53AC11050623E109E4F7ED59392D74A9085
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........c..0..0..0..P0..0w..1..0w..1..0w..1..0w..1..0P..1..0...1..0..0...0P..1..0P..1..0P.<0..0P..1..0Rich..0........................PE..L...../`...........!.....F...B......rF.......`.......................................j....@.........................pv..X....v.......................................q..T...........................@r..@............`..4............................text....E.......F.................. ..`.rdata.......`... ...J..............@..@.data................j..............@....rsrc................v..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI76202\whacipher.exe.manifest

Download File

Process:	C:\Users\user\Desktop\whacipher.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1495
Entropy (8bit):	5.279402743773171
Encrypted:	false
SSDEEP:	24:2dt4+iNjg9mMPgi0iiNK+bkgxIme7cb3jgMkb4+GE:cSFjgYSEK+bkgxImeMcn3GE
MD5:	7E57FFDD51CCCD2C7C5FA576F736CB3F
SHA1:	1BBB4DCF5B6911A0F62C9BA105D945A9074A4AF3
SHA-256:	D98203431D7F7AE26F71FF6618BAC420D8ADEEACB8F529596913E8B4D1A037DE
SHA-512:	D4DC09EBD57268B39284BE85047DAC86C790CBD00E2B8A36B939776791F587BE969A3489F0493BED0B7BB0C3BC4FB65E7E50B93829556E58D5420CA094BCE735
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity type="win32" name="whacipher" processorArchitecture="x86" version="1.0.0.0"/>.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">.. <security>.. <requestedPrivileges>.. <requestedExecutionLevel level="asInvoker" uiAccess="false"/>.. </requestedPrivileges>.. </security>.. </trustInfo>.. <dependency>.. <dependentAssembly>.. <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" language="" processorArchitecture="" version="6.0.0.0" publicKeyToken="6595b64144ccf1df"/>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"/>.. </dependentAssembly>.. </dependency>.. <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">.. <application>.. <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>.. <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.994623246896421
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	whacipher.exe
File size:	7'646'565 bytes
MD5:	1d64b1fae7b82fd77ad5ac9cafa76ad7
SHA1:	a475f87f97f608e29244b8d0e48a01fc9374d6f3
SHA256:	809fdf92ceb7a6a7534274871517bfbd3f397ade588510f222c11d3a8caf5ac1
SHA512:	88b6268618d77865c045692aa4f098078ac2c26cd7dfc88a5bf8c125ec2beb3e771036a00b1a81562d63b075fc0c2ae6cc7aba5812363d7ff20417eaf279caf8
SSDEEP:	196608:prXH/CUMLu1qryKbnaqp0Y2rpg61PVVf:pbHPM61UyKbnaW0VC0
TLSH:	B6763375681100BBD6F0043E64D1C2366A3D9F76AF92E557CFAC0B77BA44AD18028E7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1x..u..Wu..Wu..W.q.Vy..W.q.V...W.q.Vg..W...Wv..W.h.VP..W.h.Vg..W.h.Vg..W.q.Vp..Wu..W...W.k.Ve..W.k.Wt..W.k.Vt..WRichu..W.......

File Icon


Icon Hash:	2e1e7c4c4c61e979

Static PE Info

General

Entrypoint:	0x407e14
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6077DC99 [Thu Apr 15 06:26:33 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	e6dbd61884d740500a84058b14610a2c

Entrypoint Preview

Instruction
call 00007FB71CB3CD93h
jmp 00007FB71CB3C769h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [00422078h]
push dword ptr [ebp+08h]
call dword ptr [00422074h]
push C0000409h
call dword ptr [00422044h]
push eax
call dword ptr [0042207Ch]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007FB71CB55652h
test eax, eax
je 00007FB71CB3C8F7h
push 00000002h
pop ecx
int 29h
mov dword ptr [0043CBB0h], eax
mov dword ptr [0043CBACh], ecx
mov dword ptr [0043CBA8h], edx
mov dword ptr [0043CBA4h], ebx
mov dword ptr [0043CBA0h], esi
mov dword ptr [0043CB9Ch], edi
mov word ptr [0043CBC8h], ss
mov word ptr [0043CBBCh], cs
mov word ptr [0043CB98h], ds
mov word ptr [0043CB94h], es
mov word ptr [0043CB90h], fs
mov word ptr [0043CB8Ch], gs
pushfd
pop dword ptr [0043CBC0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0043CBB4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0043CBB8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0043CBC4h], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [0043CB00h], 00010001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d154	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e000	0xf054	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e000	0x185c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2c6bc	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2c6d8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x22000	0x18c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x203a5	0x20400	22c3031a598c5f03915ca21a36af487c	False	0.5745064195736435	MPEG-4 LOAS	6.670675922040015	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x22000	0xba96	0xbc00	eb3c0e8da1bb3d38418809715b7058f3	False	0.5477268949468085	data	6.054279585454769	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2e000	0xf6dc	0xa00	d0950df8ed676c8ea93a2e10c79d0fa3	False	0.15234375	DOS executable (block device driver @\273\)	1.9301537415935426	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3e000	0xf054	0xf200	7b2ba77877b34de54c2a2cd4da154347	False	0.7951639979338843	data	7.356362879733537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4e000	0x185c	0x1a00	ffd314a0ccbfcb6e598eabfed1f8ad43	False	0.7687800480769231	data	6.469391180869132	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x3e208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.56636460554371
RT_ICON	0x3f0b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7287906137184116
RT_ICON	0x3f958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.7471098265895953
RT_ICON	0x3fec0	0x909b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9971636186822983
RT_ICON	0x48f5c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.38309128630705397
RT_ICON	0x4b504	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4826454033771107
RT_ICON	0x4c5ac	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.699468085106383
RT_GROUP_ICON	0x4ca14	0x68	data	0.7019230769230769
RT_MANIFEST	0x4ca7c	0x5d7	XML 1.0 document, ASCII text, with CRLF line terminators	0.4254180602006689

Imports

DLL

Import

KERNEL32.dll

GetCommandLineW, GetEnvironmentVariableW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, GetStartupInfoW, LoadLibraryExW, CloseHandle, GetCurrentProcess, LoadLibraryA, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, SetEndOfFile, GetProcAddress, GetModuleFileNameW, SetDllDirectoryW, CreateProcessW, GetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetModuleHandleW, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, RaiseException, GetCommandLineA, ReadFile, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindClose, FindFirstFileExW, FindNextFileW, SetStdHandle, SetConsoleCtrlHandler, DeleteFileW, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleCP, GetFileSizeEx, CompareStringW, LCMapStringW, GetCurrentDirectoryW, FlushFileBuffers, GetFileAttributesExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStringTypeW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, DecodePointer

ADVAPI32.dll

ConvertSidToStringSidW, GetTokenInformation, OpenProcessToken, ConvertStringSecurityDescriptorToSecurityDescriptorW

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 09:29:37.826076031 CET	1.1.1.1	192.168.2.9	0xdfa1	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 19, 2024 09:29:37.826076031 CET	1.1.1.1	192.168.2.9	0xdfa1	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:29:41
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\whacipher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\whacipher.exe"
Imagebase:	0x10000
File size:	7'646'565 bytes
MD5 hash:	1D64B1FAE7B82FD77AD5AC9CAFA76AD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:29:41
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:29:44
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\whacipher.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\whacipher.exe"
Imagebase:	0x10000
File size:	7'646'565 bytes
MD5 hash:	1D64B1FAE7B82FD77AD5AC9CAFA76AD7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report whacipher.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_des3.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ecb.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_eksblowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ocb.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Cipher\_raw_ofb.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_BLAKE2b.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_BLAKE2s.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD2.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD4.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_MD5.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_RIPEMD160.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA1.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA224.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA256.pyd

C:\Users\user\AppData\Local\Temp\_MEI76202\Crypto\Hash\_SHA384.pyd

Windows Analysis Report
whacipher.exe