Edit tour

Windows Analysis Report
WTvNL75dCr.exe

Overview

General Information

Sample name:	WTvNL75dCr.exe renamed because original name is a hash value
Original sample name:	94b19d2d17eeb9168cb11f97d532ee65962f70a2c1249f3abfc8625c8c3193f8.exe
Analysis ID:	1578193
MD5:	41d0bfe78163967efad3c207926add4b
SHA1:	c9bc16bc1e3a6ec027a83b1efa0fc4c4a6234bf3
SHA256:	94b19d2d17eeb9168cb11f97d532ee65962f70a2c1249f3abfc8625c8c3193f8
Tags:	exeuser-JAMESWT_MHT
Infos:

Detection

Python BackDoor

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Python BackDoor

AI detected suspicious sample

Opens network shares

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

WTvNL75dCr.exe (PID: 6932 cmdline: "C:\Users\user\Desktop\WTvNL75dCr.exe" MD5: 41D0BFE78163967EFAD3C207926ADD4B)

WTvNL75dCr.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\WTvNL75dCr.exe" MD5: 41D0BFE78163967EFAD3C207926ADD4B)

systeminfo.exe (PID: 2080 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

conhost.exe (PID: 980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 916 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 6240 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7052 cmdline: wmic computersystem get manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WerFault.exe (PID: 4324 cmdline: C:\Windows\system32\WerFault.exe -u -p 7092 -s 892 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security
00000001.00000003.1775945211.000002B82CEC0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security
Process Memory Space: WTvNL75dCr.exe PID: 7092	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Source: WTvNL75dCr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbBB source: WTvNL75dCr.exe, 00000000.00000003.1735629910.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platformthemes\qxdgdesktopportal.pdb source: WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734800745.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: WTvNL75dCr.exe, 00000001.00000002.2515426799.00007FFDFF237000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: WTvNL75dCr.exe, 00000000.00000003.1705740251.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2519940745.00007FFE130C3000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: WTvNL75dCr.exe, 00000001.00000002.2516256862.00007FFDFF2C5000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: WTvNL75dCr.exe, 00000001.00000002.2517038952.00007FFE007E5000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: WTvNL75dCr.exe, 00000001.00000002.2510935168.00007FFDFB0B6000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: WTvNL75dCr.exe, 00000000.00000003.1735629910.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qgif.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: WTvNL75dCr.exe, 00000000.00000003.1735519618.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: WTvNL75dCr.exe, 00000001.00000002.2510100591.00007FFDFAAE2000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: WTvNL75dCr.exe, 00000001.00000002.2520714832.00007FFE1A464000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: WTvNL75dCr.exe, 00000001.00000002.2520714832.00007FFE1A464000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: WTvNL75dCr.exe, 00000000.00000003.1716896413.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2519799716.00007FFE12E15000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: WTvNL75dCr.exe, 00000001.00000002.2519352712.00007FFE126C3000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb%% source: WTvNL75dCr.exe, 00000001.00000002.2517308610.00007FFE0EB57000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb source: WTvNL75dCr.exe, 00000001.00000002.2517308610.00007FFE0EB57000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: WTvNL75dCr.exe, 00000001.00000002.2520119700.00007FFE13213000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: WTvNL75dCr.exe, 00000001.00000002.2519171717.00007FFE120C6000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: WTvNL75dCr.exe, 00000001.00000002.2519554604.00007FFE126EB000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbT source: WTvNL75dCr.exe, 00000001.00000002.2510935168.00007FFDFB0B6000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: WTvNL75dCr.exe, 00000001.00000002.2518556029.00007FFE11BB3000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: WTvNL75dCr.exe, 00000001.00000002.2508228491.00007FFDF9F7A000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: WTvNL75dCr.exe, 00000001.00000002.2519554604.00007FFE126EB000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: WTvNL75dCr.exe, 00000001.00000002.2520350802.00007FFE1330D000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: WTvNL75dCr.exe, 00000001.00000002.2518760446.00007FFE11EA9000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: WTvNL75dCr.exe, 00000001.00000002.2505928675.00007FFDF9344000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: WTvNL75dCr.exe, 00000001.00000002.2501104305.000002B82AC10000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\libEGL.pdb source: WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: WTvNL75dCr.exe, 00000001.00000002.2512638911.00007FFDFB888000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: WTvNL75dCr.exe, 00000001.00000002.2516256862.00007FFDFF2C5000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: WTvNL75dCr.exe, 00000000.00000003.1716754656.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: WTvNL75dCr.exe, 00000001.00000002.2517756743.00007FFE1150E000.00000002.00000001.01000000.00000013.sdmp

Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F29280 FindFirstFileExW,FindClose,	0_2_00007FF738F29280
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F283C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF738F283C0
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F41874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF738F41874
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F29280 FindFirstFileExW,FindClose,	1_2_00007FF738F29280

Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI69322\	Jump to behavior

Source: Joe Sandbox View

IP Address: 104.20.22.46 104.20.22.46

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: nodejs.org

Source: WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredID
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D092000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D096000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D193000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D0EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl-
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D0EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlR
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: WTvNL75dCr.exe, 00000001.00000002.2503622233.000002B82D7AC000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: WTvNL75dCr.exe, 00000001.00000003.1779919371.000002B82CBD6000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CBD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: WTvNL75dCr.exe, 00000001.00000002.2503187734.000002B82D6A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D107000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D193000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D0EF000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1807355880.000002B82D100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D0BA000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D0BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/d
Source: WTvNL75dCr.exe, 00000001.00000002.2503084065.000002B82D490000.00000004.00001000.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D092000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: WTvNL75dCr.exe, 00000001.00000002.2508228491.00007FFDF9F7A000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D068000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1807390054.000002B82D068000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/?
Source: WTvNL75dCr.exe, 00000001.00000002.2508228491.00007FFDF9F7A000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: http://www.color.org)
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D0EF000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D209000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1781343434.000002B82CB8E000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779919371.000002B82CB7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D14C000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D14F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D193000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: WTvNL75dCr.exe, 00000001.00000003.1807390054.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D00B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: WTvNL75dCr.exe, 00000001.00000002.2501643015.000002B82C960000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C5A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C5A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C520000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: WTvNL75dCr.exe, 00000001.00000002.2501174620.000002B82AD18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D092000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D096000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: WTvNL75dCr.exe, 00000001.00000002.2501174620.000002B82AD18000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: WTvNL75dCr.exe, 00000001.00000002.2504952865.000002B82DFF4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: WTvNL75dCr.exe, 00000001.00000002.2503622233.000002B82D778000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C5A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: WTvNL75dCr.exe, 00000001.00000002.2501174620.000002B82AD18000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1776013726.000002B82CB6C000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1776013726.000002B82CB29000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1775420372.000002B82CBD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: WTvNL75dCr.exe, 00000001.00000002.2502031958.000002B82CD60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: WTvNL75dCr.exe, 00000001.00000002.2501174620.000002B82AD18000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: WTvNL75dCr.exe, 00000001.00000002.2503084065.000002B82D490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: WTvNL75dCr.exe, 00000001.00000002.2503084065.000002B82D490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D092000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D096000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1807390054.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D096000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D00B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: WTvNL75dCr.exe, 00000001.00000003.1807390054.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D00B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D068000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1807390054.000002B82D068000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: WTvNL75dCr.exe, 00000001.00000002.2503622233.000002B82D6F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779919371.000002B82CB7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1778658592.000002B82D0F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: WTvNL75dCr.exe, 00000001.00000002.2504952865.000002B82E048000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip
Source: WTvNL75dCr.exe, 00000001.00000002.2503084065.000002B82D490000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
Source: WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: WTvNL75dCr.exe, 00000001.00000002.2502963133.000002B82D390000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: WTvNL75dCr.exe, 00000001.00000002.2501942226.000002B82CC60000.00000004.00001000.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1771128414.000002B82C721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: WTvNL75dCr.exe, 00000001.00000002.2512638911.00007FFDFB888000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2503622233.000002B82D6F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: WTvNL75dCr.exe, 00000001.00000002.2503622233.000002B82D6F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.ioe
Source: WTvNL75dCr.exe, 00000001.00000002.2504952865.000002B82DFF4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D092000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D096000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D096000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: WTvNL75dCr.exe, 00000001.00000002.2502963133.000002B82D390000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: WTvNL75dCr.exe, 00000001.00000002.2502963133.000002B82D390000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1715416796.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: WTvNL75dCr.exe, 00000001.00000002.2516436619.00007FFDFF300000.00000002.00000001.01000000.00000015.sdmp, WTvNL75dCr.exe, 00000001.00000002.2510503428.00007FFDFAC24000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1778658592.000002B82D0F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: WTvNL75dCr.exe, 00000001.00000002.2512638911.00007FFDFB888000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: WTvNL75dCr.exe, 00000001.00000003.1807390054.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D00B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733

Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F46964	0_2_00007FF738F46964
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F289E0	0_2_00007FF738F289E0
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F45C00	0_2_00007FF738F45C00
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F408C8	0_2_00007FF738F408C8
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F21000	0_2_00007FF738F21000
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F3DA5C	0_2_00007FF738F3DA5C
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F2A2DB	0_2_00007FF738F2A2DB
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F31944	0_2_00007FF738F31944
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F32164	0_2_00007FF738F32164
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F339A4	0_2_00007FF738F339A4
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F46418	0_2_00007FF738F46418
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F408C8	0_2_00007FF738F408C8
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F2A474	0_2_00007FF738F2A474
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F2ACAD	0_2_00007FF738F2ACAD
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F31B50	0_2_00007FF738F31B50
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F43C10	0_2_00007FF738F43C10
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F32C10	0_2_00007FF738F32C10
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F45E7C	0_2_00007FF738F45E7C
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F39EA0	0_2_00007FF738F39EA0
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F3DEF0	0_2_00007FF738F3DEF0
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F35D30	0_2_00007FF738F35D30
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F31D54	0_2_00007FF738F31D54
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F3E570	0_2_00007FF738F3E570
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F335A0	0_2_00007FF738F335A0
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F41874	0_2_00007FF738F41874
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F440AC	0_2_00007FF738F440AC
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F380E4	0_2_00007FF738F380E4
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F49728	0_2_00007FF738F49728
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F31740	0_2_00007FF738F31740
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F31F60	0_2_00007FF738F31F60
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F38794	0_2_00007FF738F38794
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F29800	0_2_00007FF738F29800
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F46964	1_2_00007FF738F46964
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F21000	1_2_00007FF738F21000
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F3DA5C	1_2_00007FF738F3DA5C
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F2A2DB	1_2_00007FF738F2A2DB
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F31944	1_2_00007FF738F31944
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F32164	1_2_00007FF738F32164
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F339A4	1_2_00007FF738F339A4
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F289E0	1_2_00007FF738F289E0
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F46418	1_2_00007FF738F46418
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F408C8	1_2_00007FF738F408C8
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F2A474	1_2_00007FF738F2A474
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F2ACAD	1_2_00007FF738F2ACAD

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Code function: String function: 00007FF738F22710 appears 93 times

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7092 -s 892

Source: unicodedata.pyd.0.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: python3.dll.0.dr

Static PE information: No import functions for PE file found

Source: WTvNL75dCr.exe, 00000000.00000003.1706348022.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Core.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqgif.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibEGL.dll. vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqsvgicon.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1714610050.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Svg.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1707484288.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5DBus.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1737318904.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwebgl.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1713062077.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5QmlModels.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqtuiotouchplugin.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqico.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1737678158.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwindows.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1736330920.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqminimal.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqicns.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1716754656.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1711807197.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Qml.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqxdgdesktopportal.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1736921671.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqoffscreen.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1705170393.000001D7FDB81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dllT vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwbmp.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1735949612.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwebp.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1714776530.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5WebSockets.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1734586411.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqjpeg.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1735629910.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqtiff.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1735519618.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqtga.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1719949456.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1709429521.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Gui.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1716896413.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1710978092.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Network.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1734800745.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqsvg.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1705740251.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140_1.dllT vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000000.00000003.1738186284.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwindowsvistastyle.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe	Binary or memory string: OriginalFilename vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2518833229.00007FFE11EB3000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2501104305.000002B82AC10000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2507787254.00007FFDF9B33000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: OriginalFilenameQt5Widgets.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2516436619.00007FFDFF300000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilenamelibsslH vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2515117185.00007FFDFBAC0000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython313.dll. vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2511503582.00007FFDFB190000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenameQt5Core.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2519260149.00007FFE120CD000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2519708804.00007FFE126F3000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2506093890.00007FFDF93AB000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: OriginalFilenameqwindows.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2520002195.00007FFE130C6000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenamemsvcp140_1.dllT vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2518072674.00007FFE1152A000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2517368273.00007FFE0EB62000.00000002.00000001.01000000.00000021.sdmp	Binary or memory string: OriginalFilenameqwindowsvistastyle.dll( vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2520763021.00007FFE1A46A000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2519857768.00007FFE12E19000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2517185698.00007FFE0081F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dllT vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2519424533.00007FFE126C6000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2510503428.00007FFDFAC24000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2520183913.00007FFE1321E000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2520508230.00007FFE13312000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs WTvNL75dCr.exe
Source: WTvNL75dCr.exe, 00000001.00000002.2518620063.00007FFE11BB6000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs WTvNL75dCr.exe

Source: Qt5Core.dll.0.dr

Static PE information: Section: .qtmimed ZLIB complexity 0.997458770800317

Source: classification engine

Classification label: mal60.troj.spyw.evad.winEXE@13/142@1/1

Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:980:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7092
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_03

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI69322

Jump to behavior

Source: WTvNL75dCr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: WTvNL75dCr.exe

String found in binary or memory:

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

File read: C:\Users\user\Desktop\WTvNL75dCr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\WTvNL75dCr.exe "C:\Users\user\Desktop\WTvNL75dCr.exe"
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process created: C:\Users\user\Desktop\WTvNL75dCr.exe "C:\Users\user\Desktop\WTvNL75dCr.exe"
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7092 -s 892
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process created: C:\Users\user\Desktop\WTvNL75dCr.exe "C:\Users\user\Desktop\WTvNL75dCr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer	Jump to behavior

Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: msvcp140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: WTvNL75dCr.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: WTvNL75dCr.exe

Static file information: File size 38749227 > 1048576

Source: WTvNL75dCr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: WTvNL75dCr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: WTvNL75dCr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: WTvNL75dCr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: WTvNL75dCr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: WTvNL75dCr.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: WTvNL75dCr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: WTvNL75dCr.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbBB source: WTvNL75dCr.exe, 00000000.00000003.1735629910.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platformthemes\qxdgdesktopportal.pdb source: WTvNL75dCr.exe, 00000000.00000003.1738068132.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734123057.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734800745.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: WTvNL75dCr.exe, 00000001.00000002.2515426799.00007FFDFF237000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: WTvNL75dCr.exe, 00000000.00000003.1705740251.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2519940745.00007FFE130C3000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: WTvNL75dCr.exe, 00000001.00000002.2516256862.00007FFDFF2C5000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: WTvNL75dCr.exe, 00000001.00000002.2517038952.00007FFE007E5000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: WTvNL75dCr.exe, 00000001.00000002.2510935168.00007FFDFB0B6000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: WTvNL75dCr.exe, 00000000.00000003.1735629910.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qgif.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734208758.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: WTvNL75dCr.exe, 00000000.00000003.1735519618.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: WTvNL75dCr.exe, 00000001.00000002.2510100591.00007FFDFAAE2000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: WTvNL75dCr.exe, 00000001.00000002.2520714832.00007FFE1A464000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: WTvNL75dCr.exe, 00000001.00000002.2520714832.00007FFE1A464000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: WTvNL75dCr.exe, 00000000.00000003.1716896413.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2519799716.00007FFE12E15000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734305390.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: WTvNL75dCr.exe, 00000001.00000002.2519352712.00007FFE126C3000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb%% source: WTvNL75dCr.exe, 00000001.00000002.2517308610.00007FFE0EB57000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb source: WTvNL75dCr.exe, 00000001.00000002.2517308610.00007FFE0EB57000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: WTvNL75dCr.exe, 00000001.00000002.2520119700.00007FFE13213000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: WTvNL75dCr.exe, 00000001.00000002.2519171717.00007FFE120C6000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734437677.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: WTvNL75dCr.exe, 00000001.00000002.2519554604.00007FFE126EB000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: WTvNL75dCr.exe, 00000000.00000003.1734013711.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbT source: WTvNL75dCr.exe, 00000001.00000002.2510935168.00007FFDFB0B6000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: WTvNL75dCr.exe, 00000001.00000002.2518556029.00007FFE11BB3000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: WTvNL75dCr.exe, 00000001.00000002.2508228491.00007FFDF9F7A000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: WTvNL75dCr.exe, 00000001.00000002.2519554604.00007FFE126EB000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: WTvNL75dCr.exe, 00000001.00000002.2520350802.00007FFE1330D000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: WTvNL75dCr.exe, 00000001.00000002.2518760446.00007FFE11EA9000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: WTvNL75dCr.exe, 00000001.00000002.2505928675.00007FFDF9344000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: WTvNL75dCr.exe, 00000000.00000003.1735823065.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: WTvNL75dCr.exe, 00000001.00000002.2501104305.000002B82AC10000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\libEGL.pdb source: WTvNL75dCr.exe, 00000000.00000003.1718351209.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: WTvNL75dCr.exe, 00000001.00000002.2512638911.00007FFDFB888000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: WTvNL75dCr.exe, 00000001.00000002.2516256862.00007FFDFF2C5000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: WTvNL75dCr.exe, 00000000.00000003.1716754656.000001D7FDB83000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: WTvNL75dCr.exe, 00000001.00000002.2517756743.00007FFE1150E000.00000002.00000001.01000000.00000013.sdmp

Source: WTvNL75dCr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WTvNL75dCr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WTvNL75dCr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WTvNL75dCr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WTvNL75dCr.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0x78BDDED1 [Sat Mar 11 17:01:05 2034 UTC]

Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll0.0.dr	Static PE information: section name: _RDATA
Source: opengl32sw.dll.0.dr	Static PE information: section name: _RDATA
Source: qtuiotouchplugin.dll.0.dr	Static PE information: section name: .qtmetad
Source: qsvgicon.dll.0.dr	Static PE information: section name: .qtmetad
Source: MSVCP140.dll.0.dr	Static PE information: section name: .didat
Source: Qt5Core.dll.0.dr	Static PE information: section name: .qtmimed
Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: qgif.dll.0.dr	Static PE information: section name: .qtmetad
Source: qicns.dll.0.dr	Static PE information: section name: .qtmetad
Source: qico.dll.0.dr	Static PE information: section name: .qtmetad
Source: qjpeg.dll.0.dr	Static PE information: section name: .qtmetad
Source: qsvg.dll.0.dr	Static PE information: section name: .qtmetad
Source: qtga.dll.0.dr	Static PE information: section name: .qtmetad
Source: qtiff.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwbmp.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwebp.dll.0.dr	Static PE information: section name: .qtmetad
Source: qminimal.dll.0.dr	Static PE information: section name: .qtmetad
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python313.dll.0.dr	Static PE information: section name: PyRuntim
Source: qoffscreen.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwebgl.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwindows.dll.0.dr	Static PE information: section name: .qtmetad
Source: qxdgdesktopportal.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwindowsvistastyle.dll.0.dr	Static PE information: section name: .qtmetad

Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\MSVCP140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\libssl-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Code function: 0_2_00007FF738F276C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF738F276C0

Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-18132

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

API coverage: 9.8 %

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F29280 FindFirstFileExW,FindClose,	0_2_00007FF738F29280
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F283C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF738F283C0
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F41874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF738F41874
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F29280 FindFirstFileExW,FindClose,	1_2_00007FF738F29280

Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI69322\	Jump to behavior

Source: WTvNL75dCr.exe, 00000001.00000002.2502031958.000002B82CD60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: fQEMU
Source: WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1776863015.000002B82CF18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WTvNL75dCr.exe, 00000001.00000002.2508470947.00007FFDFA1E8000.00000008.00000001.01000000.0000001D.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Code function: 0_2_00007FF738F2D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF738F2D12C

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Code function: 0_2_00007FF738F43480 GetProcessHeap,

0_2_00007FF738F43480

Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F2D30C SetUnhandledExceptionFilter,	0_2_00007FF738F2D30C
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F2D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF738F2D12C
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F3A614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF738F3A614
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 0_2_00007FF738F2C8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF738F2C8A0
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F2D30C SetUnhandledExceptionFilter,	1_2_00007FF738F2D30C
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Code function: 1_2_00007FF738F2D12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FF738F2D12C

Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process created: C:\Users\user\Desktop\WTvNL75dCr.exe "C:\Users\user\Desktop\WTvNL75dCr.exe"	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer	Jump to behavior

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Code function: 0_2_00007FF738F49570 cpuid

0_2_00007FF738F49570

Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtCore.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\sip.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer\md.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer\md__mypyc.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\psutil\_psutil_windows.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtWidgets.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtGui.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qminimal.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qwebgl.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qwindows.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\Desktop\WTvNL75dCr.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\WTvNL75dCr.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69322 VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Code function: 0_2_00007FF738F2D010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF738F2D010

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

Code function: 0_2_00007FF738F45C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF738F45C00

Stealing of Sensitive Information

Yara detected Python BackDoor

Source: Yara match	File source: 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1775945211.000002B82CEC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WTvNL75dCr.exe PID: 7092, type: MEMORYSTR

Opens network shares

Source: C:\Users\user\Desktop\WTvNL75dCr.exe

File opened: \\Mac\shared\projects\loader\src\dropper\src\tmp\_main.py

Jump to behavior

Remote Access Functionality

Yara detected Python BackDoor

Source: Yara match	File source: 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1775945211.000002B82CEC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WTvNL75dCr.exe PID: 7092, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	12 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	2 System Time Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	141 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	44 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WTvNL75dCr.exe	6%	Virustotal		Browse
WTvNL75dCr.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\MSVCP140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\MSVCP140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5DBus.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Gui.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Network.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Qml.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5QmlModels.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Quick.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Svg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5WebSockets.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Widgets.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\d3dcompiler_47.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\opengl32sw.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qgif.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qicns.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qico.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qsvg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qtga.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qtiff.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qwebp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qminimal.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qwebgl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qwindows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtCore.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtGui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtWidgets.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\sip.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\_wmi.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer\md.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\psutil\_psutil_windows.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\python313.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\select.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI69322\unicodedata.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://requests.readthedocs.ioe	0%	Avira URL Cloud	safe
http://repository.swisssign.com/d	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nodejs.org	104.20.22.46	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://google.com/	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1778658592.000002B82D0F4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl	WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/giampaolo/psutil/issues/875.	WTvNL75dCr.exe, 00000001.00000002.2504952865.000002B82DFF4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C789000.00000004.00000020.00020000.00000000.sdmp	false		high
https://httpbin.org/post	WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C5A4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Ousret/charset_normalizer	WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D092000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D096000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D096000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.firmaprofesional.com/cps0	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D0EF000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D209000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C520000.00000004.00001000.00020000.00000000.sdmp	false		high
https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip	WTvNL75dCr.exe, 00000001.00000002.2504952865.000002B82E048000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	WTvNL75dCr.exe, 00000001.00000002.2501174620.000002B82AD18000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2920	WTvNL75dCr.exe, 00000001.00000002.2503084065.000002B82D490000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/SGCA.crl0	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	WTvNL75dCr.exe, 00000001.00000002.2501174620.000002B82AD18000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com/	WTvNL75dCr.exe, 00000001.00000003.1807390054.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D00B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file	WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://goo.gl/zeJZl.	WTvNL75dCr.exe, 00000001.00000002.2503622233.000002B82D7AC000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc2388#section-4.4	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1781343434.000002B82CB8E000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779919371.000002B82CB7D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/entry-points/#file-format	WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://html.spec.whatwg.org/multipage/	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D068000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1807390054.000002B82D068000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/d	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D0BA000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D0BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadisglobal.com/cps0	WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D193000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	WTvNL75dCr.exe, 00000001.00000002.2502963133.000002B82D390000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C789000.00000004.00000020.00020000.00000000.sdmp	false		high
https://requests.readthedocs.io	WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2503622233.000002B82D6F0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0205/	WTvNL75dCr.exe, 00000001.00000002.2501942226.000002B82CC60000.00000004.00001000.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1771128414.000002B82C721000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.dhimyotis.com/certignarootca.crl	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.es	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D107000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D193000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D0EF000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1807355880.000002B82D100000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C520000.00000004.00001000.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	WTvNL75dCr.exe, 00000001.00000002.2502963133.000002B82D390000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C5A4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/get	WTvNL75dCr.exe, 00000001.00000002.2503622233.000002B82D6F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl	WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D193000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org	WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp	false		high
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D092000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D096000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D096000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm0U	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.aiim.org/pdfa/ns/id/	WTvNL75dCr.exe, 00000001.00000002.2508228491.00007FFDF9F7A000.00000002.00000001.01000000.0000001D.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C520000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.accv.es0	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/	WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1778658592.000002B82D0F4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	WTvNL75dCr.exe, 00000001.00000002.2501174620.000002B82AD18000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/cpython/issues/86361.	WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1776013726.000002B82CB6C000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1776013726.000002B82CB29000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1775420372.000002B82CBD8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://json.org	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779919371.000002B82CB7D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	WTvNL75dCr.exe, 00000001.00000002.2503187734.000002B82D6A8000.00000004.00001000.00020000.00000000.sdmp	false		high
https://httpbin.org/	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D096000.00000004.00000020.00020000.00000000.sdmp	false		high
https://requests.readthedocs.ioe	WTvNL75dCr.exe, 00000001.00000002.2503622233.000002B82D6F0000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wwww.certigna.fr/autorites/	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C520000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/howto/mro.html.	WTvNL75dCr.exe, 00000001.00000002.2501643015.000002B82C960000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package	WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C520000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C520000.00000004.00001000.00020000.00000000.sdmp	false		high
https://twitter.com/	WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D092000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D096000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D096000.00000004.00000020.00020000.00000000.sdmp	false		high
https://stackoverflow.com/questions/4457745#4457745.	WTvNL75dCr.exe, 00000001.00000002.2504952865.000002B82DFF4000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.color.org)	WTvNL75dCr.exe, 00000001.00000002.2508228491.00007FFDF9F7A000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://www.quovadisglobal.com/cps	WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D14C000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D14F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C789000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module	WTvNL75dCr.exe, 00000001.00000002.2501296424.000002B82C5A4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	WTvNL75dCr.exe, 00000001.00000002.2501174620.000002B82AD18000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/	WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D092000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D096000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1807390054.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D096000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D00B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail/	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata	WTvNL75dCr.exe, 00000001.00000002.2503084065.000002B82D490000.00000004.00001000.00020000.00000000.sdmp	false		high
http://google.com/mail/	WTvNL75dCr.exe, 00000001.00000003.1779919371.000002B82CBD6000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CBD6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl	WTvNL75dCr.exe, 00000001.00000003.1802174602.000002B82D193000.00000004.00000020.00020000.00000000.sdmp	false		high
http://wwwsearch.sf.net/):	WTvNL75dCr.exe, 00000001.00000003.1807390054.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D00B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/python/importlib_metadata/wiki/Development-Methodology	WTvNL75dCr.exe, 00000001.00000002.2502031958.000002B82CD60000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/3290	WTvNL75dCr.exe, 00000001.00000002.2503084065.000002B82D490000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es/legislacion_c.htm	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	WTvNL75dCr.exe, 00000001.00000002.2503084065.000002B82D490000.00000004.00001000.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D092000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.openssl.org/H	WTvNL75dCr.exe, 00000001.00000002.2516436619.00007FFDFF300000.00000002.00000001.01000000.00000015.sdmp, WTvNL75dCr.exe, 00000001.00000002.2510503428.00007FFDFAC24000.00000002.00000001.01000000.00000014.sdmp	false		high
http://crl.certigna.fr/certignarootca.crl01	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D068000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1807390054.000002B82D068000.00000004.00000020.00020000.00000000.sdmp	false		high
https://google.com/mail	WTvNL75dCr.exe, 00000001.00000003.1807390054.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000003.1779341490.000002B82D00B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82D01B000.00000004.00000020.00020000.00000000.sdmp, WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/specifications/entry-points/	WTvNL75dCr.exe, 00000001.00000002.2502963133.000002B82D390000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/?	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.accv.es00	WTvNL75dCr.exe, 00000001.00000003.1800975595.000002B82D1B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.python.org/psf/license/)	WTvNL75dCr.exe, 00000001.00000002.2512638911.00007FFDFB888000.00000002.00000001.01000000.00000004.sdmp	false		high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	WTvNL75dCr.exe, 00000001.00000002.2501503690.000002B82C720000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.cert.fnmt.es/dpcs/0	WTvNL75dCr.exe, 00000001.00000002.2501737845.000002B82CA60000.00000004.00000020.00020000.00000000.sdmp	false		high
https://peps.python.org/pep-0263/	WTvNL75dCr.exe, 00000001.00000002.2512638911.00007FFDFB888000.00000002.00000001.01000000.00000004.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	WTvNL75dCr.exe, 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/psf/requests/pull/6710	WTvNL75dCr.exe, 00000001.00000002.2503622233.000002B82D778000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.22.46	nodejs.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578193
Start date and time:	2024-12-19 12:19:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WTvNL75dCr.exe renamed because original name is a hash value
Original Sample Name:	94b19d2d17eeb9168cb11f97d532ee65962f70a2c1249f3abfc8625c8c3193f8.exe
Detection:	MAL
Classification:	mal60.troj.spyw.evad.winEXE@13/142@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 73% Number of executed functions: 62 Number of non-executed functions: 90
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 172.202.163.200, 40.126.53.19, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.20.22.46	wmdqEYgW2i.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Bootstrapper.exe	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Python BackDoor	Browse
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Unknown	Browse
	check.exe	Get hash	malicious	Unknown	Browse
	sDKRz09zM7.exe	Get hash	malicious	AsyncRAT, XWorm	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nodejs.org	wmdqEYgW2i.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.20.22.46
	Bootstrapper.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	104.20.23.46
	download.ps1	Get hash	malicious	Python BackDoor	Browse	104.20.22.46
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse	104.20.23.46
	download.ps1	Get hash	malicious	Unknown	Browse	104.20.22.46
	download.ps1	Get hash	malicious	Unknown	Browse	104.20.22.46

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://github.com/starise/win11-virtual-desktop-extension/releases/download/1.1.0/VirtualDesktopExtension-1.1.0.msi	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://e.trustifi.com/#/fff2a1/305619/6dc30e/bb62bb/581844/11c063/a3c1ce/c0ba4d/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/838c7e/cd63d6/82c9fe/baf706/264690/9188a6/a54400/a45112/68deb9/a1d612/148c70/62dcf5/9cb4f7/9713c0/de2350/884a31/c8623a/2f5546/ab6255/63291e/390e78/6b371c/add804/d4bbed/01f0b4/6023ca/9b7c0b/b0881b/bd8fbb/380790/942e2d/c30675/2c79c4/594b5b/fa5dac/c17e29/ec9861/3d4f90/8d1dd9/15a5f1/e3d291/035383/58ff7f/dcf654/c36a6d/ac2219/0a7478/f49f04/50db6b/1c0640/509cd9/d5eb23/7e01e4/b5bcef/2cfb1e/1cd263/f68c45/7325e0/8e5d9b/dacf2c/074706/a0f040/11bf65/f8b4f7/b49b4f/da74f6/285aa9/b249dd/d9b9c7/1a738e/07e7fa/7ea43f/a69f97/422641/436e51/504e86	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	NieuwBetalingsbevestigingvoor vanas.eu.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://init-area.fr/AB	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://registry.paratext.org	Get hash	malicious	Unknown	Browse	104.26.6.135
	DHL_231437894819.bat.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	4089137200.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Overheaped237.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	HUSDGHCE23ED.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\MSVCP140.dll	FileScanner.exe	Get hash	malicious	Unknown	Browse
	MacAttack.exe	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Python BackDoor	Browse
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\MSVCP140_1.dll	FileScanner.exe	Get hash	malicious	Unknown	Browse
	MacAttack.exe	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Python BackDoor	Browse
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WTvNL75dCr.exe_9e582b949571b490dfc358bda39d6d65633a8_e366b6b7_e1cddcb4-52e3-4ff0-9757-9cc16e5c6c23\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.355233790266045
Encrypted:	false
SSDEEP:	192:cC9cw3l90KloAjjoR7Nqa7n1TbkRh+B7+Umf7ELBiGTA4waXDMM/YRV8Rv1SnYzN:1953l+KloAjjEXwaTJRzuiF0Y4lO84l
MD5:	01848F7BBEAF10E65C47DB59AC8D8857
SHA1:	30960ADF5E83FE598B07C05566073EF947D076AC
SHA-256:	21ED6D9DE56F1DC2B655B67D7BA1F5F7F82E798F96D5579812EBA153C51DA65D
SHA-512:	24556C0BC5F0AAB5934409EAD91AFCEA12C9B9D42E563A7FC998C83D020A602753E02AADD97B37CE4484C18EF1E080B9A73ACA0ADB241EFC42FDB11E0AAFD880
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.8.0.8.4.0.0.0.5.0.2.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.8.0.8.4.0.4.2.6.8.9.5.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.c.d.d.c.b.4.-.5.2.e.3.-.4.f.f.0.-.9.7.5.7.-.9.c.c.1.6.e.5.c.6.c.2.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.8.7.6.e.8.5.3.-.f.6.c.4.-.4.4.2.3.-.9.9.4.4.-.a.f.f.8.d.1.2.3.e.3.9.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.W.T.v.N.L.7.5.d.C.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.4.-.0.0.0.1.-.0.0.1.4.-.e.2.3.2.-.0.9.f.f.0.7.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.4.8.8.d.c.1.c.a.2.6.8.6.b.4.8.f.b.5.2.1.a.0.c.7.2.4.7.f.e.0.8.0.0.0.0.f.f.f.f.!.0.0.0.0.8.a.8.d.f.5.9.b.5.9.9.4.9.d.a.5.d.6.1.3.b.d.e.8.f.a.a.d.d.d.a.0.2.5.0.9.b.7.6.7.!.W.T.v.N.L.7.5.d.C.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.1.6.:.1.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96D8.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Dec 19 11:20:40 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	133636
Entropy (8bit):	2.0375562767051076
Encrypted:	false
SSDEEP:	768:sKUZgurkKbE3q/fiFWYsHUOTQmqw9AHSQ82a:5Kh0OTUHSB2a
MD5:	3E046A0C0725802237C11513D777D56F
SHA1:	BDB1FB5C4733956442246E24194FED38CA91B39D
SHA-256:	C05B67BFE2286DF7CDB266C91405A15D8140558B78804F560CE8591945DA4333
SHA-512:	431D3EA3AD521B3023500CCF9897AE5587F88B7842D5DFCA26D372A1C19F27D5B1CB42EF52454CFB5BDAFB3D27E526F32B60448E3CC2A7BC0F634DC9F9560A0D
Malicious:	false
Preview:	MDMP..a..... .........dg............$............%..8.......$....-......d....\..........`.......8...........T............%..t............-.........../..............................................................................eJ......p0......Lw......................T...........w.dg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97B3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9638
Entropy (8bit):	3.710582075808272
Encrypted:	false
SSDEEP:	192:R6l7wVeJ9H+w36YHx+jjjgmfLyNpDP89bbkyfd9xJm:R6lXJd+Q6YR+jjjgmfLyIbpfd9O
MD5:	90AD8975C96EB99A901A798E9545AD52
SHA1:	5AF86089885A33AA6EE3DF122AE92E0F5A19D11C
SHA-256:	760006D5BC7AABCCA42726306D255C700ABFA1CDD566345EB14E453CD96F69BD
SHA-512:	63676D4465ED9796630BDFE9AE751B07570BAAFD09E8E8CFA808ADC74B058E0D97330763CDFF2E32A5F41E3F7D9E969D518844686B9CCD4DF3F3AC363ED2D72F
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F3.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4760
Entropy (8bit):	4.4621820998422175
Encrypted:	false
SSDEEP:	48:cvIwWl8zsmJg771I9B+WpW8VY7Ym8M4JAWDFtyq8vBWzGndzrznhd:uIjf8I7a/7VfJZnW4zGndXznhd
MD5:	33E961A692F282B747A12CE27453506A
SHA1:	ADD9D179AA491C6BFE6F84E3A95AF709CAB61DBB
SHA-256:	4474C1C4499542EEF616DB9DB4E87F3CBFD5179EF2A48BB093C31DEEC0122173
SHA-512:	6108B45761B8DB512E54CDB19EFFD976707FE5234EB83E507ACBC1582D222DF703DD8E5E904562F21686060ED0FD83ED1E81ACAD7A32E3C8B5E9F1FF597766FD
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="638063" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\MSVCP140.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	590112
Entropy (8bit):	6.461874649448891
Encrypted:	false
SSDEEP:	12288:xI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRkdQEKZm+jWodEEVh51:xD89rxZfQEKZm+jWodEEP5
MD5:	01B946A2EDC5CC166DE018DBB754B69C
SHA1:	DBE09B7B9AB2D1A61EF63395111D2EB9B04F0A46
SHA-256:	88F55D86B50B0A7E55E71AD2D8F7552146BA26E927230DAF2E26AD3A971973C5
SHA-512:	65DC3F32FAF30E62DFDECB72775DF870AF4C3A32A0BF576ED1AAAE4B16AC6897B62B19E01DC2BF46F46FBE3F475C061F79CBE987EDA583FEE1817070779860E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: FileScanner.exe, Detection: malicious, Browse Filename: MacAttack.exe, Detection: malicious, Browse Filename: download.ps1, Detection: malicious, Browse Filename: y3x8pjQ1Ci.exe, Detection: malicious, Browse Filename: y3x8pjQ1Ci.exe, Detection: malicious, Browse Filename: download.ps1, Detection: malicious, Browse Filename: download.ps1, Detection: malicious, Browse Filename: download.ps1, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........LS..-=..-=..-=.....-=..U...-=..-<.k-=.gB<..-=.gB9..-=.gB>..-=.gB8.=-=.gB=..-=.gB..-=.gB?..-=.Rich.-=.........PE..d.....t^.........." .....@..........."...............................................z....`A.........................................j..h....D..,...............L;...... A......(...@...8...............................0............P.......f..@....................text...,>.......@.................. ..`.rdata..r....P.......D..............@..@.data....:...`..."...N..............@....pdata..L;.......<...p..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\MSVCP140_1.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	6.499754548353504
Encrypted:	false
SSDEEP:	384:rOY/H1SbuIqnX8ndnWc95gW3C8c+pBj0HRN7bULkcyHRN7rxTO6iuQl9xiv:yYIBqnMdxxWd4urv
MD5:	0FE6D52EB94C848FE258DC0EC9FF4C11
SHA1:	95CC74C64AB80785F3893D61A73B8A958D24DA29
SHA-256:	446C48C1224C289BD3080087FE15D6759416D64F4136ADDF30086ABD5415D83F
SHA-512:	C39A134210E314627B0F2072F4FFC9B2CE060D44D3365D11D8C1FE908B3B9403EBDD6F33E67D556BD052338D0ED3D5F16B54D628E8290FD3A155F55D36019A86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: FileScanner.exe, Detection: malicious, Browse Filename: MacAttack.exe, Detection: malicious, Browse Filename: download.ps1, Detection: malicious, Browse Filename: y3x8pjQ1Ci.exe, Detection: malicious, Browse Filename: y3x8pjQ1Ci.exe, Detection: malicious, Browse Filename: download.ps1, Detection: malicious, Browse Filename: download.ps1, Detection: malicious, Browse Filename: download.ps1, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.{.zl..zl..zl......xl..s...~l.....}l.....xl..zl..Ql......l.....il.....{l.....{l.....{l..Richzl..................PE..d.....t^.........." .........$......p.....................................................`A........................................p>..L....?..x....p.......`..X....:...A......p...P3..8............................3..0............0..@............................text............................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..X....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Core.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6023664
Entropy (8bit):	6.768988071491288
Encrypted:	false
SSDEEP:	98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
MD5:	817520432A42EFA345B2D97F5C24510E
SHA1:	FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
SHA-256:	8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
SHA-512:	8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......D.............................UJ......................................................W.....,..................r....................Rich............PE..d...;._.........." ..........-.......-......................................`\.....x.\...`...........................................L..O....T...... \.......U.. ....[......0\..%..,.H.T.....................H.(.....H.0............./.H............................text............................... ..`.rdata..F7%.../..8%.................@..@.data...x....PT..\...6T.............@....pdata... ....U.."....T.............@..@.qtmimed.....0W.......V.............@..P.rsrc........ \.......[.............@..@.reloc...%...0\..&....[.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5DBus.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	436720
Entropy (8bit):	6.392610185061176
Encrypted:	false
SSDEEP:	6144:ZLvnUJ17UTGOkWHUe/W9TgYMDu96ixMZQ8IlXbKgp8aIDeN:KP7cGOGegTwu96ixMZQtlrPN
MD5:	0E8FF02D971B61B5D2DD1AC4DF01AE4A
SHA1:	638F0B46730884FA036900649F69F3021557E2FE
SHA-256:	1AA70B106A10C86946E23CAA9FC752DC16E29FBE803BBA1F1AB30D1C63EE852A
SHA-512:	7BA616EDE66B16D9F8B2A56C3117DB49A74D59D0D32EAA6958DE57EAC78F14B1C7F2DBBA9EAE4D77937399CF14D44535531BAF6F9DB16F357F8712DFAAE4346A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D..............+...../............).....+...O.+....+....O./...O....O..........O.(...Rich..........................PE..d...]._.........." .....\...<.......\..............................................K.....`..........................................h..to...................`...Q..............4.......T.......................(...`...0............p...............................text...yZ.......\.................. ..`.rdata..0....p.......`..............@..@.data...X....@......."..............@....pdata...Q...`...R...2..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Gui.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7008240
Entropy (8bit):	6.674290383197779
Encrypted:	false
SSDEEP:	49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
MD5:	47307A1E2E9987AB422F09771D590FF1
SHA1:	0DFC3A947E56C749A75F921F4A850A3DCBF04248
SHA-256:	5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
SHA-512:	21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......QH^~.)0-.)0-.)0-.Q.-.)0-...-.)0-.F4,.)0-.F3,.)0-.F5,.)0-.F1,.)0-.Y1,.)0-.B5,.)0-.B1,.)0-.)1-m,0-.Y4,.)0-.Y5,\|(0-.Y0,.)0-.Y.-.)0-.).-.)0-.Y2,.)0-Rich.)0-................PE..d....._.........." ......?...+.....X.?.......................................k.....R.k...`.........................................pKK.....d.e.\|....`k.......g.......j......pk..6....F.T................... .F.(.....F.0.............?.p+...........................text...2.?.......?................. ..`.rdata...z&...?..\|&...?.............@..@.data....o... f.......f.............@....pdata........g.......f.............@..@.rsrc........`k.......j.............@..@.reloc...6...pk..8....j.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Network.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1340400
Entropy (8bit):	6.41486755163134
Encrypted:	false
SSDEEP:	24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI
MD5:	3569693D5BAE82854DE1D88F86C33184
SHA1:	1A6084ACFD2AA4D32CEDFB7D9023F60EB14E1771
SHA-256:	4EF341AE9302E793878020F0740B09B0F31CB380408A697F75C69FDBD20FC7A1
SHA-512:	E5EFF4A79E1BDAE28A6CA0DA116245A9919023560750FC4A087CDCD0AB969C2F0EEEC63BBEC2CD5222D6824A01DD27D2A8E6684A48202EA733F9BB2FAB048B32
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........Yt..7'..7'..7'...'..7'..3&..7'}.3&..7'}.4&..7'}.2&..7'}.6&..7'..6&..7'0.6&..7'..6'c.7'0.2&2.7'0.7&..7'0..'..7'...'..7'0.5&..7'Rich..7'........................PE..d....._.........." .................................................................c....`......................................... ....n..,...h....................X..........,.......T...................p...(...@...0............................................text...C........................... ..`.rdata...g.......h..................@..@.data...XN...@...2... ..............@....pdata...............R..............@..@.rsrc................>..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Qml.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3591664
Entropy (8bit):	6.333693598000157
Encrypted:	false
SSDEEP:	98304:iPnt09+kVh2NrSdSG779LLLS/o/L4YqoY0Xba+mRRH2T:iPnt2ZVhT
MD5:	D055566B5168D7B1D4E307C41CE47C4B
SHA1:	043C0056E9951DA79EC94A66A784972532DC18EF
SHA-256:	30035484C81590976627F8FACE9507CAA8581A7DC7630CCCF6A8D6DE65CAB707
SHA-512:	4F12D17AA8A3008CAA3DDD0E41D3ED713A24F9B5A465EE93B2E4BECCF876D5BDF0259AA0D2DD77AD61BB59DC871F78937FFBE4D0F60638014E8EA8A27CAF228D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.4...Z...Z...Z......Z..^...Z..Y...Z.._...Z..[...Z...[...Z...[...Z...[...Z..._...Z...Z...Z.......Z......Z...X...Z.Rich..Z.........PE..d......_.........." .....^$..........O$.......................................7.....}.7...`...........................................,......2.......6.......4. .....6.......6..J....).T.....................).(...p.).0............p$..%...........................text....\$......^$................. ..`.rdata......p$......b$.............@..@.data.........3..n....2.............@....pdata.. .....4......l4.............@..@.rsrc.........6......`6.............@..@.reloc...J....6..L...f6.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5QmlModels.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	438768
Entropy (8bit):	6.312090336793804
Encrypted:	false
SSDEEP:	6144:k1tE6lq982HdyuEZ5gw+VHDZjZ0yOWm7Vdcm4GyasLCZCu6vdQp:k1tEuq9Hdyuo5gwguyOtVIup
MD5:	2030C4177B499E6118BE5B9E5761FCE1
SHA1:	050D0E67C4AA890C80F46CF615431004F2F4F8FC
SHA-256:	51E4E5A5E91F78774C44F69B599FAE4735277EF2918F7061778615CB5C4F6E81
SHA-512:	488F7D5D9D8DEEE9BBB9D63DAE346E46EFEB62456279F388B323777999B597C2D5AEA0EE379BDF94C9CBCFD3367D344FB6B5E90AC40BE2CE95EFA5BBDD363BCC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..<...<...<...5.H.4...(...>.......*.......4.......8.......8......9...<...g....../......=....$.=...<.L.=......=...Rich<...................PE..d...M.._.........." .....(...r......d+..............................................MF....`.........................................0E...^..0................`.. F..................H...T.......................(.......0............@...............................text...N&.......(.................. ..`.rdata.......@.......,..............@..@.data...x/...0...(..................@....pdata.. F...`...H...>..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Quick.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4148720
Entropy (8bit):	6.462183686222023
Encrypted:	false
SSDEEP:	49152:EcDwCQsvkBD+ClI3IAVLA7Tr15SokomoqxQhT2bAssCFEUGX5ig:E7CKPsA3p0Z/QV/sS3Ag
MD5:	65F59CFC0C1C060CE20D3B9CEFFBAF46
SHA1:	CFD56D77506CD8C0671CA559D659DAB39E4AD3C2
SHA-256:	C81AD3C1111544064B1830C6F1AEF3C1FD13B401546AB3B852D697C0F4D854B3
SHA-512:	D6F6DC19F1A0495026CBA765B5A2414B6AF0DBFC37B5ACEED1CD0AE37B3B0F574B759A176D75B01EDD74C6CE9A3642D3D29A3FD7F166B53A41C8978F562B4B50
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!Fvge'.4e'.4e'.4l_.4i'.4.H.5m'.4.H.5a'.4.H.5\|'.4.H.5c'.4.W.5o'.4qL.5`'.4e'.4.,.4.W.5.'.4.W.5d'.4.W.4d'.4e'.4d'.4.W.5d'.4Riche'.4........................PE..d......_.........." ......%..B......L.$.......................................?.......?...`.........................................0)2.P.....8.T.....>.......<..^...2?.......?.py......T.......................(.......0............ %..\...........................text.....%.......%................. ..`.rdata....... %.......%.............@..@.data....I...@;..2... ;.............@....pdata...^....<..`...R<.............@..@.rsrc.........>.......>.............@..@.reloc..py....?..z....>.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Svg.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	330736
Entropy (8bit):	6.381828869454302
Encrypted:	false
SSDEEP:	6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
MD5:	03761F923E52A7269A6E3A7452F6BE93
SHA1:	2CE53C424336BCC8047E10FA79CE9BCE14059C50
SHA-256:	7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
SHA-512:	DE0FF8EBFFC62AF279E239722E6EEDD0B46BC213E21D0A687572BFB92AE1A1E4219322233224CA8B7211FFEF52D26CB9FE171D175D2390E3B3E6710BBDA010CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............_._._..*_._,.^._..^._,.^._,.^._,.^._a.^._._=.._a.^._a.^._a.F_._.._._a.^._Rich._................PE..d......_.........." .........................................................@.......^....`.................................................((....... ...........0...........0..H...xL..T....................N..(....L..0............................................text............................... ..`.rdata..p...........................@..@.data...8...........................@....pdata...0.......2..................@..@.rsrc........ ......................@..@.reloc..H....0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5WebSockets.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	149488
Entropy (8bit):	6.116105454277536
Encrypted:	false
SSDEEP:	3072:4sSkET6pEXb3loojg1Q2sorWvZXF2sorrLA7cG27Qhvvc:4sSd6pwzloDbsnX0sCrc7ct7QVc
MD5:	A016545F963548E0F37885E07EF945C7
SHA1:	CBE499E53AB0BD2DA21018F4E2092E33560C846F
SHA-256:	6B56F77DA6F17880A42D2F9D2EC8B426248F7AB2196A0F55D37ADE39E3878BC6
SHA-512:	47A3C965593B97392F8995C7B80394E5368D735D4C77F610AFD61367FFE7658A0E83A0DBD19962C4FA864D94F245A9185A915010AFA23467F999C833982654C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'`.CF.KCF.KCF.KJ>.KGF.K.).JAF.KW-.JAF.K.).JVF.K.).JKF.K.).J@F.K.6.JFF.KCF.K.G.K.6.JPF.K.6.JBF.K.6.KBF.KCF.KBF.K.6.JBF.KRichCF.K........................PE..d......_.........." .....$..........t(.......................................p.......5....`............................................."..l........P.......0.......,.......`..L...hw..T....................x..(....w..0............@...............................text....".......$.................. ..`.rdata..z....@.......(..............@..@.data...x...........................@....pdata.......0......................@..@.rsrc........P......."..............@..@.reloc..L....`.......(..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Widgets.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5498352
Entropy (8bit):	6.619117060971844
Encrypted:	false
SSDEEP:	49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
MD5:	4CD1F8FDCD617932DB131C3688845EA8
SHA1:	B090ED884B07D2D98747141AEFD25590B8B254F9
SHA-256:	3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
SHA-512:	7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x..................I.......I.......I.......I...........................................9.................................Rich............PE..d....._.........." ......3..P .......3.......................................T......MT...`.........................................0.D.P^....L.h....pS......0P..8....S.......S.d.....?.T...................`.?.(...0.?.0.............3.._...........................text.....3.......3................. ..`.rdata..8.....3.......3.............@..@.data.........O......dO.............@....pdata...8...0P..:....O.............@..@.rsrc........pS......4S.............@..@.reloc..d.....S......:S.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101872
Entropy (8bit):	6.5661918084228725
Encrypted:	false
SSDEEP:	1536:RCKWZGuEK0mOLSTxoPl9GIcuZrxi4hXX9oix8H+NCIecbGShwZul:RFWY1WxgGStJ8H2CIecbG36
MD5:	971DBBE854FC6AB78C095607DFAD7B5C
SHA1:	1731FB947CD85F9017A95FDA1DC5E3B0F6B42CA2
SHA-256:	5E197A086B6A7711BAA09AFE4EA7C68F0E777B2FF33F1DF25A21F375B7D9693A
SHA-512:	B966AAB9C0D9459FADA3E5E96998292D6874A7078924EA2C171F0A1A50B0784C24CC408D00852BEC48D6A01E67E41D017684631176D3E90151EC692161F1814D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w.............t:..............................................................Rich....................PE..d.....t^.........." .........^.......................................................e....`A.........................................0..4....9.......p.......P.......L...A..............8........................... ...0............................................text...2........................... ..`.rdata...?.......@..................@..@.data...0....@.......4..............@....pdata.......P.......8..............@..@_RDATA.......`.......D..............@..@.rsrc........p.......F..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44528
Entropy (8bit):	6.627837381503075
Encrypted:	false
SSDEEP:	384:Aim/NRETi8kykt25HwviU5fJUiP2551xWmbTqOA7SXf+Ny85xM8ATJWr3KWoC8cS:0Ie8kySL2iPQxdvjAevcMESW5lxJG
MD5:	6BC084255A5E9EB8DF2BCD75B4CD0777
SHA1:	CF071AD4E512CD934028F005CABE06384A3954B6
SHA-256:	1F0F5F2CE671E0F68CF96176721DF0E5E6F527C8CA9CFA98AA875B5A3816D460
SHA-512:	B822538494D13BDA947655AF791FED4DAA811F20C4B63A45246C8F3BEFA3EC37FF1AA79246C89174FE35D76FFB636FA228AFA4BDA0BD6D2C41D01228B151FD89
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .S.A...A...A..0.m..A..O....A...9...A...A...A..O....A..O....A..O....A..O....A..O.}..A..O....A..Rich.A..................PE..d.....t^.........." .....:...4......pA...............................................Z....`A.........................................j......\|k..x....................l...A......8....b..8...........................@b..0............P..X............................text....9.......:.................. ..`.rdata... ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..8............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4173928
Entropy (8bit):	6.329102290474506
Encrypted:	false
SSDEEP:	49152:8BfmqCtLI4erBYysLjG/A8McPyCD6hw16JVTW7B3EgvVlQ3LAYmyNOvGJse+aWyb:8eZevVKACOvWYQF
MD5:	B0AE3AA9DD1EBD60BDF51CB94834CD04
SHA1:	EE2F5726AC140FB42D17ABA033D678AFAF8C39C1
SHA-256:	E994847E01A6F1E4CBDC5A864616AC262F67EE4F14DB194984661A8D927AB7F4
SHA-512:	756EBF4FA49029D4343D1BDB86EA71B2D49E20ADA6370FD7582515455635C73D37AD0DBDEEF456A10AB353A12412BA827CA4D70080743C86C3B42FA0A3152AA3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G..(.a.{.a.{.a.{..m{5a.{..l{.a.{.m{.a.{.o{.a.{.a.{.a.{.i{.a.{.l{.a.{.h{.a.{.q{.a.{.k{.a.{.n{.a.{Rich.a.{........................PE..d......R.........." ......;.........`.8......................................@@......a@...`...........................................;.u...P.>.d.....?.@.....=......t?.h<... ?..{..................................@a................>.P............................text.....;.......;................. ..`.data...h.....;.......;.............@....pdata........=......n<.............@..@.idata..@.....>......B>.............@..@.rsrc...@.....?......\>.............@..@.reloc....... ?......b>.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\libEGL.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25072
Entropy (8bit):	5.961464514165753
Encrypted:	false
SSDEEP:	384:KEyYvsyDQrjwgut4Maw+XZndDGg7Dgf2hU:RvszjwgocwOhdDGEUf2hU
MD5:	BB00EF1DD81296AF10FDFA673B4D1397
SHA1:	773FFCF4A231B963BAAC36CBEF68079C09B62837
SHA-256:	32092DE077FD57B6EF355705EC46C6D21F6D72FBE3D3A5DD628F2A29185A96FA
SHA-512:	C87C0868C04852B63A7399AFE4E568CD9A65B7B7D5FD63030ABEA649AAC5E9F2293AB5BE2B2CE56A57F2B4B1992AE730150A293ADA53637FC5CD7BE0A727CBD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...Xv@.Xv@.Xv@. .@.Xv@.7wA.Xv@.3wA.Xv@.7sA.Xv@.7rA.Xv@.7uA.Xv@W(wA.Xv@.Xw@.Xv@W(sA.Xv@W(vA.Xv@W(.@.Xv@.X.@.Xv@W(tA.Xv@Rich.Xv@........PE..d...#._.........." .........0......................................................Z.....`.........................................`9.......B..d.......H....p.......F.......... ....3..T............................4..0............0...............................text............................... ..`.rdata..r#...0...$..................@..@.data........`.......:..............@....pdata.......p.......<..............@..@.rsrc...H............>..............@..@.reloc.. ............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\libGLESv2.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3385328
Entropy (8bit):	6.382356347494905
Encrypted:	false
SSDEEP:	49152:sU0O89Onk/cNTgO/WSLqfTPnK+9eaOiY95ZEQryD1pPG3L:MaHUKt3L
MD5:	2247EE4356666335DF7D72129AF8D600
SHA1:	F0131C1A67FC17C0E8DCC4A4CA38C9F1780E7182
SHA-256:	50FAD5605B3D57627848B3B84A744DFB6A045609B8236B04124F2234676758D8
SHA-512:	67F2A7BF169C7B9A516689CF1B16446CA50E57F099B9B742CCB1ABB2DCDE8867F8F6305AD8842CD96194687FC314715AE04C1942B0E0A4F51B592B028C5B16D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............t..t..t....t.A.p..t.A.w..t.A.q..t.A.u..t.u..t..u..t...q..t...t..t......t.....t...v..t.Rich..t.........PE..d....._.........." ......&.........L.&.......................................3.......3...`..........................................0..]....0.......3.P.....1.L.....3.......3..;...},.T...................P.,.(... ~,.0.............'..............................text...o.&.......&................. ..`.rdata........'.......&.............@..@.data.........1.......0.............@....pdata..L.....1.......1.............@..@.rsrc...P.....3......J3.............@..@.reloc...;....3..<...P3.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\opengl32sw.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20923392
Entropy (8bit):	6.255903817217008
Encrypted:	false
SSDEEP:	393216:LIckHor5uLnn83wAP5hxOZEa7/LzRuDFqILn5LgcKyZyQXt+8M:yEZbv
MD5:	7DBC97BFEE0C7AC89DA8D0C770C977B6
SHA1:	A064C8D8967AAA4ADA29BD9FEFBE40405360412C
SHA-256:	963641A718F9CAE2705D5299EAE9B7444E84E72AB3BEF96A691510DD05FA1DA4
SHA-512:	286997501E1F5CE236C041DCB1A225B4E01C0F7C523C18E9835507A15C0AC53C4D50F74F94822125A7851FE2CB2FB72F84311A2259A5A50DCE6F56BA05D1D7E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.@..............'.......'.......'..[...........\|.-.....\|.+....\|..<....'......../.....q.*.....q.+....q.&.^...q.......q.,.....Rich............PE..d....._W.........." .....(....b.....\|&....................................... E...........`.........................................0.1.t.....1...............9.`n............C..k.. . .T..................... .(..... ..............@...............................text...T&.......(.................. ..`.rdata..XvO..@...xO..,..............@..@.data....;....1.......1.............@....pdata..`n....9..p...D3.............@..@.gfids.......pC.......=.............@..@.tls..........C.......=.............@..._RDATA........C.......=.............@..@.reloc...k....C..l....=.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68080
Entropy (8bit):	6.207162014262433
Encrypted:	false
SSDEEP:	1536:mQ4IT53ign4CbtlO705xWL3frA5rlhgQJ7tapgUff:mLIT53Hbtk70OLs3hg0Cz
MD5:	750A31DE7840B5EED8BA14C1BD84D348
SHA1:	D345D13B0C303B7094D1C438E49F0046791DE7F6
SHA-256:	A9BFFB0F3CD69CD775C328C916E46440FE80D99119FAEBC350C7EC51E3E57C41
SHA-512:	5C0A68ED27A9F1BBFF104942152E475C94BB64B03CE252EAAC1A6770E24DC4156CE4ADE99EBCD92662801262DED892C33F84C605AD84472B45A83C4883D5E767
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............h..h..h...s.h..]...h.....h..]...h..]...h..]...h......h..h..&h......h......h......h......h..Rich.h..................PE..d...X._.........." .........b......$........................................@......{v....`......................................... ................ ..X....................0......H...T......................(.......0............................................text............................... ..`.rdata...E.......F..................@..@.data...............................@....pdata..............................@..@.qtmetadi...........................@..P.rsrc...X.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	41968
Entropy (8bit):	6.0993566622860635
Encrypted:	false
SSDEEP:	768:VPs5g31JfDgej5JZmA0ZsEEC6lmn+4FdDGimUf2hr:VkC31ee7ZmA+sEEC6lmn+4FOUfc
MD5:	313F89994F3FEA8F67A48EE13359F4BA
SHA1:	8C7D4509A0CAA1164CC9415F44735B885A2F3270
SHA-256:	42DDE60BEFCF1D9F96B8366A9988626B97D7D0D829EBEA32F756D6ECD9EA99A8
SHA-512:	06E5026F5DB929F242104A503F0D501A9C1DC92973DD0E91D2DAF5B277D190082DE8D37ACE7EDF643C70AA98BB3D670DEFE04CE89B483DA4F34E629F8ED5FECF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.:..i..i..i#.Ei...i...h(..i>..h(..i...h8..i...h-..i...h(..i...h-..i..i...i...h(..i...h+..i..)i+..i...h+..iRich*..i........................PE..d......_.........." .....@...F.......F..............................................C.....`..........................................g..x...hh..........H...........................xX..T....................Z..(....X..0............P...............................text....>.......@.................. ..`.rdata...3...P...4...D..............@..@.data................x..............@....pdata...............z..............@..@.qtmetadj...........................@..P.rsrc...H...........................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qgif.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39408
Entropy (8bit):	6.0316011626259405
Encrypted:	false
SSDEEP:	768:ygk2hM0GskFtvPCjEIxh8eDzFyPddeeGvnhotdDGPUf2he:yN2a05kfPOEMaeDzFkddeFnhotOUfh
MD5:	52FD90E34FE8DED8E197B532BD622EF7
SHA1:	834E280E00BAE48A9E509A7DC909BEA3169BDCE2
SHA-256:	36174DD4C5F37C5F065C7A26E0AC65C4C3A41FDC0416882AF856A23A5D03BB9D
SHA-512:	EF3FB3770808B3690C11A18316B0C1C56C80198C1B1910E8AA198DF8281BA4E13DC9A6179BB93A379AD849304F6BB934F23E6BBD3D258B274CC31856DE0FC12B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3..3..3..KA.3..o\..3..X..3..o\..3..o\..3..o\..3.."C..3..3...3.."C..3.."C..3.."C-.3.."C..3..Rich.3..........PE..d...H._.........." .....@...B.......E...............................................^....`..........................................f..t....f..........@............~..............HW..T....................X..(....W..0............P...............................text...k?.......@.................. ..`.rdata..&)...P...*...D..............@..@.data...(............n..............@....pdata...............p..............@..@.qtmetads............v..............@..P.rsrc...@............x..............@..@.reloc...............\|..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qicns.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45040
Entropy (8bit):	6.016125225197622
Encrypted:	false
SSDEEP:	768:vEip0IlhxTDxut3dnm8IyAmQQ3ydJouEAkNypTAO0tfC3apmsdDG9Uf2hU:vxvXxgVIyA23ydJlEATpTAO0tfCKpms/
MD5:	AD84AF4D585643FF94BFA6DE672B3284
SHA1:	5D2DF51028FBEB7F6B52C02ADD702BC3FA781E08
SHA-256:	F4A229A082D16F80016F366156A2B951550F1E9DF6D4177323BBEDD92A429909
SHA-512:	B68D83A4A1928EB3390DEB9340CB27B8A3EB221C2E0BE86211EF318B4DD34B37531CA347C73CCE79A640C5B06FBD325E10F8C37E0CEE2581F22ABFBFF5CC0D55
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................a....Q........Q......Q......Q......................................Rich...........PE..d......_.........." .....B...N.......G...............................................&....`.............................................t...$...........@...........................xp..T....................r..(....p..0............`...............................text....@.......B.................. ..`.rdata...9...`...:...F..............@..@.data...............................@....pdata..............................@..@.qtmetadx...........................@..P.rsrc...@...........................@..@.reloc..............................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qico.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38384
Entropy (8bit):	5.957072398645384
Encrypted:	false
SSDEEP:	768:zBXBEfQiAzC9Oh5AS7a3Z5OGrTDeV9mp7nnsWdDGgYUf2hi/:8JAzuOhy3zOGrTDeV9mp7nnsWjYUfz
MD5:	A9ABD4329CA364D4F430EDDCB471BE59
SHA1:	C00A629419509929507A05AEBB706562C837E337
SHA-256:	1982A635DB9652304131C9C6FF9A693E70241600D2EF22B354962AA37997DE0B
SHA-512:	004EA8AE07C1A18B0B461A069409E4061D90401C8555DD23DBF164A08E96732F7126305134BFAF8B65B0406315F218E05B5F0F00BEDB840FB993D648CE996756
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.G...G...G...N...C......E...S...E......R......O......D.......B...G...........D.......F.......F.......F...RichG...................PE..d...H._.........." .....4...H.......9....................................................`..........................................h..t...th..........@............z..............(X..T....................Y..(....X..0............P..8............................text....2.......4.................. ..`.rdata..B/...P...0...8..............@..@.data...h............h..............@....pdata...............l..............@..@.qtmetad.............r..............@..P.rsrc...@............t..............@..@.reloc...............x..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qjpeg.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	421360
Entropy (8bit):	5.7491063936821405
Encrypted:	false
SSDEEP:	6144:USgOWz1eW38u9tyh6fpGUasBKTrsXWwMmH1l3JM5hn0uEfB4:USPQTnastBRB4
MD5:	16ABCCEB70BA20E73858E8F1912C05CD
SHA1:	4B3A32B166AB5BBBEE229790FDAE9CBC84F936BA
SHA-256:	FB4E980CB5FAFA8A4CD4239329AED93F7C32ED939C94B61FB2DF657F3C6AD158
SHA-512:	3E5C83967BF31C9B7F1720059DD51AA4338E518B076B0461541C781B076135E9CB9CBCEB13A8EC9217104517FBCC356BDD3FFACA7956D1C939E43988151F6273
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iv"...L...L...L..o....L..xM...L..\|M...L.......L..xI...L..xH...L..xO...L..gM...L...M...L..gH.?.L..gI...L..gL...L..g....L..gN...L.Rich..L.........PE..d...o._.........." .....b...........i...............................................g....`.............................................t...............@....`.......R..............h...T.......................(.......0...............@............................text....`.......b.................. ..`.rdata..J............f..............@..@.data...8....P.......(..............@....pdata.......`... ...*..............@..@.qtmetad.............J..............@..P.rsrc...@............L..............@..@.reloc...............P..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qsvg.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32240
Entropy (8bit):	5.978149408776758
Encrypted:	false
SSDEEP:	768:uOVKDlJJVlTuLiMtsKVG7TSdDG9Uf2h4e:hVgJVlTuL/tsKVG7TSQUfre
MD5:	C0DE135782FA0235A0EA8E97898EAF2A
SHA1:	FCF5FD99239BF4E0B17B128B0EBEC144C7A17DE2
SHA-256:	B3498F0A10AC4CB42CF7213DB4944A34594FF36C78C50A0F249C9085D1B1FF39
SHA-512:	7BD5F90CCAB3CF50C55EAF14F7EF21E05D3C893FA7AC9846C6CA98D6E6D177263AC5EB8A85A34501BCFCA0DA7F0B6C39769726F4090FCA2231EE64869B81CF0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x>...P...P...P..a...P.&vQ...P..rQ...P.&vU...P.&vT...P.&vS...P.kiQ...P...Q.n.P.kiU...P.kiP...P.ki....P.kiR...P.Rich..P.........PE..d......_.........." .....$...B......D)....................................................`.........................................PU..t....U..........@............b...............G..T....................I..(...PH..0............@..(............................text....".......$.................. ..`.rdata...+...@...,...(..............@..@.data...8....p.......T..............@....pdata...............V..............@..@.qtmetad.............Z..............@..P.rsrc...@............\..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qtga.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	5.865766652452823
Encrypted:	false
SSDEEP:	768:1lGALluUEAQATWQ79Z2Y8Ar+dDG2vUf2hF:TZl/EH8WQ794Y8Ar+hvUfm
MD5:	A913276FA25D2E6FD999940454C23093
SHA1:	785B7BC7110218EC0E659C0E5ACE9520AA451615
SHA-256:	5B641DEC81AEC1CF7AC0CCE9FC067BB642FBD32DA138A36E3BDAC3BB5B36C37A
SHA-512:	CEBE48E6E6C5CDF8FC339560751813B8DE11D2471A3DAB7D648DF5B313D85735889D4E704E8EEC0AD1084AB43BE0EBDFBACD038AEAC46D7A951EFB3A7CE838EB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F ._'N._'N._'N.V_.Y'N..HO.]'N.KLO.]'N..HK.M'N..HJ.W'N..HM.\'N..WO.Z'N._'O.4'N..WK.\'N..WN.^'N..W..^'N..WL.^'N.Rich_'N.........................PE..d......_.........." ....."...@.......'..............................................7.....`..........................................W..t...dX..........@.......`....`..............(I..T....................J..(....I..0............@..h............................text...[!.......".................. ..`.rdata...)...@...*...&..............@..@.data........p.......P..............@....pdata..`............T..............@..@.qtmetadu............X..............@..P.rsrc...@............Z..............@..@.reloc...............^..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qtiff.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	390128
Entropy (8bit):	5.724665470266677
Encrypted:	false
SSDEEP:	6144:V0jqHiFBaRe0GPAKwP15e7xrEEEEEEN024Rx/3tkYiHUASQbs/l7OanYoOgyV:0qqwP15bx/q7/yyV
MD5:	9C0ACF12D3D25384868DCD81C787F382
SHA1:	C6E877ABA3FB3D2F21D86BE300E753E23BB0B74E
SHA-256:	825174429CED6B3DAB18115DBC6C9DA07BF5248C86EC1BD5C0DCAECA93B4C22D
SHA-512:	45594FA3C5D7C4F26325927BB8D51B0B88E162E3F5E7B7F39A5D72437606383E9FDC8F83A77F814E45AFF254914514AE52C1D840A6C7B98767F362ED3F4FC5BD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................E....q............q......q......q......<.............<......<......<......<.)....<......Rich....................PE..d......_.........." .....(..........D-.......................................0............`.............................................t...4...........@........%........... ..(....d..T................... f..(....d..0............@..0............................text....&.......(.................. ..`.rdata...v...@...x...,..............@..@.data...(...........................@....pdata...%.......&..................@..@.qtmetad............................@..P.rsrc...@...........................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qwbmp.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30192
Entropy (8bit):	5.938644231596902
Encrypted:	false
SSDEEP:	768:EfEM3S46JE2X/xBZ76pC5J6GdDGZUf2h4:63S3JE2PHZ76pC5J6GEUfn
MD5:	68919381E3C64E956D05863339F5C68C
SHA1:	CE0A2AD1F1A46B61CB298CEC5AA0B25FF2C12992
SHA-256:	0F05969FB926A62A338782B32446EA3E28E4BFBFFC0DBD25ED303FAB3404ABAC
SHA-512:	6222A3818157F6BCD793291A6C0380EF8C6B93ECEA2E0C9A767D9D9163461B541AFAF8C6B21C5A020F01C95C6EE9B2B74B358BA18DA120F520E87E24B20836AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<.I.<.I.<.I.D%I.<.I.S.H.<.I.W.H.<.I.S.H.<.I.S.H.<.I.S.H.<.IYL.H.<.I.<.I.<.IYL.H.<.IYL.H.<.IYLII.<.IYL.H.<.IRich.<.I........PE..d......_.........." ..... ...8.......'....................................................`......................................... D..t....D..........@....p..T....Z...............6..T...................p8..(...@7..0............0..p............................text............ .................. ..`.rdata..d&...0...(...$..............@..@.data........`.......L..............@....pdata..T....p.......N..............@..@.qtmetad~............R..............@..P.rsrc...@............T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\imageformats\qwebp.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	510448
Entropy (8bit):	6.605517748735854
Encrypted:	false
SSDEEP:	12288:bPTjgdqdsvh+LrLrLrL5/y4DVHAsqx3hXS+oPZQqRaYG:jT5sMLrLrLrL5q4dAsaOFo
MD5:	308E4565C3C5646F9ABD77885B07358E
SHA1:	71CB8047A9EF0CDB3EE27428726CACD063BB95B7
SHA-256:	6E37ACD0D357871F92B7FDE7206C904C734CAA02F94544DF646957DF8C4987AF
SHA-512:	FFAEECFAE097D5E9D1186522BD8D29C95CE48B87583624EB6D0D52BD19E36DB2860A557E19F0A05847458605A9A540C2A9899D53D36A6B7FD5BF0AD86AF88124
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................a....s........s......s......s....>.........>......>.....>....>......>....Rich...................PE..d......_.........." .....B..........tH.......................................0......`q....`..........................................W..t....W..........@.......0H........... ......h...T.......................(.......0............`...............................text...[@.......B.................. ..`.rdata..J....`.......F..............@..@.data....'...........X..............@....pdata..0H.......J...\..............@..@.qtmetadv...........................@..P.rsrc...@...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qminimal.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	844784
Entropy (8bit):	6.625808732261156
Encrypted:	false
SSDEEP:	12288:y6MhioHKQ1ra8HT+bkMY8zKI4kwU7dFOTTYfEWmTxbwTlWc:BMhioHKQp+bkjAjwGdFSZtbwBd
MD5:	2F6D88F8EC3047DEAF174002228219AB
SHA1:	EB7242BB0FE74EA78A17D39C76310A7CDD1603A8
SHA-256:	05D1E7364DD2A672DF3CA44DD6FD85BED3D3DC239DCFE29BFB464F10B4DAA628
SHA-512:	0A895BA11C81AF14B5BD1A04A450D6DCCA531063307C9EF076E9C47BD15F4438837C5D425CAEE2150F3259691F971D6EE61154748D06D29E4E77DA3110053B54
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#\..B2..B2..B2..:...B2..-3..B2.F....B2..-7..B2..-6..B2..-1..B2..)6..B2.^23..B2..)3..B2..B3.@2.^26..B2.^27..B2.^22..B2.^2...B2.^20..B2.Rich.B2.........PE..d...N._.........." ......................................................... ............`......................................... ...x.......@.......H....`..H.......................T.......................(.......0...............(............................text...;........................... ..`.rdata...C.......D..................@..@.data...H....@......."..............@....pdata..H....`.......0..............@..@.qtmetad............................@..P.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qoffscreen.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754672
Entropy (8bit):	6.6323155845799695
Encrypted:	false
SSDEEP:	12288:/HpBmyVIRZ3Tck83vEgex5aebusGMIlhLfEWmpCJkl:/HpB63TckUcLaHMITAZmW
MD5:	6407499918557594916C6AB1FFEF1E99
SHA1:	5A57C6B3FFD51FC5688D5A28436AD2C2E70D3976
SHA-256:	54097626FAAE718A4BC8E436C85B4DED8F8FB7051B2B9563A29AEE4ED5C32B7B
SHA-512:	8E8ABB563A508E7E75241B9720A0E7AE9C1A59DD23788C74E4ED32A028721F56546792D6CCA326F3D6AA0A62FDEDC63BF41B8B74187215CD3B26439F40233F4D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m..T..KT..KT..K]t7K@..K.c.JV..K@g.JV..K.cKU..K.c.JA..K.c.J\..K.c.JP..K.\|.JQ..KT..K...K.\|.Js..K.\|.JS..K.\|.JU..K.\|[KU..K.\|.JU..KRichT..K........PE..d...R._.........." ................L.....................................................`.............................................x...8...........H....... s...h..........p.......T................... ...(.......0...............@............................text............................... ..`.rdata..............................@..@.data...............................@....pdata.. s.......t..................@..@.qtmetad.............T..............@..P.rsrc...H............V..............@..@.reloc..p............Z..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qwebgl.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	482288
Entropy (8bit):	6.152380961313931
Encrypted:	false
SSDEEP:	6144:WO/vyK+DtyaHlIMDhg5WEOvAwKB2VaaHeqRw/yVfYu4UnCA6DEjeYchcD+1Zy2:bKtHOWg5OvAwK0NYu4AShcD+1U2
MD5:	1EDCB08C16D30516483A4CBB7D81E062
SHA1:	4760915F1B90194760100304B8469A3B2E97E2BC
SHA-256:	9C3B2FA2383EEED92BB5810BDCF893AE30FA654A30B453AB2E49A95E1CCF1631
SHA-512:	0A923495210B2DC6EB1ACEDAF76D57B07D72D56108FD718BD0368D2C2E78AE7AC848B90D90C8393320A3D800A38E87796965AFD84DA8C1DF6C6B244D533F0F39
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gM..#...#...#..~....#.ei&...#.ei'...#.ei ...#..m'...#.ei"...#.(v"...#..m"...#..."...#.(v&...#.(v#...#.(v...#.(v!...#.Rich..#.................PE..d......_.........." .....R...........;....................................................`..........................................m..t...Dn..T.......@....@...=...@..............0...T.......................(.......0............p..(............................text...{Q.......R.................. ..`.rdata..:....p.......V..............@..@.data...H....0......................@....pdata...=...@...>..................@..@.qtmetadz............2..............@..P.rsrc...@............4..............@..@.reloc...............8..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platforms\qwindows.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1477104
Entropy (8bit):	6.575113537540671
Encrypted:	false
SSDEEP:	24576:4mCSPJrAbXEEuV9Hw2SoYFo3HdxjEgqJkLdLu5qpmZuhg/A2b:nPlIEEuV9Hw2SFFWHdWZsdmqja/A2b
MD5:	4931FCD0E86C4D4F83128DC74E01EAAD
SHA1:	AC1D0242D36896D4DDA53B95812F11692E87D8DF
SHA-256:	3333BA244C97264E3BD19DB5953EFA80A6E47AACED9D337AC3287EC718162B85
SHA-512:	0396BCCDA43856950AFE4E7B16E0F95D4D48B87473DC90CF029E6DDFD0777E1192C307CFE424EAE6FB61C1B479F0BA1EF1E4269A69C843311A37252CF817D84D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i...-...-...-...$.%.9.....q.,......8......%......)......+...9......9..,......)..........9..8...-..........d......,.....I.,......,...Rich-...........PE..d....._.........." .....,...h......4+..............................................n.....`.............................................x...(...........H............n..........X....r..T...................Pt..(... s..0............@...5...........................text..._+.......,.................. ..`.rdata.......@.......0..............@..@.data....m...@...D...(..............@....pdata...............l..............@..@.qtmetad.............J..............@..P.rsrc...H............L..............@..@.reloc..X............P..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68592
Entropy (8bit):	6.125954940500008
Encrypted:	false
SSDEEP:	1536:Nt4B1RLj3S6TtH2sweUH+Hz6/4+D6VFsfvUfO:AB1RHFdoeUs6/4O6VFSZ
MD5:	F66F6E9EDA956F72E3BB113407035E61
SHA1:	97328524DA8E82F5F92878F1C0421B38ECEC1E6C
SHA-256:	E23FBC1BEC6CEEDFA9FD305606A460D9CAC5D43A66D19C0DE36E27632FDDD952
SHA-512:	7FF76E83C8D82016AB6BD349F10405F30DEEBE97E8347C6762EB71A40009F9A2978A0D8D0C054CF7A3D2D377563F6A21B97DDEFD50A9AC932D43CC124D7C4918
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o...o...o...f...k......m...{..m......~......h......m......h...o..........k......n.....~.n......n...Richo...........................PE..d...V._.........." .....z...t......T........................................@.......b....`......................................... ................ ..X....................0..4.......T.......................(...p...0...............x............................text....y.......z.................. ..`.rdata...Z.......\...~..............@..@.data...............................@....pdata..............................@..@.qtmetad............................@..P.rsrc...X.... ......................@..@.reloc..4....0......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	144368
Entropy (8bit):	6.294675868932723
Encrypted:	false
SSDEEP:	3072:rrjwZ43rCOtrBk7wcR0l7wBlaL6BtIEt51T0Nhkqg8FoQY:7hZu9R0l7wFBtIEt51T0Nuqg8JY
MD5:	53A85F51054B7D58D8AD7C36975ACB96
SHA1:	893A757CA01472A96FB913D436AA9F8CFB2A297F
SHA-256:	D9B21182952682FE7BA63AF1DF24E23ACE592C35B3F31ECEEF9F0EABEB5881B9
SHA-512:	35957964213B41F1F21B860B03458404FBF11DAF03D102FBEA8C2B2F249050CEFBB348EDC3F22D8ECC3CB8ABFDC44215C2DC9DA029B4F93A7F40197BD0C16960
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R._...1]..1]..1]..]..1]..0\..1]..5\..1]..2\..1]..4\..1]..0\..1]..0\..1]..0]..1]..4\..1]..1\..1]...]..1]..3\..1]Rich..1]........................PE..d...`._.........." .....\...........`.......................................`......wJ....`................................................. ........@..X.... ...............P.........T...................`...(...0...0............p...............................text....Z.......\.................. ..`.rdata......p.......`..............@..@.data...............................@....pdata....... ......................@..@.qtmetadm....0......................@..P.rsrc...X....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_ar.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	130
Entropy (8bit):	4.024232093209084
Encrypted:	false
SSDEEP:	3:j2wZC4C/2/vlAlHekW3/S1MUe3/CLlI+rwtbWlMrNtYs8ar/u:Cwm+/PtUePCRIRt6Ygs8y/u
MD5:	8FF05B56C0995F90A80B7064AA6E915C
SHA1:	D5AEB09AE557CEEFB758972EC4AC624CDDC9E6A7
SHA-256:	A8A1B0D6F958E7366D1C856BE61000106D3E7FC993FB931675369892B9002D0B
SHA-512:	5374E0F1D3F5A6A456B00732DE8005787B17ECEF9C8A2B2C1228966A6A8DE211700334D8FD789DAD269F52D0AEED3F5160010CA60909861E270C253B3EA881A4
Malicious:	false
Preview:	<.d....!..`.......ar....R.....q.t.b.a.s.e._.a.r.....q.t.s.c.r.i.p.t._.a.r.....q.t.m.u.l.t.i.m.e.d.i.a._.a.r..............$...*.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_bg.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6813848812976975
Encrypted:	false
SSDEEP:	3:j2wZC4C/6lLlAlHekVYtzlY1MUdI7lULlI+rwtbWlMoIFl8IPldkO4t/z:CwDC+7tJjUWhURIRt68f8oiP1z
MD5:	466EED6C184D2055488D4C5EA9AE5F20
SHA1:	8599AB9B731BFC84F6EEC7A0129F396FB8FEC4EA
SHA-256:	9E1CE4D91852352043D9191F1A992838F919CBA7E2F2D9BB1161E494E8BF5F5E
SHA-512:	D2462951EC7DCE3D0851AE9C4ED644FFE0D2A5BDD15B4AE1A4295C187B4295BC854D6A5038DAC0564D165463419D615EB6CE7A9760CEFAD71AB673FB2109C349
Malicious:	false
Preview:	<.d....!..`.......bg....v.....q.t.b.a.s.e._.b.g.....q.t.s.c.r.i.p.t._.b.g.....q.t.m.u.l.t.i.m.e.d.i.a._.b.g... .q.t.x.m.l.p.a.t.t.e.r.n.s._.b.g.......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_ca.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.631479835393124
Encrypted:	false
SSDEEP:	3:j2wZC4C/NVl/lAlHekUOplY1MUce/hlAlI+rwtbWlMpOflUlIPldkOHlz:CwO4+94jUcerAIRt6a6Uloi8
MD5:	6FBA66FE449866B478A2EBA66A724A02
SHA1:	EBEF6ED8460218CE8DF735659A8CBCD693600AC6
SHA-256:	171C7424B24D8502AB53CB3784FF34D8FCFAE26557CF8AF4DFDDEC6485ACC2FE
SHA-512:	2D2438738C6D10D8A53B46DE5A94BBF993818D080F344D9F1B94FC83D60335D9A5E8EFCC297D593FFF1D427972F9F9502FC31C332CAEA579FC7A88487390457E
Malicious:	false
Preview:	<.d....!..`.......ca....v.....q.t.b.a.s.e._.c.a.....q.t.s.c.r.i.p.t._.c.a.....q.t.m.u.l.t.i.m.e.d.i.a._.c.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.c.a.......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_cs.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	157
Entropy (8bit):	3.7483537099309427
Encrypted:	false
SSDEEP:	3:j2wZC4C/fVFlAlHekUsplY1MUcM/hlULlI+rwtbWlMpsfl8IPldkO1lPchn:CwY4+9ujUcMrURIRt6aE8oinh
MD5:	D033053C03C3ECFA2AA926E0E674F67F
SHA1:	B4E95F8278121E2549F8BB6B5DAF1496F1738A7D
SHA-256:	3C0CBFD19490D67D1B3B9E944C3A4D9A9E7F87D7AE35E88D5D5A0077349B5B21
SHA-512:	2C7E9E9DBE0B25FBA94A52FE4BCCB1D9FED2A7BD2877DB91F82546C3BC8606280949594227BA0FC1C74C31010E1F573B3A82852BE746EAA4F397140485789136
Malicious:	false
Preview:	<.d....!..`.......cs....v.....q.t.b.a.s.e._.c.s.....q.t.s.c.r.i.p.t._.c.s.....q.t.m.u.l.t.i.m.e.d.i.a._.c.s... .q.t.x.m.l.p.a.t.t.e.r.n.s._.c.s...........

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_da.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6174817344122334
Encrypted:	false
SSDEEP:	3:j2wZC4C/4Jlr/lAlHekT6hY1MUb6JAlI+rwtbWlMuel3UlIPldkOQtt:Cw7rC+3jUkAIRt6EVUloi9
MD5:	E6A683F4A0883B5B0C7D30B847EF208C
SHA1:	FF2440DBBFE04AD86C6F285426AAFD49A895B128
SHA-256:	B5036161CE808C728E5FDA985F792DB565831FD01CF00B282547790C037353A2
SHA-512:	D73B794A71DFD3A3C06BF43ED109F635B4960F9A3904FB728873AB5251BDF6A791DDFDEBA884A2703A35461E18BA902804095AC4B92A2C9361526469B6D35FFA
Malicious:	false
Preview:	<.d....!..`.......da....v.....q.t.b.a.s.e._.d.a.....q.t.s.c.r.i.p.t._.d.a.....q.t.m.u.l.t.i.m.e.d.i.a._.d.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.d.a.......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_de.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6174817344122334
Encrypted:	false
SSDEEP:	3:j2wZC4C/8rJFlAlHekTul01MUbul4LlI+rwtbWlMuallyIPldkOknt:Cw/rJ4+XU5RIRt6Aaoi7t
MD5:	06168E1261BF72F49F94927723B2E1EB
SHA1:	DEAF1B53C3FEE6CB28840418D0060AFA4D59D3FC
SHA-256:	5805B8FF3747849794E2D70661D737C69C15F1AE763C38E17084B1E5A81E9153
SHA-512:	AA3915C029C74DC270514C7F50E8BEC06C825F278E0DE0477AD8ED3187700BBD7711382A6E47C3AC76AC756CEFF9FA8CDD4E9B9DAC817475BC122F78B02C7D7D
Malicious:	false
Preview:	<.d....!..`.......de....v.....q.t.b.a.s.e._.d.e.....q.t.s.c.r.i.p.t._.d.e.....q.t.m.u.l.t.i.m.e.d.i.a._.d.e... .q.t.x.m.l.p.a.t.t.e.r.n.s._.d.e.......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_en.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_es.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6070658648473097
Encrypted:	false
SSDEEP:	3:j2wZC4C/7lJFlAlHekSMthULlI+rwtbWlMvEJY1MUaEf8IPldkOzvt:CwElJ4+7MrURIRt6cujUaE8oi0F
MD5:	EE47DFADBA4414FDC051C5CFBE71DDC1
SHA1:	DE650E96A9C130D35F8A498202773EF7FC875D27
SHA-256:	E25E43F046F61022FFE871A2F73C6A12EDFC5C3EFD958C0E019A721860A053B0
SHA-512:	8C1D8901D2F66CCBF947B831858E08B703517470B2B813B241E00162A275AC9103FF5B9251AD39BD53551E0A4FB45EE74187B218A1EF7C6CF6C5FA9F9219AE04
Malicious:	false
Preview:	<.d....!..`.......es....v.....q.t.b.a.s.e._.e.s.....q.t.m.u.l.t.i.m.e.d.i.a._.e.s.....q.t.s.c.r.i.p.t._.e.s... .q.t.x.m.l.p.a.t.t.e.r.n.s._.e.s.......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_fa.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	293121
Entropy (8bit):	5.272179385890926
Encrypted:	false
SSDEEP:	3072:gEo2cQbzaVmvGQYkHkMRKkNeGr+0BhaRsLAChY21rpnLqL9ytnvC58gypn4l4qF:gEZbza0HjeGrxBhaCLFC
MD5:	F9C3624197ACB30A9E6CC799BB65BED6
SHA1:	D715EAE24387DE15588F68C92991A93FAFB5EEAB
SHA-256:	B292AFB0763B8C7C30A5AF7372BFC12D8A0D00BF3DD4A000715D9F576D9C1A39
SHA-512:	199C107AE7EAFCF2A5EEC149CAFEE7ED09B938E204B56AD3AAC9568D27166F61EC8E2225A11AF26F7E1F035FB5CAD98621A01E8A9942D18C273F43B90201162A
Malicious:	false
Preview:	<.d....!..`.......faB..I....*...u...+...............@.......A...J...B.......C...X...D.......E.......F...%...G.......H...0...I.......P...v...Q.......R.......S.......T..."...U.......V...h...W.......X...s...Y.......]..e....t...................-.......W.......\|.......i...;..Eu...;..Z....;...]...;..c....;.......;..0]...M..f....O.......O..2.......#....}..f=...m..fg.........(5......+;..1a..+;...V..+;...!..+O..17..+O...(..1.......E@......F....u..H4......HY...Y..H....S..I....5..I@.....IA......IC......J...1...J.......J.......J...\|...K...6...LD......L.......PS......R....Z..T.......Zr.. ...[`...O..[`......\...%@..\...2..._...&l.._...38..1........E..........2u..........1.......1...........@......4G...........................$...L...$..xY...[.......,...u...y...y...y..z.......F.......<.......g.......5W...........9...........f...E...U...E../....E..................0-...%..6....%.........................3......f..........5...?...0..EK...0......0..L ...0..c....0.......0...Z...5...........Y.. D

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_fi.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	117
Entropy (8bit):	3.739162292019161
Encrypted:	false
SSDEEP:	3:j2wZC4C/4HlAlHekRgOp1MUZWJKlI+rwtbWlMsIkk:Cwxe++IUocIRt6Qkk
MD5:	72882942B07B8AAC98034016E752B1A0
SHA1:	BF23B4C136B863B10E770019A2DF62FC988859DF
SHA-256:	048CA42DCE4FAF5FC21D843576E3C6FD963146ECC78554E7E5F34D07F64FB213
SHA-512:	403E7F4E9A0E44F2118804F0781A18EB1852797825498751E3AFA02D9558D90293ABDB570786CED80F7EFF800BEF6D9444A72E6A640D331DA46B2A0EA43C8E96
Malicious:	false
Preview:	<.d....!..`.......fi....R.....q.t.b.a.s.e._.f.i.....q.t.s.c.r.i.p.t._.f.i.....q.t.m.u.l.t.i.m.e.d.i.a._.f.i.......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_fr.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.680458675741643
Encrypted:	false
SSDEEP:	3:j2wZC4C/FjlAlHekRL21MUZNJOLlI+rwtbWlMs9KIPldkORT:Cw3+SU0RIRt6koio
MD5:	3C45C665CFE036A7474CB4DCBB13CF40
SHA1:	62312DFF3C4CD38BAE8456C981601D0D89600F63
SHA-256:	8624033D849E670B12C9532337FCBF260F20848E044FEE7787CFE2AC92BE28DB
SHA-512:	21659AA452BC2493D915F0BE94F90CDD57759B1F1306AAA2836058D41E80DED24742EBD74E19420021514A6AB4150CA0B447574E96B9D3BF0BC5A8C78DAAF7AC
Malicious:	false
Preview:	<.d....!..`.......fr....v.....q.t.b.a.s.e._.f.r.....q.t.s.c.r.i.p.t._.f.r.....q.t.m.u.l.t.i.m.e.d.i.a._.f.r... .q.t.x.m.l.p.a.t.t.e.r.n.s._.f.r.......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_gd.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.463523104731333
Encrypted:	false
SSDEEP:	3:j2wZC4C/EXlAlHekQrEuknbJB:CwjO+5JY
MD5:	A8D55457C0413893F746D40B637F9C93
SHA1:	25123615482947772176E055E4A74043B2FBCAA0
SHA-256:	49DF855A004A17950338AF3146466F6DF4D5852410BD0B58EA80E0D0203A9D24
SHA-512:	99718B948D94B292BDEDF6B247A5856BC7AC78408FCC41C980F264C2C8565125786F0289F5F993DCF11B8CDA3AFB2A1D8634B1D0BC9B34992F538F8E4086EC00
Malicious:	false
Preview:	<.d....!..`.......gd..........q.t.b.a.s.e._.g.d....................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_gl.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	323590
Entropy (8bit):	4.568068046062524
Encrypted:	false
SSDEEP:	3072:OYSG8zxWSDjq73Pf6FT1f4uh50QGrRfFD54YyUY0Ou4/tnra3Z0uYhB5YHfHRRn2:O39WSD3TMQGrxFD5EUVQ
MD5:	0661FFABFBC50187F3BA38876B721946
SHA1:	EB5E7205355CFC6BCB4DF27E224079842C97B296
SHA-256:	204A01AC7DEB6B5BAE193AFECBD1E50D18C73BF7D94BADEB2BBFDF6123C4ED93
SHA-512:	65AB66CC54D65E7678FA731A5C5F2CC9D6FC217B91AD47D538440811E09A23E49CD95CE62A79E3E8C275E250AC1A0B54BD289F6DD067573876DA7AFF54381D02
Malicious:	false
Preview:	<.d....!..`.......gl_ESB..I...........+..&............@.......A...z...B.......C...p...D.......E......F...!...G......H.......I......P...@...Q.......R......S...5...T......U...+...V.......W...a...X.......Y...N...]..o....t..,................F.......p..............4....;..LI...;..bD...;.......;.......;.......;..cJ...M..o1...O..G....O..e.......U....}..oY...m..o........D..(5...X..+;..6/..+;...~..+;......+O..6...+O...N..1......E@...?..F.......H4..'...HY......H...3`..I......I@......IA......IC..0...J...P...J...1...J...0...J.......K...:...LD..2...L...3...PS..:A..R... d..T.......Zr..Rd..[`......[`.....\...WK..\...RR.._...X..._...f...1........E...{......7M..........1.......1....q......O.......9......................)....$... ...$.......[..,=...,..-....y..0X...y...~......Mx......]0.......H......:A......0....9...............E...o...E..b....E.........1.......c....%..;....%...;......3.......^......S................5..4Z...0..L....0.......0..n....0.......0..7....0.......5..9D......!g.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_he.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	83
Entropy (8bit):	3.880645689209568
Encrypted:	false
SSDEEP:	3:j2wZC4C/YJ/dQlHekfaB21MUXmlvt:CwT0+D/UUt
MD5:	DD5C2C6B148F2DB3E666B859776AE129
SHA1:	8368F32039CC0776A1B95C9DED5FE6C9EA0D93FD
SHA-256:	C113D14E218D5402B616DABEA27969C6F83852676468C5EF051DDDEFB3EE0235
SHA-512:	2EAE33C8707407E083F6B8B05EA2C5B987646DF1553888C16D6508C5A33B2F758DDED73323622CD50324C96F51D61B7CE822F393551A30B211ABD3CC1367249F
Malicious:	false
Preview:	<.d....!..`.......he....0.....q.t.b.a.s.e._.h.e.....q.t.s.c.r.i.p.t._.h.e.......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_ar.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	8743
Entropy (8bit):	5.189558605179696
Encrypted:	false
SSDEEP:	192:YUM7gBwnG4Vxj4nyn9aAMOJckrL6esm/0sQ5HeK1nvEB:YBkKnZxkyn9aAMWPsm/0sQsGvEB
MD5:	CCD39A7C8139AD041E31B3E5D40968B4
SHA1:	5751BE96817BB6AE7C9DA9F1FBA7F42F31CFCC5D
SHA-256:	222088C9752D1CC3BAB985EF2DC77E5AE78578DCE18A61EC15B39F02E588163D
SHA-512:	9844C0EC65EE1C76DBA021EAC6D476A85E6C8F5BBAF4150C1EA80C0A95BEDE67B5E8F981360EF8599FCECDFCBCB83BC0B8AC44DDEFDCD85F914318030E346967
Malicious:	false
Preview:	<.d....!..`.......arB.....(.....d.0T.....5w......Uj....!.`.....M.a[............n..t..............39....&................B<s...V..M^...e......4.O5^...r..)^......o>...........?...t.....D ......k.N.....k.N...C...n...T...I...R..........2>.................\|..G.......w....T.......l..........,................^............$a......6.>...........x..K......W.b....._Xn......GN...m..~......!.....J.K.H.............pN.............P.~.....o.....W..(.......~......s.>......%c.....o.....R.z.q..........................n.h................e.....i..........:.J.1. .E.3.E.Q.I..........Untitled.....QHelp.....8..9.0.Q.1. .F.3... .E.D.A.Q. .'.D..Q.,.E.J.9.).:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler........9.0.Q.1. .%.F.4.'.!. .'.D./.Q.D.J.D.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....>..9.0.Q.1. .%.F.4.'.!. .,./.'.H.D. .A.J. .'.D.E.D.A.Q. .%.1........... Cannot create tables in file %1......QHelpCollectionHandler.....L..9.0.Q.1. .*.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_bg.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10599
Entropy (8bit):	5.192287379770591
Encrypted:	false
SSDEEP:	192:jhYkcd7CYBdmfIOeX3byuJRoZXlBYnEpUYR+BJqO5X9pA2NNrxC0zwRK2nMY762A:a71DQIrLuVCnEtR+DquhN5xC0zwKPYHA
MD5:	5538049DA3A1D1D724AB6E11D2E2EDBE
SHA1:	7256BE390B88A053C0252488C443BE42F6F2D92A
SHA-256:	CBCDD1E0BBAE332D80DDB0A286056F17C824FA28D353D7FDF12FC97D9F6FE054
SHA-512:	DD98CAF3A016968EEDC9106C1839DDECC2D109E9E354708BD74B35E766C6A098C1680C0B867EAD9FCE2E2A6D683BE673B8E5DF1A1B2F1AAFDB31910FF833370F
Malicious:	false
Preview:	<.d....!..`.......bgB...(.(.......0T......5w... S.Uj......`.......a[....(..........t..............39..........&..........B<s...4..M^..........q...J..%..O5^...O..)^...I..o>...I...J..%.......#....t...A.8dz..$..D ....Z.k.N...<.k.N.......n.......I..............2>...p................G..."...w....................7..,................^............$a....<.6.>..........#...K...........$1.W.b....._Xn......GN...*..~....-..TH.."..!.....5.K.H..#R.........pN..."......&..P.~...@.o.....v..(.........."8..~......s.>.....o.... ..z.q..........................O.h....!t..........e....mi..'.....\|.(...@.8.G.8.=.0.B.0. .<.>.6.5. .4.0. .5.,. .G.5. .4.>.:.C.<.5.=.B.0.F.8.O.B.0. .2.A.5. .>.I.5. .A.5. .8.=.4.5.:.A.8.@.0...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.........0.1.5.;.5.6.:.0.:..........Note:.....QCLuceneResultWidget.....,. .5.7.C.;.B.0.B.8. .>.B. .B.J.@.A.5.=.5.B.>..........Search Results.....QCLuceneResultWidget....... .

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_ca.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7444
Entropy (8bit):	4.580794980254807
Encrypted:	false
SSDEEP:	192:G8oS34B7n303D37Bn3Jso37cfp3Mg3H373R58noct36R9RFu:GQU7ETrxZvqTXLSoct36Pzu
MD5:	66722ED97BCBFD3DAE3C8264413859AB
SHA1:	400A93B213FCF9BBC9785881EA82ADB9F444CD6C
SHA-256:	ECD4283A660F2CF72849B323810D7EADD063120B6F561E05AA1243A5B280946A
SHA-512:	B898BAC9652D7532384ED5CC53FA62DB55D516421D13F815A3E6D5E80AD4C69555F1A7E6C51F8B0A234614824EEE01D6731458F90D40A585990F84A58B9ABE44
Malicious:	false
Preview:	<.d....!..`.......caB............%.......0T......K:^.....Uj......`.....P..YJ...V.E.4...*...........>...7........B<s.....B\>...6........+.s.....zq.......9.......vR......@.......@.......:....;.8Z....!.g.N......F................t.....D ....z.k.N.......I......^......`#.......2.......G........N...7......N......{..................K...............GN......NO...5.........K.H...@.........pN......V............q..................>...N.........~.....5..%c...:.z.q....i...4....".A.f.e.g.e.i.x. .u.n. .f.i.l.t.r.e..........Add Filter.....FilterNameDialogClass.......N.o.m. .d.e.l. .f.i.l.t.r.e.:..........Filter Name:.....FilterNameDialogClass.......S.e.n.s.e. .t...t.o.l..........Untitled.....QHelp.....`.N.o. .s.'.h.a. .p.o.g.u.t. .c.o.p.i.a.r. .e.l. .f.i.t.x.e.r. .d.e. .c.o.l...l.e.c.c.i...:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....H.N.o. .s.'.h.a. .p.o.g.u.t. .c.r.e.a.r. .e.l. .d.i.r.e.c.t.o.r.i.:. .%.1..........Cannot create directory: %1.....QHelpCollect

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_cs.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	15297
Entropy (8bit):	4.708378368926237
Encrypted:	false
SSDEEP:	384:hmv1gdEYEiNrVhTBvAn1ca1f5lwHoJr0vwuxqsP/5jxA:o1gdEvgbloCof9ixqspW
MD5:	ED228F0F60AE9AEC28AB9171D5AE9590
SHA1:	7F061CF0C699D125A5531E3480C21964452F45EA
SHA-256:	4AC56FC63E400943BAB13F1D4C418502138908E1D488C24AEE6131D3D17552AA
SHA-512:	794CC671C08BFC50980820A6389B9D0D3514619AD0A8F18EFD5554CBBF2482192DF00B9D3B05FEE45F42276E63E2375FB28E193930D426245035B4B0E3E14ED8
Malicious:	false
Preview:	<.d....!..`.......cs_CZB...H.(.......(.......0T......0T......5w...0..Uj......`.......a[......a[....$.......p..........t.......t...........!..1"....T.39....T.39.......s...0......(......7/.................B<s...L..MQ......M^../q..........J..6@.0....B.O5Q..'..O5^..(A..)Q...X..)^......o>..........+....J..6.......4....t.....8dz..5..D ....R.D ......k.A.....k.A.....k.N.....k.N.......n.."....I..........................2...21......2>..........d.............T..G...4...w...!N......&O......&....!..".......#E..,...,.......)....Q..$/...^..$................$a......6.>.. t......5...K.......K....)......5E.W.b..-.._Xa..%a._Xn..%...GA......GN...?......,9..~.......TH..3..!......K.H..4h.........pA...J..pN..........7..P.~.. ..o.....0..(....*..(..........3V..~....T.s.1.....s.>..._.o....0..o....1p.z.q..........'9.....#........^.........h....2................Z..e... .i..8J......(.D.o.v.o.d.e.m. .p.r.o. .t.o. .b.y. .m.o.h.l.o. .b...t.,. .~.e. .d.o.k.u.m.e.n.t.a.c.e. .j.e. .s.t...l.e. .j.e.a.t...

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_da.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	4795
Entropy (8bit):	4.530246422531362
Encrypted:	false
SSDEEP:	96:X82wNlnKfN1LMFy7LsF3ZqBFZjWo0koBLqBXXjGL0qU7UqB7zoElmP5MUu4DZIHU:XM01f7eOnoB8X2s7Vfg5Mi4beXiOUu
MD5:	1D09BEE1FB55A173F7EB39B9A662A170
SHA1:	C77F0A148262A91679F19689E4790B754D45D5D5
SHA-256:	6BB092552A398687119F6D52145F04BF8373977446D8F00C0DCBD56B96829F0F
SHA-512:	BE5A31A6135E8DB024A8B0EB20C4D8EECBF76861F83FF83B4CA97327DB74AD94BB5D77B4E0A59A33B697C32A4EACD61B8C878951F2C545385C74D99FCE56FEE1
Malicious:	false
Preview:	<.d....!..`.......daB.....%.....m.0T......Uj....V.`....................k.B<s.....B\>..........6.+.s...............t.....D ....\|.k.N...9...I...O..2.......G....B...N...O..............!..K...._..........GN...........@.K.H.............pN..............>.....~.....m..%c.....z.q....i..........U.n.a.v.n.g.i.v.e.t..........Untitled.....QHelp.....D.K.a.n. .i.k.k.e. .k.o.p.i.e.r.e. .s.a.m.l.i.n.g.s.f.i.l.e.n.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....6.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .m.a.p.p.e.n.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....V.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .i.n.d.e.k.s.t.a.b.e.l.l.e.r. .i. .f.i.l.e.n. .%.1...........&Cannot create index tables in file %1......QHelpCollectionHandler.....J.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .t.a.b.e.l.l.e.r. .i. .f.i.l.e.n. .%.1........... Cannot create tables in file %1......QHelpCollectionHandler.....P.K.a.n. .i.k.k.e. .i.n.d.l...s.e. .s.q.l.i.t.e.-.d.a.t.a.b.a.s.e.-.d.r

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_de.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7570
Entropy (8bit):	4.550982634910665
Encrypted:	false
SSDEEP:	96:8y/gPmmhL/7LlSivP6kBL7jb0RNUzzpld4UGG3Ik18fLP0L7fGc0OeVP8a8hiAwj:1OD7hx/Bv3oNuFX4iqgv34fZsu
MD5:	3B070D169E3381E2FB081172934AAD00
SHA1:	70886EB7EF566B296D0814BD4C2440AC176699D6
SHA-256:	9962523FBAE9F1E4C3B5C3C16860D059291CB30DC5EBE5A5EDA4C836A03FED1E
SHA-512:	271B730B5A7358E923BBBC6FA074A72DA52FA47E3B7726779EF7034200EDA09BF0E1AE4E7B11B59F76805F48DC285F6EFC245EB9C7F4A748BE82B25CEE1DDCAE
Malicious:	false
Preview:	<.d....!..`.......deB..........B.%.....5.0T......K:^.....Uj....?.`.....f..YJ...V.E.4...............>............B<s...z.B\>...\........+.s...Q.zq....C..9....4..vR...B..@.......@.......:......8Z......g.N......F....>...........t.....D ......k.N.......I......^....\|.`#....I..2....<..G....^...N.........................;..........K....y..........GN......NO...........,.K.H.............pN......V...................."..........>.............~........%c.....z.q....i........".F.i.l.t.e.r. .h.i.n.z.u.f...g.e.n..........Add Filter.....FilterNameDialogClass.....".N.a.m.e. .d.e.s. .F.i.l.t.e.r.s.:..........Filter Name:.....FilterNameDialogClass.......O.h.n.e. .T.i.t.e.l..........Untitled.....QHelp.....\.D.i.e. .K.a.t.a.l.o.g.d.a.t.e.i. .k.a.n.n. .n.i.c.h.t. .k.o.p.i.e.r.t. .w.e.r.d.e.n.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....\.D.a.s. .V.e.r.z.e.i.c.h.n.i.s. .k.a.n.n. .n.i.c.h.t. .a.n.g.e.l.e.g.t. .w.e.r.d.e.n.:. .%.1..........Cannot create directory: %

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_en.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_es.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10704
Entropy (8bit):	4.481291573289571
Encrypted:	false
SSDEEP:	192:q9J9j7e4BQhD0h61nnKz+DJF/45ojDU9V1Wa/rmtIBMH:Wp64ShDnnKz+FhjQpWa/ytoMH
MD5:	9EDF433AB9EE5FC7CF7782370150B26A
SHA1:	A918AE15A0DF187C7789BE8599A80E279F039964
SHA-256:	FD16B279F8CF69077F75E94D90C9C07A2AFFF3948A579E3789F5FFB5E5F4202D
SHA-512:	88245F6FBAAF603A03D7EA2341411AE040791D47C9FF110C6D6CDD8165F0A8BA7A4A0DA5CD543BBE95A4E93FE3A81E95B3664E00C11791FBCB4923E3A80ABC60
Malicious:	false
Preview:	<.d....!..`.......es_ESB...(.(.....7.0T..../.5w... C.Uj......`.......a[....0..........t..............39..........&e.........B<s...D..M^..............J..%p.O5^...I..)^...1..o>.......J..%.......#....t.....8dz..$..D ......k.N.....k.N.......n.......I..............2>....................G...#...w............!.......%..,................^............$a......6.>..........#...K...........$C.W.b....._Xn......GN...\|..~.......TH.."..!.....5.K.H..#f.........pN...j......'..P.~... .o........(....>....."<..~....c.s.>.....o.... ..z.q..........................u.h....!p.......*..e....Qi..'}......(.L.a. .r.a.z...n. .d.e. .e.s.t.o. .p.u.e.d.e. .s.e.r. .q.u.e. .l.a. .d.o.c.u.m.e.n.t.a.c.i...n. .a...n. .e.s.t... .s.i.e.n.d.o. .i.n.d.e.x.a.d.a...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.....2.R.e.s.u.l.t.a.d.o.s. .d.e. .l.a. .B...s.q.u.e.d.a..........Search Results.....QCLu

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_fr.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10922
Entropy (8bit):	4.459946393010639
Encrypted:	false
SSDEEP:	192:w4BIn67/WsmoB3r6M/eYlSbyE7DnvE7pcn9nPJZe7nOFovzcNn7Uhmio+2/p53I/:w4N19fq3n2c9Bucuhmi52/X3Qpam
MD5:	D520C7F85CC06C66715A2B6622BF0687
SHA1:	47292D068172FBC9DC0D9BE2F479E890A37CE138
SHA-256:	687E351C062F688AAFF6CF05218D6017B80B1A1B4238D1D30250A55EE41C5FED
SHA-512:	736B50BB64751B127300BCAFE88888A9D9A2081CBF934EDCFFEF6CEF0575505AFDF714273A97671ABB598AE3D23C8E55F7DCD632FB0AA219ED5F763768576E04
Malicious:	false
Preview:	<.d....!..`.......fr_FRB...(.(.....y.0T....K.5w...!1.Uj....*.`.......a[............5..t..............39....m.....'W.......S.B<s...d..M^.. ...........J..&`.O5^...+..)^......o>.......J..&.......$....t.....8dz..%..D ......k.N.....k.N...D...n.......I...........c..2>..........M.........G...$...w....K..................,................^............$a......6.>...c......$...K....'......%M.W.b....._Xn...j..GN......~.......TH..#..!.......K.H..$Z......,..pN..........'..P.~.....o........(....h.....#4..~......s.>...M.o....!..z.q...........p......L.........h...."^.......b..e.....i..(W......(.I.l. .e.s.t. .p.o.s.s.i.b.l.e. .q.u.e. .c.e.l.a. .s.o.i.t. .d... .a.u. .f.a.i.t. .q.u.e. .l.a. .d.o.c.u.m.e.n.t.a.t.i.o.n. .e.s.t. .e.n. .c.o.u.r.s. .d.'.i.n.d.e.x.a.t.i.o.n...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.e. .:..........Note:.....QCLuceneResultWidget.....2.R...s.u.l.t.a.t.s. .d.e. .l.a. .r.e.c.h.e.r.c.h.e.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_gl.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10891
Entropy (8bit):	4.5087667371046205
Encrypted:	false
SSDEEP:	192:Im7gBZHx4hCTNarW6EJDvoIR765f40wqNcMi/8F/Ihon:v0fHccarW6Eh61wqNcMi/Q/won
MD5:	B62C74793741FC386332A59113E8D412
SHA1:	589CE099F2C1D92581B5CF0E17BE49A2BF0014D4
SHA-256:	7399A248609974773F60866C87B78EA7DFBC4F750313D692F7886CD763883C9F
SHA-512:	D8E1A3B3732662BA572A1387651F2625742710834BEDB41809DA47B5D23020AA1B558B64A00C10C605D1844F0544483163F4A6227CAFFA5ECDABF3BBF4E12D9B
Malicious:	false
Preview:	<.d....!..`.......gl_ESB...8.(.......0T......Uj......`.....`.a[....F..........t..............1"... S.39.......s...!.............'F.........B<s...8..MQ.. ...........J..&S.0.....x.O5Q......)Q...O..o>...{.......#...J..&.......$....t.....8dz..%..D ......k.A.....k.A.......n.......I.................."...21....................G...#...w............[...!...?...........Q...?........$a....v.6.>..........$...K...........%0._Xa......GA...n..........~.......TH..#..K.H..$M.........pA...Z......'..P.~...B.o........(..........#+..~......s.1.....o....!..z.q...e.............................. ..e....wi..((......(.A. .r.a.z...n. .d.i.s.t.o. .p.o.d.e. .s.e.r. .q.u.e. .a. .d.o.c.u.m.e.n.t.a.c.i...n. .a...n.d.a. .e.s.t.e.a. .a. .i.n.d.e.x.a.r.s.e...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.....*.R.e.s.u.l.t.a.d.o.s. .d.a. .p.r.o.c.u.r.a..........Search Results.....QCLucene

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_hu.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10284
Entropy (8bit):	4.674501432335502
Encrypted:	false
SSDEEP:	192:RNY+rCG3e7LBqYqYseBb/FEWBgSn62TdJgDO9esYGY3DtgGh621XlZ/8kWvIMK:4+rheHYYZdBb/pgSn62T/FeVD3DGGh62
MD5:	5A56E9E2ED6ECE3F249D1C2A7EB3B172
SHA1:	D6F079F40FBB813B0293C1D2210BAE7084092FEC
SHA-256:	70F33B569C2942F41C6D634EA6A61CB8D80EB2C7011BAD48EF6DBAE9677960D5
SHA-512:	28947128FC51791CFDBFD3958FAF9B33979DB52C90AE0159EDB01FE6032284EB37BC05187162983A0435560BCEA864B008F499CDB4CE662792599FE20A37972A
Malicious:	false
Preview:	<.d....!..`.......hu_HUB...(.(.......0T......5w......Uj......`.....4.a[....N..........t....".........39..........%..........B<s...8..M^...8..........J..$..O5^......)^...]..o>.......J..$......."N...t.....8dz..#g.D ......k.N...>.k.N.......n.......I..............2>..........a.........G...!...w.......................,................^............$a......6.>.........."...K....m......"..W.b...l._Xn...~..GN......~.......TH..!F.!.......K.H..!..........pN..........%..P.~...<.o........(.......... ...~......s.>...{.o.....c.z.q...K.......v......l.........h.... ........t..e....mi..%.....~.(.E.z. .a.m.i.a.t.t. .l.e.h.e.t.,. .h.o.g.y. .a. .d.o.k.u.m.e.n.t...c.i... .m...g. .i.n.d.e.x.e.l...s. .a.l.a.t.t. .v.a.n...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......M.e.g.j.e.g.y.z...s.:..........Note:.....QCLuceneResultWidget.....&.K.e.r.e.s...s.i. .e.r.e.d.m...n.y.e.k..........Search Results.....QCLuceneResultWidget.......A

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_it.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10612
Entropy (8bit):	4.458970627057882
Encrypted:	false
SSDEEP:	192:nRxcfy71b+myBN16cbc+w45rtlTnzo7uHp3JQJ9cVu4BJ1G82g33vOVrNL/7nEF1:RR4R/fJn9JizTgnqrNL/b0hH2K
MD5:	3639B57B463987F6DB07629253ACD8BF
SHA1:	65935A67C73F19FCF6023FB95030A5ACAF9DA21C
SHA-256:	316FE8D0815E2B4B396895BEB38EF1A40431915B5E054DF80F4C0CD556F26E4B
SHA-512:	AD7CA93D93A69F273CE80BE7F2F477543B9C5F9C7E4D7448223BFF084EA956B626D6837F22D83C5E282688B938F58C29073C4B5C6F26A797F716C14FABF9FFEE
Malicious:	false
Preview:	<.d....!..`.......it_ITB...(.(.....g.0T....y.5w... ..Uj....2.`.......a[............'..t..............39..........&..........B<s...j..M^...h......K...J..%..O5^...K..)^......o>...u...J..%.......#....t.....8dz..$..D ......k.N.....k.N.......n.......I..............2>.................o..G..."...w............-......./..,................^...'........$a......6.>..........#...K...........$..W.b....._Xn......GN......~.......TH.."n.!.....5.K.H..#"......>..pN..........&..P.~.....o.....~..(....p.....!...~....A.s.>.....o.... ..z.q..........................q.h....!0.......*..e....;i..'!......(.L.a. .c.a.u.s.a. .d.i. .c.i... .p.o.t.r.e.b.b.e. .e.s.s.e.r.e. .c.h.e. .l.'.i.n.d.i.c.i.z.z.a.z.i.o.n.e. .d.e.l.l.a. .d.o.c.u.m.e.n.t.a.z.i.o.n.e. ... .a.n.c.o.r.a. .i.n. .c.o.r.s.o...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.......R.i.s.u.l.t.a.t.i. .d.e.l.l.a. .r.i.c.e.r.c.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_ja.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7917
Entropy (8bit):	5.680408580146589
Encrypted:	false
SSDEEP:	192:mP6J37GcBzRjYEPEJJGTnwfJJxb7FTPjzzZBL3/q/I53:mSVqclR5s6Tnwfb7Pj/PL3/q/w3
MD5:	1380A9352C476071BDA5A5D4FED0B6C5
SHA1:	9B737ED05F80FE5D3CD8F588CCEC16BB11DD3560
SHA-256:	AE603B2C0D434D40CDE433FFCBA65F9EE27978A9E19316007BE7FE782A5B8B47
SHA-512:	EC3D68126488C3A163898BACAF7E783217868573635182CAF511ED046B4BE1F99A71FBB24DA607CCB50EDAF70893007AAEE9A6BAAE4C1CD33465A0915AA965DA
Malicious:	false
Preview:	<.d....!..`.......jaB...(.(.....S.0T......5w....'.Uj......`.......a[............u..t............!.39.....................B<s......M^..............J...>.O5^...O..)^......o>.......J...............t...w.8dz.....D ......k.N.....k.N...H...n.......I...........i..2>...<......G......9..G....P..w............i..........,................^..........'.$a......6.>...5..........K............S.W.b...2._Xn......GN...@..~.......TH.....!.......K.H.............pN...........S.P.~.....o.....\|..(..............~....o.s.>.....o.......z.q..................@.........h.....&....... ..e.....i........@.(0.0.0.0.0.0.0n}"_.0nO\b.0L}BN.0W0f0D0j0D0_0.0K0.0W0.0~0[0.0..).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......l..:..........Note:.....QCLuceneResultWidget......i.}"}Pg...........Search Results.....QCLuceneResultWidget.....R0.0.0.0.0.0.0n}"_.0nO\b.0L}BN.0W0f0D0j0D0_0.0.i.}"}Pg.0LN.[.Qh0jS..`'0L0B0.0~0Y0..........VThe search results may

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_ko.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	5708
Entropy (8bit):	5.698914195742074
Encrypted:	false
SSDEEP:	96:elPQHJ6L4c7LaQaFQv2QEhBL+Ejma0W40U0BzlQlcrnUSaTIdspIc18CLRSM3LBY:dHI97W1BbNz1VqqzJpoj5y5uY7OGrWFE
MD5:	CD15674A652C2BF435F7578E119182F8
SHA1:	AEA22E4A0D21396733802C7AB738DDD03737B7D6
SHA-256:	F11C64694E8E34E1D2C46C1A1D15D6BA9F2DB7B61DE4FDF54ECA5AB977C3E052
SHA-512:	88BFA112F4DBC0BFB4013CE0937E5180B4AB4A217FC8A963798C7C86532E794E4A1AD88416AE42F26A1C0631B465A5D69BFE75366E048502F5E21F4115A12F19
Malicious:	false
Preview:	<.d....!..`.......koB............%.......0T......K:^...g.Uj......`........YJ...>.E.4...........z...>..........;.B<s...K.B\>...b........+.s.....zq....[..9....F..vR......@.......@.......:....c.8Z......g.N...7..F....\|...........t.....D ......k.N.......I...m..^......`#....!..2.......G....@...N.................................X..K....{.......i..GN......NO.............K.H..........S..pN...z..V...............................>...........:.~.....i..%c.....z.q....i...s......D.0. .............Add Filter.....FilterNameDialogClass.......D.0. .t...:..........Filter Name:.....FilterNameDialogClass........... ...L..........Untitled.....QHelp.....(...L... ...\|.D. .....`. ... ...L.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....".....0...\|. .... ... ...L.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....2...\|. .%.1... ...x. .L.t...D. .... ... .................&Cannot create index tables in file %1......QHelpCollectionHandler.....,.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_pl.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9673
Entropy (8bit):	4.622652249027856
Encrypted:	false
SSDEEP:	192:TO/7kBL9wGu3wtCnlhLJUBB7oph+mZ18LgP:T8QnwcCnlhdvphpZ18LgP
MD5:	2B68446B69D9AA40B273D75A581D2992
SHA1:	8A09BD38998543B74E2673478EDD54FB4BBDD068
SHA-256:	CC6CB4D8C54086224672F2E49E623C8CB7C0C1CD65B8D5ECD42FC9BA3A6065BD
SHA-512:	F3A3D6A416B3411613B06FC3EE56625D4D4DE80087182AB0D0601E49314861ABEF97D11A15B4C0511911544A59FBC4A4A52F0CCF0FD43F763A76A8922D8E57B6
Malicious:	false
Preview:	<.d....!..`.......plB.....(.......0T....T.5w......Uj... R.`.......a[...............t............2.39....H......6.......n.B<s.. ...M^..._......6.O5^...F..)^......o>...............t.....D ......k.N.....k.N.../...n.......I...W..........2>...w................G.......w............&.......:..,................^...(..... ..$a....?.6.>...$..........K......W.b....._Xn......GN...Y..~......!.....*.K.H...E....."...pN...-.........P.~...}.o........(....1..~......s.>......%c.."..o.....r.z.q............................h................e.....i..#.......N.i.e.n.a.z.w.a.n.y..........Untitled.....QHelp.....P.N.i.e. .m.o.\|.n.a. .s.k.o.p.i.o.w.a... .p.l.i.k.u. .z. .k.o.l.e.k.c.j...:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....>.N.i.e. .m.o.\|.n.a. .u.t.w.o.r.z.y... .k.a.t.a.l.o.g.u.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....H.N.i.e. .m.o.\|.n.a. .u.t.w.o.r.z.y... .t.a.b.e.l. .w. .p.l.i.k.u. .%.1........... Cannot create tables in file

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_ru.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7288
Entropy (8bit):	5.297177914619657
Encrypted:	false
SSDEEP:	192:dBJjvfq7D6X68uBAzlp5W9+yBPZZZMM7vL0PXJL:JKrMEL0PXJL
MD5:	794AF445A5D7082D51BD22683449F86D
SHA1:	3A0C369872B112A1572AA17EEB814B168B225D98
SHA-256:	557B644E6DA5F1EC720EF93965617087E4D1F40B2494CC5AA524CF3796108DE7
SHA-512:	D42C870A16AEE7626BBE24886AD423895529A2F1A51AC2DBC303BC0E4EF9D3241FE894ECA3F7217AD408C8DCEE165CA4B89D84570357B0EB80340A3F72B0A846
Malicious:	false
Preview:	<.d....!..`.......ruB..........\.%.......0T......K:^.....Uj....L.`........YJ...X.E.4...............>............B<s.....B\>............+.s.....zq.......9....B..vR...L..@.......@....G..:......8Z......g.N......F....>...........t.....D ....R.k.N...E...I...W..^......`#....s..2.......G....^...N.........................K.......d..K............O..GN...b..NO.............K.H.............pN...P..V....................g..........>.............~........%c.....z.q....i........$...>.1.0.2.;.5.=.8.5. .D.8.;.L.B.@.0..........Add Filter.....FilterNameDialogClass.........<.O. .D.8.;.L.B.@.0.:..........Filter Name:.....FilterNameDialogClass.........5.7.K.<.O.=.=.K.9..........Untitled.....QHelp.....b...5. .C.4.0.;.>.A.L. .A.:.>.?.8.@.>.2.0.B.L. .D.0.9.;. .:.>.;.;.5.:.F.8.8. .A.?.@.0.2.:.8.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....<...5. .C.4.0.;.>.A.L. .A.>.7.4.0.B.L. .:.0.B.0.;.>.3.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....`

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_sk.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10388
Entropy (8bit):	4.70568613551943
Encrypted:	false
SSDEEP:	192:uPq7iBWseXKkVu4+Qv9zEJ1xGMaLNmBgJqdC6/MxIMt:LWcseV04Xv9zEoLNDJqdX/MxRt
MD5:	75C94E59F1FC5312AE25381C247AF992
SHA1:	E3E5F4582CC5FAFE6DF43644D11484861023C084
SHA-256:	F41E33E1D790BD0D3EB180F1F875BC191FE74773628F25C2CAD95E1402E66867
SHA-512:	959B8F4D57FC9728DD4804322333D1792D45A0EE85615B559E0CA3BD2DEA22E2C8C68C6482AE9425D29C819B0ED27473EDDC82EF4B6ECFFB2E2E7B56E1509B63
Malicious:	false
Preview:	<.d....!..`.......sk_SKB...8.(.......0T......Uj......`.....0.a[....8..........t..............1"......39.......s........... .....%..........B<s...6..MQ..............J..$-.0.......O5Q......)Q...;..o>...........G...J..$......."....t.....8dz..#..D ......k.A...2.k.A.......n..._...I.................. ...21..........e.........G...!...w....Y...........!...........=...Q............$a......6.>.........."...K....i......# ._Xa..."..GA..............~.......TH..!{.K.H.."7.........pA..........%..P.~.....o........(..........!...~....u.s.1.....o.......z.q...c..............................f..e....9i..&-......(.D...v.o.d.o.m. .m...~.e. .b.y.e. .t.o.,. .~.e. .d.o.k.u.m.e.n.t...c.i.a. .s.t...l.e. .n.i.e. .j.e. .z.i.n.d.e.x.o.v.a.n.....).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......P.o.z.n...m.k.a.:..........Note:.....QCLuceneResultWidget.....".V...s.l.e.d.k.y. .h.>.a.d.a.n.i.a..........Search Results.....QCLuceneResultWidg

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_sl.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10363
Entropy (8bit):	4.613473842638716
Encrypted:	false
SSDEEP:	192:vNBqTi7qBCVIQf54EslZ2Jy/L/BnmpP0bX3caK6q1B6/hgIlCCUb0:vjq2+UVT4ESZOYmpP0bX26q1I/yqCCUw
MD5:	3B0AEE27B193A8A563C5CB5C7C4FE60F
SHA1:	C94E832595EC765370553468F87C02DB7E7D138A
SHA-256:	2EC955E662407EBCD8DCDAE5AAA21E4108E0B5B0AEE0E9DB712C27072943535F
SHA-512:	EBC25C378126876F44279E23CA0CF06FC9E7D5F51AD7E3DBDABA7A50C81112EDC1C76F7FD0AF47E447A93C3593BB953A0C9C1FBBFC49494E6B29BF21655F690E
Malicious:	false
Preview:	<.d....!..`.......slB...8.(.....E.0T......Uj......`.......a[............!..t..............1"....;.39.......s....^............$........i.B<s...,..MQ..........}...J..#..0.....Z.O5Q...[..)Q......o>...............J..$I......"W...t...C.8dz..#H.D ......k.A.....k.A.......n.......I.................. P..21....................G...!...w............?...!...3...........Q...+........$a....>.6.>.........."...K...........".._Xa......GA..............~....A..TH..!I.K.H..!..........pA...>......%..P.~...>.o........(....d..... ...~......s.1.....o.......z.q.....................................e....{i..&.....z.(.R.a.z.l.o.g. .j.e. .m.o.r.d.a. .t.o.,. .d.a. .s.e. .d.o.k.u.m.e.n.t.a.c.i.j.o. .a.e. .v.e.d.n.o. .i.n.d.e.k.s.i.r.a...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......O.p.o.m.b.a.:..........Note:.....QCLuceneResultWidget.....".R.e.z.u.l.t.a.t.i. .i.s.k.a.n.j.a..........Search Results.....QCLuceneResultWidget.......R.e.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_tr.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	4629
Entropy (8bit):	4.68793836539357
Encrypted:	false
SSDEEP:	96:BoiK0UD2wMLb7Lqlguotqbww5BLNwWjK0kHU9zuQlUVUfniqthweEIFwC18lLEGA:PXFf7pU75BWWOpcJcVqDFNz8brgyf76r
MD5:	32D6EE3D8EE6408A03E568B972F93BCB
SHA1:	582EE079DBD42000C378E0701D26405750524DBA
SHA-256:	EBDECA0CFEE7A9441DEB800BABFD97C63BC4E421DA885C55B3BD49725EBACD25
SHA-512:	24AAA30B9CB4DB82A57411FBA24A87D70D8B845AE48A6FDA633D0BE6B824B58FDD2F450C2B385F16F49E2F9C6FA0A3124FD0F28594726940F996C66F8F3216CC
Malicious:	false
Preview:	<.d....!..`.......tr_TRB.....%.....[.0T......Uj......`.....$..............L.B<s.....B\>..........4.+.s...............t.....D ......k.N...5...I......2.......G....5...N..........a...............f..K....9..........GN...........@.K.H..........q..pN...t..........>...z.~...../..%c.....z.q....i..........B.a._.l.1.k.s.1.z..........Untitled.....QHelp.....J.K.o.l.e.k.s.i.y.o.n. .d.o.s.y.a.s.1. .k.o.p.y.a.l.a.n.a.m.1.y.o.r.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....2.D.i.z.i.n. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....\.%.1. .d.o.s.y.a.s.1.n.d.a. .d.i.z.i.n. .t.a.b.l.o.l.a.r.1. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r...........&Cannot create index tables in file %1......QHelpCollectionHandler.....N.%.1. .d.o.s.y.a.s.1.n.d.a. .t.a.b.l.o.l.a.r. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r........... Cannot create tables in file %1......QHelpCollectionHandler.....P.S.q.l.i.t.e. .v.e.r.i.t.a.b.a.n.1. .s...r...c...

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_uk.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9750
Entropy (8bit):	5.281035122342072
Encrypted:	false
SSDEEP:	192:eMp79BCN+u8hhbHbny+HJouHgei50JBSfDvbetpP/RIkT:eIhgNgBbny+phiS3SfDDetpP/RRT
MD5:	90A776917D534B65942063C319573CDC
SHA1:	5DF3B213D985A3BBDB476B37B7780D7D7DF17E41
SHA-256:	497CFC473684692EE44D7A3795E8FB2270C57069FD9EB98A615DD29AB9BE8A7C
SHA-512:	B34A019716B50CE8E1E20AC32756B3B0D5802971F7A04F4BDDE2418DA551AFB9742B79E934979DB6FAB9DAC05D7D26A3B19ABA77158321F8D9AAB08AEBBD455A
Malicious:	false
Preview:	<.d....!..`.......uk_UAB...(.(.....?.0T......5w......Uj......`.......a[...............t............K.39....u....."..........B<s...8..M^...j......y...J..!..O5^...Y..)^......o>...o...J..":...... <...t...E.8dz..!3.D ....".k.N.....k.N...d...n.......I..............2>...>......o.........G.......w............E.......e..,................^...S........$a......6.>...'...... y..K........... ..W.b....._Xn......GN...p..~.......TH...4.!.....9.K.H.............pN..........#].P.~...~.o.....N..(....b.........~......s.>.....o.....o.z.q..........................U.h.............D..e.....i..#.......(...@.8.G.8.=.>.N. .F.L.>.3.>. .<.>.6.5. .1.C.B.8. .B.5.,. .I.>. .4.>.:.C.<.5.=.B.0.F.V.O. .4.>.A.V. .V.=.4.5.:.A.C.T.B.L.A.O...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.........@.8.<.V.B.:.0.:..........Note:.....QCLuceneResultWidget.....". .5.7.C.;.L.B.0.B.8. .?.>.H.C.:.C..........Search Results.....QCLuceneResultWidget....... .5.7

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_zh_CN.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	6441
Entropy (8bit):	5.790303416386852
Encrypted:	false
SSDEEP:	192:pB37nBD4H5PCyLDxLSzJPduYx9vja/FIgH9yIFqfs:rTZ4HUAD1S1JFe/F59PFqfs
MD5:	9297A6905B8B1823BF7E318D9138A104
SHA1:	3DB992A1B3BBCAF314B7EA4A000D6334D7492A52
SHA-256:	C02AAA20923F18ADDAB520BE5CB84EFD4C723396BDC24B4C9A72D406F101C7B4
SHA-512:	01F12CEE0AE456D78942A6049E1C77F94B406C8FFB4A5944DE15E54D1C760CDBA13279530A8F29B1443D1BBC647D3AF5436AAD8C43EB3944316C48300B3827E4
Malicious:	false
Preview:	<.d....!..`.......zhB......I....L.0T......Uj......`.......a[...............t....P..@....Z.......<.........39.......s....2.................B<s......MQ..........9...J......31.....0.......O5Q......)Q...^..o>...........(...........J...V...........t.....8dz.....D ....Z.k.A.....k.A.......n.......I...........t..w................!...........o.......D...Q...E........$a......6.>...h...............%._Xa......GA..........._..TH...r.........pA.............P.~.....o.....].~.q.............~......o.....h.z.q...........H..0q....................i........2..S.u...y.`.Q.v.S.V.S..f/V.N:..e.hckcW(..}"_.0............M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......l..............Note:.....QCLuceneResultWidget......d.}"~.g...........Search Results.....QCLuceneResultWidget.....,d.}"~.g.N_..^vN.[.et..V.N:..e.hckcW(..}"_............VThe search results may not be complete since the documentation is still being indexed!.....QCLuceneResultWidget..

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_help_zh_TW.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9301
Entropy (8bit):	5.80411750798786
Encrypted:	false
SSDEEP:	192:4bgIXwsL78BQp4dRDP0ludqODa/wkB/tTWn5dJ6mO8IZiT9Dzz/wI3HyRWqUqS:lI/oS4dR5c/tTWn5/EZA9D/w+H8WqUqS
MD5:	47C3328D3918CF627112BB6C50E30B86
SHA1:	05705603AB3F28402A6C103E1C41DDFF21D140C0
SHA-256:	3697F1660D7F2AC9B37AC33CD1C7ECAE08ADBD26710E7E0076497CCDDC8BC830
SHA-512:	8DE1C3C5A48965CF6D8AA545DA9F0A5C00AE124F3E4153597915E7C0F4CAE1E26723270F58A47AA9FFA4AAF30E6EBA522D4EBAD27DECF17EF108E353E611980E
Malicious:	false
Preview:	<.d....!..`.......zh_TWB......I....[.%.......0T......0T......Uj......Uj....R.`.....>.a[....................g..t....7..@......................39.......s................... .........B<s.....B<s.....B\>......MQ..........[...J...]..31.....+.s...c.0.....U.O5Q......)Q...C..o>.......................J...............t...3...t.....8dz.....D ....R.D ......k.A.....k.A.....k.N...'...n.......I.......I...........[..2....x..G........N......w................!...........:...........Q...&...............$a......6.>...I.......L.......$..K......................_Xa...y..GA...O..GN...........$..........TH...I.K.H................ Y..pA...K..pN.............P.~.....o.....D.~.q......>.............~......~........%c.. ..o.....!.z.q...........#..0q....................i..!Y....(..g.S..f/V.p.N.W(^.z.e.N.v.}"_.uvN-0............M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......P..;............Note:.....QCLuceneResultWidget......d.\.}Pg...........Sea

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_hu.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.6255640074603277
Encrypted:	false
SSDEEP:	3:j2wZC4C/IrLlAlHekfK/gp1MUXaMlI+rwtbWlMiayIPldkOgn:CwDrC+TYIUrIRt6HoiHn
MD5:	5A46979B45C67DD6312F33CCEA2ED7BC
SHA1:	4C56836B1FB10D9903B299CBCB925947D515B4C8
SHA-256:	BB246AABD501E14CED8B1FFC1369E3D5D26567AAE62B3EAD4D94C22FB77C3471
SHA-512:	BDBA4E1731CF254E95B0F1337410937C765E96FBB1D42F1D053033E1511FEE6F50C02705F781F4DAA0347E2299DC78A5A9942AC4EA343ED1F8F401F9ACD961E4
Malicious:	false
Preview:	<.d....!..`.......hu....v.....q.t.b.a.s.e._.h.u.....q.t.s.c.r.i.p.t._.h.u.....q.t.m.u.l.t.i.m.e.d.i.a._.h.u... .q.t.x.m.l.p.a.t.t.e.r.n.s._.h.u

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_it.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.5752972123113778
Encrypted:	false
SSDEEP:	3:j2wZC4C/EbFlAlHeke5zOp1MUWLt7KlI+rwtbWlMj5FKIPldkOA9kk:CwDM+35aIUW5SIRt6Q50oi9Gk
MD5:	2BB8C94D420D3BC344C79A01043BDC89
SHA1:	3FBA773D58E6D3699C20AB41AEE6801E71E2DDAE
SHA-256:	9117AAC2D07BC86DFA55A29B8825ED27C7093300FCC90E143E135E00E85F09D7
SHA-512:	C6B13655AFB206B0056F5656B4A9BF33CC267FCC928F6973258131CFA6443970510226FE45A041E5AA988809E17D0B11C7458F4A241C71521EDED186596C6055
Malicious:	false
Preview:	<.d....!..`.......it....v.....q.t.b.a.s.e._.i.t.....q.t.s.c.r.i.p.t._.i.t.....q.t.m.u.l.t.i.m.e.d.i.a._.i.t... .q.t.x.m.l.p.a.t.t.e.r.n.s._.i.t.......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_ja.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.599979504080125
Encrypted:	false
SSDEEP:	3:j2wZC4C/il/lAlHekd6hY1MUV6JAlI+rwtbWlMgel3UlIPldkOG:Cwz4+pjUGAIRt6qVUloiB
MD5:	8A1EE3433304838CCD0EBE0A825E84D8
SHA1:	2B3476588350C5384E0F9A51FF2E3659E89B4846
SHA-256:	23457CE8E44E233C6F85D56A4EE6A2CECD87C9C7BDDE6D8B8A925902EED1CD9C
SHA-512:	2D8ACD668DF537E98B27161F9FA49828EB2EB6E9CF41DB38E7F5D31F610D150CD1B580A8AE9B472A4DFDE4D4BF983C24A56293BB911CF5879368664E4D4CF3D2
Malicious:	false
Preview:	<.d....!..`.......ja....v.....q.t.b.a.s.e._.j.a.....q.t.s.c.r.i.p.t._.j.a.....q.t.m.u.l.t.i.m.e.d.i.a._.j.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.j.a

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_ko.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.652277257665055
Encrypted:	false
SSDEEP:	3:j2wZC4C/rrr/lAlHekcQ/01MUUQMlI+rwtbWlMhQGlIPldkORn:CwCC+1Q/UUpIRt6SBloimn
MD5:	7B2659AF52B824EAC6C169CDD9467EE9
SHA1:	5727109218B222E3B654A8CC9933E970EB7C2118
SHA-256:	4CC1AF37E771F0A43898849CFF2CD42A820451B8D2B2E88931031629D781DB05
SHA-512:	E9475AC80BDBBEFF54F2724A2B6BA76992F18FD1913FD8EE1540A99FD7A112B79FED5A130B6AC6D7460E4420C06354FC6E4CF7770A7C6CBD3EAC1BDAF0082DE5
Malicious:	false
Preview:	<.d....!..`.......ko....v.....q.t.b.a.s.e._.k.o.....q.t.s.c.r.i.p.t._.k.o.....q.t.m.u.l.t.i.m.e.d.i.a._.k.o... .q.t.x.m.l.p.a.t.t.e.r.n.s._.k.o

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_lt.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165383
Entropy (8bit):	4.805977227348512
Encrypted:	false
SSDEEP:	1536:i5v3+zmayloj6yJjhnBAbnrKnGrhA7WgdXclIsooY9i:SvOzAloj6yJ9BA7riGr+7WKXc+s5ui
MD5:	8992B652D1499F5D2F12674F3F875A35
SHA1:	E22766A49612F79156C550D83C6C230345DDA433
SHA-256:	47EB5F97467DF769261421D54A5BEA1131C9FB9B6388791D38BB6574335B64BF
SHA-512:	9B8B6DBFF432F2A46C14BC183A6BAF84ACBF02BF2C5BB8C306C6538FBD9BE1C0A9015BD46728F2F652F9163AFC56B1E16D16EB95D8F7728F3C562AE9F4F1AE1E
Malicious:	false
Preview:	<.d....!..`.......ltB..0X.....)C...+...\|......P....@..9....A..9....B..:....C..:....D..;....E..;....F..<6...G..<....H..=)...I..=....P..>q...Q..>....R..?....S..@f...T..@....U..A\...V..B....W..B....X..C....Y..Cy...]..k....t..........t>......th......t.......pd...;..J'...;.._h...;.......;...{...;..J....;...)...M..l....O...R...O...............}..l9...m..lo......^S..(5..P{..+;..4...+;......+;......+O..4...+O......1...^...E@..?p..F...C...H4......HY......H.......I...D...I@..s...IA..t...IC...2..J.......J....Y..J.......J.......K...9...LD...`..L.......PS......R.......T...q...Zr...`..[`......[`..&@..\....e..\....b.._......._....P..1........E..........5........L..1...O...1...PP......7......../...........$.......$.......,.......y.......y..........K^..............x......8................L...E.......E.......E......................%..:....%.........0U.....W......Zo.....^....5.......0..I....0...F...0...\|...0.......0.......0..+\...5...}.......... D...g.. D......+....j..,.......,.......<U...+..<U

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_lv.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.156834975253888
Encrypted:	false
SSDEEP:	3:j2wZC4C/HzllldQlHekbxplUp1MUTJ+b:Cwv+DIUEb
MD5:	19F1B919BB531E9E12E7F707BEBD8497
SHA1:	46E82683CEA28D877C73A5CE02F965BB1130FC62
SHA-256:	03467738042A15676E504BA02CB326DCDB773B171FADA3CD62B7A0E0564314A0
SHA-512:	901D7B26CAC7A4D0FFDB39A1D25767B5BC71BED4AFBE788D70BF19D4C58A8295167111675AB45E743FDF4768AF874D69417414C01CF23D5C525A3F6C8BF7D21F
Malicious:	false
Preview:	<.d....!..`.......lv....0.....q.t.b.a.s.e._.l.v.....q.t.s.c.r.i.p.t._.l.v........)....

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_pl.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	161
Entropy (8bit):	3.8693516202048612
Encrypted:	false
SSDEEP:	3:j2wZC4C/5J/p/lAlHekHp/7KlI+rwtbWlM6Tl/z21MUPp/FOlIPldkOjehB:Cwr+26IRt6nFURkloiT
MD5:	D71EA9FEFD97464B178235150EC8759E
SHA1:	61026FE602FD1B8B442A0D341C6BD759EEC75488
SHA-256:	BD7DD0C2CAB119A973DC10C3BFF7499D9728B928B541F86056921B30C8DB78E6
SHA-512:	ECD76A7D8B8D733E635B2BFEA90A4CD387B83D9D8A4EB6D299F59FF22AAA8D617A4C886A825A1CDDD901925C7839E2C18BDD4E0CD84152641922B66B62663F77
Malicious:	false
Preview:	<.d....!..`.......pl....v.....q.t.b.a.s.e._.p.l.....q.t.m.u.l.t.i.m.e.d.i.a._.p.l.....q.t.s.c.r.i.p.t._.p.l... .q.t.x.m.l.p.a.t.t.e.r.n.s._.p.l............,..

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_pt.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	70334
Entropy (8bit):	4.732724622610353
Encrypted:	false
SSDEEP:	768:OKGUuWW+WHjS0gMBd483+Y7bDPs4RHBloLUIltlzAJnx4nnliM1OPlOibLG:JGUuWPuSgm0Jn+n4Mhj
MD5:	6656500F7A28EF820AE9F97FD47FB5BB
SHA1:	CC112B9C9513BCF7497F3417168B4C8A9F7640A9
SHA-256:	2C1E7BBF5168A64B43752DD4C547601C0BDE6D610F8671FA3E3AF38597E84783
SHA-512:	5C3CBFCF86AF6B4D949C1D914CD379E512E73BA350AF661033A386EE7FB981FBFCB43D9A35FDE7656E17BB09F64F1469F84867A780573C3359D645269461D5A6
Malicious:	false
Preview:	<.d....!..`.......pt_PTB...(......9...+...e...]..6....;.......;..-....;..;`...;..};...;.......M..6....O... ...O...w...........}..7....m..7B..........+;......+;..8S..+;..>...+O......+O..8#..H4......H.......J......K.......LD...)..L....}..PS...l..Zr...B..[`...;..[`.....\...kU.._......._.......1...?...............8...............E............,..................p........0...............v...........%...O...%..G........4...0.......0..:....0..y....0..\|....0.......0...X...5.......5...... D..=... D..Kn..+....L..,...>...,......<U..z...<U......<.......F...>...F.......H5...4..H5..=...H5..K...H5......f....p..f...1...f...;...f...I...f...\|H..f.......f.......l....................b......<...............>.......L ...........`......`..._.......A......2....e...g...e..>D...e..LW................y...,..y......y..o...y......T..L...0..'..*.0....+F...y..+F......+f......+f...C..+.z..0..+.....d.+....p0.+.....R.+.z..0U.+.....u.+....8..+....Ct.+....L..+....y..+.....Z.+......+...pc.+.....+....0..

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_ru.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	164
Entropy (8bit):	3.984562388316898
Encrypted:	false
SSDEEP:	3:j2wZC4C/oZlAlHekF8Op1MUNKJKlI+rwtbWlM4KKIPldkOSxRMugB:CwY+GIUgcIRt61oihM3
MD5:	F7A8C75408B9A34A2B185E76F51B7B85
SHA1:	065E987139C5FB809A6F9CDF3845BCD79707FDBB
SHA-256:	6492B267608C6FB76907BD8FCFC8F1EF57E9F4EBBC2E81ACA81715A88388F94A
SHA-512:	E768C5B438EC899801B22B1325F2244ACCC5E7C2EC5D270F510BC3CBC2D9A0536949C026DB7FB5862835E506A9F2020DEB2CC4001E7011FF974324542734F855
Malicious:	false
Preview:	<.d....!..`.......ru....v.....q.t.b.a.s.e._.r.u.....q.t.s.c.r.i.p.t._.r.u.....q.t.m.u.l.t.i.m.e.d.i.a._.r.u... .q.t.x.m.l.p.a.t.t.e.r.n.s._.r.u........)......,..

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_sk.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	157
Entropy (8bit):	3.7731953311404336
Encrypted:	false
SSDEEP:	3:j2wZC4C/3xRlAlHekE8lgp1MUM8lMlI+rwtbWlM5UllyIPldkOfll6kchn:CwS0+t8CIUM86IRt6KUlsoi2CVh
MD5:	24C179481B5EF574F33E983A62A34D53
SHA1:	0A67F1ED8CA4A5182F504806F8D47D499789F2D2
SHA-256:	B6ADFFD889FF96BF195CB997327E7D7005A815CAD67823FA6915A19C2D9BB668
SHA-512:	4757F3693120DAB2FBB7BCF1734EA20B3E3D9056B4B4E934A3129D660CFDC6C58B230459DB55912AF24AD5692BD221830BE0FF91E41D3EECD9439E79AC23FFE6
Malicious:	false
Preview:	<.d....!..`.......sk....v.....q.t.b.a.s.e._.s.k.....q.t.s.c.r.i.p.t._.s.k.....q.t.m.u.l.t.i.m.e.d.i.a._.s.k... .q.t.x.m.l.p.a.t.t.e.r.n.s._.s.k...........

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_sl.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	228428
Entropy (8bit):	4.726953418955661
Encrypted:	false
SSDEEP:	3072:9zQH0hOtgmiAZu0eeAEv+v49JnnSmICgr3n7jhCQUeinqyU5UggtRLGrQ2LZO+Y1:RpUsSpGr36wsR
MD5:	D35A0FE35476BE8BD149CEE46E42B5E9
SHA1:	9F3C85C115A283E5230D1EEAD84C8CB73A71FA03
SHA-256:	C44E0313A9414CC0E490B65B0C036FA11BCA959353B228886547BC2C8492034F
SHA-512:	BEEB1751882AF081E80BE93F7464D4C6322B724EFA2CBD3E1CBE709181D380C1C57E770FA962BB706D6FCF4A8CB393E3F6E187C1F604F8CEEFB201CA3200BD1C
Malicious:	false
Preview:	<.d....!..`.......slB..<....*.......+.......@...C...A.......B...<...C.......D...2...E.......F...d...G.......H...W...I.......P.......Q.......R.......S...x...T.......U...n...V...%...W.......X.......Y.......]..g~...t...V.......f..................................;..G....;..[....;...q...;..ia...;... ...M..g....O.......O.......[..,e...........}..g....m..h........Q..(5......+;..2...+;...b..+;...i..+O..2...+O...4..1......E@......F.......H4......HY...%..H.......I.......I@......IA...9..IC......J...6...J.......J.......J...^...K...7...LD......L....n..PS...U..R.......T....=..Zr......[`...V..[`......\...!,..\...8U.._..."b.._.../h..1.......E...9......4...............5........e...................$...<...$..Z....[.......,.......y...L...y..].......H.......@.......J.......6........~..........E...O...E..+....E...~..............,1...%..8r...%...........^..............................5.......0..Gx...0.......0..P....0..h....0.......0.......5...^.......... D...... D......+....`..,.......,...-...<U

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_sv.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	65851
Entropy (8bit):	4.7906769989650515
Encrypted:	false
SSDEEP:	1536:4u6DkpgyKmRmG15mGM6iFPi6Q/qTlOQZY2dKN8gKw:4u6DotUG1sGMZPi6Q/qTlO2Y2YKw
MD5:	0E85E0E0E7DDFE3D4BDE302F27047F9C
SHA1:	AE59348E0C2E4F86F99DA6CF5DAB3B7E92504B7C
SHA-256:	4B4B6FF7FD237C9DA0301B4946132E68653D15EB5FAF38E4C5FBFEBB12DD97F7
SHA-512:	8CAAB6C61E9FA26A3A289A9E4DC515D157B3092D6D4ED43861220261BD2B7CC79B35B52F9ADE4EF558B5385B37EAC14575420DD55C475F435BB95B6C1E2561B6
Malicious:	false
Preview:	<.d....!..`...B..............+...i...]..6....;.......;..-f...;..:;...;..t....;.......M..64...O.......O...........q...}..6\...m..6........(..+;......+;..7...+;..=...+O......+O..7c..H4......H.......J.......K....F..LD...+..L.......PS...N..Zr......[`...7..[`...N..\...h4.._....J.._....k..1...>...............7........}......D............,.................i....................................%.......%..Fc.......6...0.......0..9....0..q....0..t....0.......0.......5.......5...... D..<}.. D..I...+.......,...=X..,.......<U..r...<U...n..<.......F...=...F....F..H5......H5..<...H5..J4..H5......f.......f...1V..f...:f..f...H;..f...t&..f.......f.......l..................8......;z..............<.......Je.......6...`...&...`...!.......9......1....e.......e..=....e..J..............g...y......y.../..y..h...y......T..J...0..'[..0...K.+F...q..+F.....+f......+f...A..+.z../..+.......+....i`.+.....X.+.z../..+.....S.+....7..+....Bi.+....K..+....q..+.......+......+...i..+.....+....0..F0i.....G.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_tr.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	110
Entropy (8bit):	3.630483009136986
Encrypted:	false
SSDEEP:	3:j2wZC4C/7zl9lAlHekDN/01MULV4LlI+rwtbWlM+N:Cw5+wUGRIRt6n
MD5:	16CDF5B9D48B0F795D532A0D07F5C3A0
SHA1:	6E403C9096B3051973E2B681DFEBBC8DD024830D
SHA-256:	F574A2CFD4715885C3DBDF5AE60995252673BD94FDAA9586F7E0586F6C1AC0EE
SHA-512:	36A0431368010157EA8A45DCB00458076CCFFC08B37E443DEBD1AAD4A30C6080803337725A7A3DCBF2B410DC7BE89CEAF6C07C46F876E4EF5B08159E3BF38E6D
Malicious:	false
Preview:	<.d....!..`.......tr....R.....q.t.b.a.s.e._.t.r.....q.t.s.c.r.i.p.t._.t.r.....q.t.m.u.l.t.i.m.e.d.i.a._.t.r

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_uk.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	164
Entropy (8bit):	4.021402900389864
Encrypted:	false
SSDEEP:	3:j2wZC4C/ZlRlAlHekCczOp1MUKUt7KlI+rwtbWlM/cFKIPldkONRMugB:CwUl0+rjIUKUcIRt6M/oioM3
MD5:	9B101363343847FE42167183320C03F0
SHA1:	F0DF2CFF913E588B7CADFDABBF69F4F632B2F96A
SHA-256:	F1621E680E1642F9463E4B07E7E78B50F9A7BDB7C321D7302039CB3405CBDEA4
SHA-512:	DA14FDF8DB514902733CAAC492293873351C595EBBE0ACB0849BECE24AB822602EE64D01051F1426CD1FC13A95D8607302CF9B515D9806FDD3BD047087DE447C
Malicious:	false
Preview:	<.d....!..`.......uk....v.....q.t.b.a.s.e._.u.k.....q.t.s.c.r.i.p.t._.u.k.....q.t.m.u.l.t.i.m.e.d.i.a._.u.k... .q.t.x.m.l.p.a.t.t.e.r.n.s._.u.k........)......,..

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_zh_CN.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	117347
Entropy (8bit):	5.8593733369029195
Encrypted:	false
SSDEEP:	1536:51dXW89nqEFu54aekvRzHHSVuf8j2+/xc3lhnbsfdAoz/w:v9qEFeLekvRznSVHJG3lhn+djY
MD5:	0D02F0DE5A12BCB338B7042DFBDAACF3
SHA1:	B7C10D249D8986AD8C6939B370407D07227A39F5
SHA-256:	28CDE75D7B32C81FEF1D4630C37B79A61DEC24B357632FF00D6365A57D8BE43B
SHA-512:	21F02EBA36B4411921EA3C70310B8E454E8FC2B8F09957FD6A63B71689DC381F7A5E2C3BDF2810734D659AB43D8A7BD46EF6436ECC52F75C71B5F5C313365444
Malicious:	false
Preview:	<.d....!..`.......zhB..+...........+.......@.......A...8...B.......C.......D.......E...V...F.......G...L...H.......I...9...P.......Q...e...R...^...S.......T...T...U.......V...\|...W.......X...o...Y.......]..4 ...;...2...;..,....;..8....;.......;.......M..4H...O.......O...........#...}..4p...m..4........N..(5......+;...f..+;..6Y..+;..<...+O...8..+O..6'..1......E@......F....Y..H4..."..HY..J...H.......I.......J.......J.......K....5..LD..._..L......PS...V..Q....6..R...N...W..../..Zr.....[`.....[`......\...lU.._......._....L..1...<........j......6...............B........I...$..K....$.......,...g...y...3.......A......r...........................9..L7......;w...E..5b...E...G.......5...%.......%..D........`..............................0.......0..8W...0..}y...0...6...0.......0.......5.......5...... D..:... D..J...+....R..,...;...,......<U..~...<U......<......F...;...F......H5...i..H5..:...H5..Jk..H5...w..VE...[..f....u..f...0X..f...9...f...E...f.......f.......f....j..g....A..l.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qt_zh_TW.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	141
Entropy (8bit):	3.7198292994386235
Encrypted:	false
SSDEEP:	3:j2wZC4C/0N6xg/Rl/gl+kNXDelHrwtbWlMwTolIPldkOfDn:CwOO2+g6Mt63oloiUn
MD5:	ED4135D705AEF3D97F8BF6B8FF11F09C
SHA1:	308E2B8F74B863A61AD0B68F4A18ED06965EBEAA
SHA-256:	751ECDA0C33E061D91241268357FBD2F6B7F70A1116E714F28D22EFD61EC7A1A
SHA-512:	B6E6D00553A9C427130129B9D30E862028E549F372A832F0F05747C8E2A79E443F4932EC3AE177537C8BA00D26B5B6CB97D5B35426AB5229F6A468CA485BE0B1
Malicious:	false
Preview:	<.d....!..`.......zh_TW....n.....q.t.b.a.s.e._.z.h._.T.W...$.q.t.m.u.l.t.i.m.e.d.i.a._.z.h._.T.W...&.q.t.x.m.l.p.a.t.t.e.r.n.s._.z.h._.T.W

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_ar.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	160017
Entropy (8bit):	5.35627970915292
Encrypted:	false
SSDEEP:	1536:XGlAMfkX1M0RdaCkR8lfv8vtc8EFrVYA2I4AJZWEWgHg1C8COvzHKHC6Jp9NV0V7:XUr0RACkIwDEpV1Lgf1ubtw3Bb
MD5:	A7E4D0BA0FC5DF07F62CC66EC9878979
SHA1:	21FD131B23BDD1BBA7BBB86F3ED5C83876F45638
SHA-256:	E03FE68D83201543698FD7FE267DD5DFC5BFD195147E74FF2F19AC3491401263
SHA-512:	D9E6B10506FCF20B5B783F011908083D9DF6C5DF88E21B10D07F53A01AD6506A4B921C85335A25BAE54E27BAD7D01B6E240D58FDEEAABC7FF32014EC120C2ECF
Malicious:	false
Preview:	<.d....!..`.......arB..2....*.......+.......@.......A.......B..._...C......D.......E......F.......G... ...H...D...I...h...P...C...Q...g...R......S.......T.......U.......V...x...W......X.......Y.......]..'=...s......t...........]...........;..'....;..(....;.......;.......M..'e...O.......O...9...........}..'........C...=......m..'....t..........!o..(5...Z..+;..5u..+;..c...+O......1...!...D@...8..E@.....H4...,..HY..QI..H.......IC......J....1..J.......J.......LD......L.......PS......QR...R..R...V2..T.......U....]..X.......Zr.....[`......\....t..]x......_......._.......yg......1...6....E..8V..............C............................$..RN...[...0...,.......y.......y...................K...........9..R....E.."............z.......................%..F;...D...[..................................!....5.......0...I...0.......0...5...0..#....5.......5...p..............W}.. D..(... D..P=..+.......<U......<U......<.......H5..(...H5..P...L.......VE......VE......V....B..f...JJ..f.......f.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_bg.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165337
Entropy (8bit):	5.332219158085151
Encrypted:	false
SSDEEP:	1536:9ULiyUxPoT6qx+J7FJlaaMJnxjqxq+0Uiff0mbVeb7wiEwYuYqDKBkKHMXHCIMll:9ULpIVFnpwUiEujw27ncUQUz
MD5:	660413AD666A6B31A1ACF8F216781D6E
SHA1:	654409CDF3F551555957D3DBCF8D6A0D8F03A6C5
SHA-256:	E448AC9E3F16C29EB27AF3012EFE21052DAA78FABFB34CD6DFF2F69EE3BD3CDB
SHA-512:	C6AE4B784C3D302D7EC6B9CE7B27DDAF00713ADF233F1246CD0475697A59C84D6A86BAA1005283B1F89FCC0835FD131E5CF07B3534B66A0A0AA6AC6356006B8F
Malicious:	false
Preview:	<.d....!..`.......bg_BGB../......,....+..."...@...]...A.......B.......C.......D...P...E...!...F.......G.......H.......I.......P.......Q.......R...A...S...e...T.......U.......V.......W...1...X...U...Y...y...]..,....s...,...t...................P...;..+....;..-E...;..!....;..+....M..,Y...O...,...O..............}..,............=...Q...m..,....t...\|......>...(5..1...+;..<...+;..o...+O...r..1...>...D@......E@......H4......HY..[...H.......IC......J....E..J....X..J.......LD......L....L..PS......QR.."...R...`...T....X..U.......X.......Zr...q..[`...`..\.......]x......_......._....T..yg.....1...=....E..?...............L(.......(...............'...$..\....[.......,...I...y...!...y...................S...........9..]%...E..5p...........z..!q...................%..O....D..................D.....8......:......?....5...&...0.......0.. ....0...c...0..5....5.......5..................b:.. D..-... D..Z...+.......<U......<U...0..<.......H5..-...H5..[...L.......VE..#a..VE..;...V.......f...T...f...!..

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_ca.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	210159
Entropy (8bit):	4.666388181115542
Encrypted:	false
SSDEEP:	3072:P/DVhdlafzvZfeW+6kXEVjSVPzC3ceKdP2:xYf7UW+WjwP2
MD5:	B383F6D4B9EEA51C065E73ECB95BBD23
SHA1:	DD6C2C4B4888B0D14CEBFC86F471D0FC9B07FE42
SHA-256:	52E94FCC9490889B55812C5433D009B44BDC2DC3170EB55B1AF444EF4AAE1D7F
SHA-512:	9401940A170E22CE6515E3C1453C563D93869A3C3686C859491A1F8795520B61BF3F0BFE4687A7380C0CC0C75E25559354FDB5CEF916AF4C5B6CD9661464A54A
Malicious:	false
Preview:	<.d....!..`.......caB..7....*.......+.../...@..:P...A..:t...B..:....C..:....D..;=...E..<....F..<Z...G..<~...H..<....I..<....P..>....Q..>....R..?....S..?R...T..?v...U..?....V..?....W..@....X..@<...Y..@`...]../....s..1....t..........2s......#p...;.......;../....;..W....;..e+...M../3...O.......O..9.......J....}../]......8....=..9....m../....t..9Y.......S..(5..lB..+;.._...+;...=..+O..U...1.......D@..:...E@..?...H4...J..HY..~...H..."...IC...0..J....W..J....0..J.......LD..!...L...!f..PS..)...QR.."...R.......T...9~..U...9...U...z...X...>...Zr..E...[`...e..\...LD..]x..7U.._......._...M...yg..f...1...a....E..c....7.........U.......p........b.......4.......K...$.......[.......,.......y.......y...................^...........9...:...E...s...... (...z..":.......d......!....%..tQ...D.."......."......2......ve.....y...........5..#H...0...\...0..W+...0..';...0.......5..(....5..........)s.......... D..0w.. D..}...+...1...<?..5x..<U......<U..5...<...6@..H5..0...H5..~...L...9...VE..$...V...SV..f.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_cs.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	174701
Entropy (8bit):	4.87192387061682
Encrypted:	false
SSDEEP:	3072:5WjuhX0CVRaakGjW9E8SSOQfX/JlwVOMxrboRPqWxXfQvO7zjBf:5iFGj1QfXr8Gd
MD5:	C57D0DE9D8458A5BEB2114E47B0FDE47
SHA1:	3A0E777539C51BB65EE76B8E1D8DCE4386CBC886
SHA-256:	03028B42DF5479270371E4C3BDC7DF2F56CBBE6DDA956A2864AC6F6415861FE8
SHA-512:	F7970C132064407752C3D42705376FE04FACAFD2CFE1021E615182555F7BA82E7970EDF5D14359F9D5CA69D4D570AA9DDC46D48CE787CFF13D305341A3E4AF79
Malicious:	false
Preview:	<.d....!..`.......cs_CZB..3p.....F....+.......@..!....@..Ef...A..!....A..E....B.."1...B..E....C.."U...C..E....D.."....D..F....E..#p...E..F)...F..#....F..FP...G..#....G..Fw...H..$....H..F....I..$6...I..F....P..&%...P..Gr...Q..&I...Q..G....R..&....R..G....S..&....S..H....T..&....T..H8...U..'....U..H_...V..'Z...V..H....W..'~...W..H....X..'....X..H....Y..'....Y..H....]..,....]..,....s.......t...9..................;.......;..+....;..1B...;......;..?x...;..N....;..iY...;..s3...M..,B...M..,....O.......O...w...O..rr...........}..,j...}..-....... 5...=.. ....m..,....m..-8...t.. .......ay..(5..TT..+;...A..+;..B...+;..u...+O......+O..=a..1...a...D@.."...E@..&m..E@..G...F...J...H4...=..HY..`...H.......I...J...IC......J....-..J.......J.......LD......L....(..PS.....QR.."S..R...e...T.... ..U......X.......Zr...g..[`......\......]x......_......._......._...v...yg......1...C....E..E...............=.......Q........................s...$..a....[.......,.......y.......y...y..............G..........

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_da.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	181387
Entropy (8bit):	4.755193800761075
Encrypted:	false
SSDEEP:	3072:XzswP2UvZ5aZ9jFTkmq/gnBNW/+PcWrqm2Vliz0DGdaS4KSLZjwTTgwUR0toT:j3m27AjCT
MD5:	859CE522A233AF31ED8D32822DA7755B
SHA1:	70B19B2A6914DA7D629F577F8987553713CD5D3F
SHA-256:	7D1E5CA3310B54D104C19BF2ABD402B38E584E87039A70E153C4A9AF74B25C22
SHA-512:	F9FAA5A19C2FD99CCD03151B7BE5DDA613E9C69678C028CDF678ADB176C23C7DE9EB846CF915BC3CC67ABD5D62D9CD483A5F47A57D5E6BB2F2053563D62E1EF5
Malicious:	false
Preview:	<.d....!..`.......daB..4......h....+......@...f...A.......B.......C.......D...U...E.......F...v...G.......H.......I.......P.......Q.......R...6...S...Z...T...~...U.......V.......W..."...X...F...Y...j...]..+....s.......t..................-...;..+....;..,....;../....;..;....M..+....O.......O...r...........}..,............=...8...m..,0...t...c......T...(5..B...+;..NH..+;..~H..+O..,...1...UP..D@......E@......H4...E..HY..j...H.......IC...#..J....J..J.......J.......LD......L....1..PS...B..QR......R...o...T.......U.......X.......Zr......[`...W..\....}..]x...[.._....-.._.......yg...e..1...O....E..R....7..........-!......]............................$..k....[...7...,.......y...c...y.................j4...........9..l8...E..p............z...;..................%..a....D...~.............-.....L......OH.....Uz...5.......0.......0...U...0.......0..p....5...7...5..L$..............p... D..-... D..i...+....@..<U.....<U.....<....S..H5..-2..H5..j$..L....B..VE.. ...VE..P...V......f...e...f.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_de.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	220467
Entropy (8bit):	4.626295310482312
Encrypted:	false
SSDEEP:	3072:7w8go8+ph6JVB8XVXYWpSNEeg8+vaD+p4N8DDiEKugwGZulh15ce4M+4NsPYXCZW:88h8Sj286tTiDD
MD5:	40760A3456C9C8ABE6EA90336AF5DA01
SHA1:	B249AA1CBF8C2636CE57EB4932D53492E4CE36AC
SHA-256:	553C046835DB9ADEF15954FA9A576625366BA8BFD16637038C4BCD28E5EBACE1
SHA-512:	068E55F39B5250CC937E4B2BD627873132D201D351B9351BE703CD9B95D3BAFB4BD649CB4DF120A976D7C156DA679758D952CAC5E0523107244E517D323BC0C5
Malicious:	false
Preview:	<.d....!..`.......de_DEB..7....*.......+..3....@..R....A..R....B..S....C..S@...D..S....E..T]...F..T....G..T....H..T....I..U#...P..W....Q..W6...R..W....S..W....T..W....U..W....V..XG...W..Xk...X..X....Y..X....]..2%...s..J$...t..9R......J.......B....;..1....;..3....;..q....;.......M..2O...O.......O..X@......ia...}..2y......Q....=..Q....m..2....t..Q...........(5......+;..ev..+;......+O..oh..1....4..D@..R...E@..WZ..H4..4...HY...[..H...AY..IC..>o..J...>...J.......J...>6..LD..@A..L...@...PS..I...QR..#...R....h..T...W...U...Xh..U....~..X...]...Zr..e(..[`..)...\...j...]x..O..._....K.._...lI..yg...U..1...f....E..i....7..........o.......wG......6.......6.......8....$...n...[..8....,..9....y.......y..=................3......>....9.......E..."......?_...z..#d.......0......A%...%..z....D..A.......B......KP......2.............^...5..B....0.......0..p....0..F....0...}...5..G....5..........H........... D..3}.. D...O..+...Q...<?..Ti..<U......<U..T...<...U)..H5..3...H5......L...X...VE..%j..V...l..

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_en.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_es.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165170
Entropy (8bit):	4.679910767547088
Encrypted:	false
SSDEEP:	1536:JVwzuvb+Ta64KQd84arHX5pxiVhA8QlOD/BnFNa8NsvsfFsfcoZtIx6F:JVwSTG4KqVaLX5pEVK7OJFczstgRtIx8
MD5:	C7C58A6D683797BFDD3EF676A37E2A40
SHA1:	809E580CDBF2FFDA10C77F8BE9BAC081978C102B
SHA-256:	4FFDA56BA3BB5414AB0482D1DDE64A6F226E3488F6B7F3F11A150E01F53FA4C8
SHA-512:	C5AED1A1AA13B8E794C83739B7FDDEAFD96785655C287993469F39607C8B9B0D2D8D222ECD1C13CF8445E623B195192F64DE373A8FB6FE43743BAF50E153CDA5
Malicious:	false
Preview:	<.d....!..`.......es_ESB../......,...+...y...@.......A.......B.......C.......D...v...E...=...F.......G.......H.......I.......P.......Q... ...R...k...S.......T.......U.......V...1...W...U...X...y...Y.......]..+....s.......t...................c...;..+....;..,....;...%...;..#....;..-....M..+....O.......O...............}..,............=...]...m..,/...t..........A...(5..3...+;..<...+;..o...+O..!b..1...Ap..D@......E@...D..H4...-..HY..[F..H.......IC...%..J....L..J.......J.......LD......L....O..PS......QR..!...R...`K..T.......U....&..X.......Zr.....[`...h..\......]x...\|.._....Y.._....A..yg......1...=....E..?a......!.......K........G...............R...$..\Q...[.......,...z...y.......y..................+............9..\....E..2............z.. ....................%..ON...D........................:......=B.....A....5...7...0.......0......0.."....0...,...0..3....5...}...5...Y..............a... D..-!.. D..Z6..+....0..<U...h..<U......<.......H5..-M..H5..Z...L.......VE.."...VE..>...V......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_fi.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	179941
Entropy (8bit):	4.720938209922096
Encrypted:	false
SSDEEP:	3072:lvdTgO2Yl97ZWnbgTLt/Tf9IlqAeiy5uWkYGM0wNCdRjSK2YUlUs:lvdkA9vh5uWkY0MK2YXs
MD5:	8472CF0BF6C659177AD45AA9E3A3247C
SHA1:	7B5313CDA126BB7863001499FB66FB1B56C255FC
SHA-256:	E47FE13713E184D07FA4495DDE0C589B0E8F562E91574A3558A9363443A4FA72
SHA-512:	DE36A1F033BD7A4D6475681EDC93CC7B0B5DCB6A7051831F2EE6F397C971B843E1C10B66C4FB2EFF2A23DC07433E80FBF7B95E62C5B93E121AB5AD88354D9CB8
Malicious:	false
Preview:	<.d....!..`.......fiB..38.....ct...+......@.......A.......B.......C...@...D.......E...]...F.......G.......H.......I...#...P.......Q...6...R.......S.......T.......U.......V...G...W...k...X.......Y.......]......s...T...t.......................;......;..+....;..&....;..3....M..+!...O.......O...e...........}..+K...........=.......m..+w...t..........J...(5..9...+;..:y..+;..mW..+O..$...1...KY..D@......E@...Z..H4...l..HY..X&..H.......IC......J.......J...."..J......LD.....L.......PS...'..QR.. L..R...]...T.......U.......X.......Zr......[`......\.......]x......_....k.._....>..yg.. /..1...;....E..>....7..{(......%.......J........T.......&.......U...$..Y[...[......,...s...y.......y...a.......}......d...........9..Y....E..k'...........z...........V..........%..M....D...Q.......{......d.....A......E......K....5.......0.......0..&J...0.......0..k....5......5..I9.............._:.. D..,O.. D..W...+....9..<U...G..<U...*..<.......H5..,y..H5..W...H5......L....5..VE..!u..VE..E...V..."{..f.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_fr.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	166167
Entropy (8bit):	4.685212271435657
Encrypted:	false
SSDEEP:	1536:CLZ1w8McowCppcPwL5pYFw+G00QsbLckCiWxvq+sjs06oFm:C91wxcowspc4L5pUw+cz39CiQ7tloFm
MD5:	1F41FF5D3A781908A481C07B35998729
SHA1:	ECF3B3156FFE14569ECDF805CF3BE12F29681261
SHA-256:	EDB32A933CEF376A2636634E14E2977CED6284E4AA9A4AC7E2292F9CA54C384A
SHA-512:	A492E8AC88095A38A13549C18C68E1F61C7054AB9362C2B04C65B93E48E4A07941C8DA6950BAE79041094623E0ED330CA975110FDE8248B4D9380B9F729AD891
Malicious:	false
Preview:	<.d....!..`.......fr_FRB../....*..-....+.......@.......A.......B.......C...?...D.......E...\...F.......G.......H.......I..."...P.......Q...5...R.......S.......T.......U.......V...F...W...j...X.......Y.......]..+....s...=...t.......................;..+....;..,....;.......;..$b...;.......M..,....O.......O...5...........}..,3...........=.......m..,]...t..........A...(5..5j..+;..<T..+;..o...+O.."+..1...B\..D@......E@...Y..H4...8..HY..[{..H.......IC......J.......J.......J.......LD...\|..L.......PS...?..QR..!...R...`j..T.......U....[..X.......Zr.....[`...)..\......]x......_....7.._.......yg...i..1...=Q...E..?@......"Y......K............................$..\....[...^...,...'...y.......y...+.......o....../c.......Y...9..\....E..6(...........z..!................j...%..OC...D...+.......[......a.....;......>......B....5.......0.......0...m...0..#....0.......0..6....5.......5..................a... D..-Y.. D..Ze..+....]..<U...;..<U......<.......H5..-...H5..Z...L.......VE.."...VE..?...V......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_gd.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	189580
Entropy (8bit):	4.630160941635514
Encrypted:	false
SSDEEP:	1536:SiaI3C87jhakhR0VGkw7ys7CskUH6y4e6IFB4xyMuhvDnJGhFaCo527arBbm07LZ:S2yGjh17yGqxTXhvQoejJd8FUjVgk
MD5:	EB1FB93B0BE51C2AD78FC7BA2F8B9F42
SHA1:	24F7FF809E2F11C579CD388FEA5A4C552FF8D4D0
SHA-256:	63B439DD44139AA3AED54C2EBE03FA9BC77F22C14ED8FBA8EFF2608445BB233D
SHA-512:	E13770AEF33B6666ED7D54E03EE20CA291D4167D673BA6C61D8E64CDD5F7FFE0A9521B95AF67BE719BF263932ECF16E2B2D0B5F3404F9BCD7879114FCC6FC474
Malicious:	false
Preview:	<.d....!..`.......gd_GBB..2....*...u...+......@.......A...B...B.......C.......D.. ....E.. ....F..!&...G..!J...H..!n...I..!....P..#m...Q..#....R..#....S..$....T..$$...U..$H...V..$....W..$....X..$....Y..%....]../....s...'...t...................F...;.......;../....;..=V...;..G....M../G...O.......O...k......$....}../o.......i...=.......m../....t..........[...(5..M...+;..@...+;..x...+O..:...1...\7..D@...f..E@..#...H4...p..HY..be..H.......IC......J.......J....R..J.......LD......L.......PS......QR..#l..R...g...T.......U.......X....\..Zr......[`......\...&...]x......_....C.._...'t..yg..?...1...BM...E..D.......;.......R'.......t.......@.......?...$..c....[......,...i...y.......y...Y.......f.......+...........9..c....E...............z.."....................%..U....D..................G.....UB.....W......\]...5.......0.......0..<....0...;...0.......5.......5..ij..............h... D..0... D..aC..+....K..<U.....<U...~..<.......H5..0...H5..a...L....1..VE..$...VE..X...V...8\|..f...Z...f...=..

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_he.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	138690
Entropy (8bit):	5.515748942553918
Encrypted:	false
SSDEEP:	3072:XSue8Z7T3iJsqBejt/zNHSLzdetY2ZISfC/S:XSueK3w7Ijt8zUtYAISfC/S
MD5:	DEAF87D45EE87794AB2DC821F250A87A
SHA1:	DB39C6BAA443AA9BB208043EF7FB7E3403C12D90
SHA-256:	E1EBCA16AFE8994356F81CA007FBDB9DDF865842010FE908923D873B687CAD3F
SHA-512:	276FCE81249EFFE19E95607C39F9ACB3A4AFA3F90745DA21B737A03FEA956B079BCA958039978223FD03F75AC270EC16E46095D0C6DDA327366C948EC2D05B9C
Malicious:	false
Preview:	<.d....!..`.......he_ILB../....*......+..Sw...@......A......B.......C.......D...X...E.......F.../...G...O...H...o...I......P.......Q.......R...I...S...i...T......U......V.......W.......X.../...Y...O...]..$....s......t..X:.......4......`Y...;..$....;..%....;.......;...5...;.......M..$....O...6...O..s............}..%-...........=...m...m..%k...t..........^..(5......+;..2...+;..^...+O...N..1.......D@......E@...(..H4..T...HY..L...H..._...IC..\...J...\...J.......J...\j..LD..^...L...^o..PS..fl..QR......R...Q...T...su..U...s...X...x3..Zr..~...[`..L\..\.......]x....._......._....o..yg...(..1...3....E..5C.......z......?V......U.......U.......W....$..M....[..W....,..X....y.......y..\........a..............\@...9..NO...E...?......]s...z...G.......(......^....%..B^...D.._......._.................... ..........5..`/...0.......0...L...0......0..d(...0......5..ek...5..........fB......R... D..&O.. D..K...+...l...<U......<U..p)..<...p...H5..&w..H5..La..L...s...VE......VE......V.....

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_hu.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	160494
Entropy (8bit):	4.831791320613137
Encrypted:	false
SSDEEP:	3072:BmOMZadV9n51xXeQvjOiIzz7/Vs9Db3ihuJNvMfWxBNlYzYbTrIkfwb03l24cNKu:HkWa5pg0MahBHDd
MD5:	E9D302A698B9272BDA41D6DE1D8313FB
SHA1:	BBF35C04177CF290B43F7D2533BE44A15D929D02
SHA-256:	C61B67BB9D1E84F0AB0792B6518FE055414A68E44D0C7BC7C862773800FA8299
SHA-512:	12947B306874CF93ABA64BB46FAC48179C2D055E770D41AF32E50FFFB9F0C092F583AFCEA8B53FE9E238EF9370E9FFFBEB581270DFA1A7CB74EBE54D9BFF459F
Malicious:	false
Preview:	<.d....!..`.......hu_HUB../...........+.......@.......A...0...B...{...C.......D.......E.......F.......G...<...H...`...I.......P...s...Q.......R.......S.......T......U...N...V.......W.......X.......Y.......]..+y...s.......t.......................;..+Q...;..,U...;.......;.......;..&....M..+....O.......O...U..........}..+............=.......m..+....t..........9c..(5..,...+;..;...+;..m7..+O......1...9...D@...T..E@......H4...v..HY..Y...H.......IC......J.......J.......J.......LD......L.......PS...}..QR..!...R...]...T.......U....{..X.......Zr...=..[`......\......]x...-.._......._......yg...M..1...<....E..>...............J........T.......(.......S...$..Z....[.......,...u...y.......y...[...............#...........9..Z....E..#&...........z..!'...................%..Mv...D..._....................32.....5......9....5.......0...h...0...E...0.......0.......0..#....5...Z...5...........G......_2.. D..,... D..W...+....W..<U......<U...B..<.......H5..,...H5..X{..L....)..VE.."...VE..6l..V.....

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_it.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	161172
Entropy (8bit):	4.680034416311688
Encrypted:	false
SSDEEP:	1536:eSfxfdO4BKJb0td5pqCOIUP/PFIM7gxGQ9sRrFM6QJ4m8ihkM:eSfxFO4BKJb0td5pnOrvCqg9mRK4IkM
MD5:	88D040696DE3D068F91E0BF000A9EC3E
SHA1:	F978B265E50D14FDDE9693EC96E99B636997B74D
SHA-256:	7C7DC8B45BF4E41FEC60021AB13D9C7655BE007B8123DB8D7537A119EB64A366
SHA-512:	F042637B61C49C91043D73B113545C383BD8D9766FD4ACC21675B4FF727652D50863E72EA811553CB26DF689F692530184A6CE8FE71F9250B5A55662AFE7D923
Malicious:	false
Preview:	<.d....!..`.......it_ITB../....*.......+.......@.......A..."...B...m...C.......D.......E.......F.......G...0...H...T...I...x...P...q...Q.......R.......S.......T...(...U...L...V.......W.......X.......Y.......]..+....s...'...t...................^...;..+[...;..,g...;.......;.......;..!B...M..+....O...D...O...........(...}..+........I...=.......m..,....t..........4...(5..'...+;..<...+;..oV..+O......1...5...D@...F..E@......H4...J..HY..Z...H.......IC...L..J....s..J....j..J.......LD......L....f..PS......QR..!...R..._...T.......U....3..X.......Zr......[`...Q..\.......]x......_......._....0..yg...C..1...=....E..?o..............Kf.......h.......8.......I...$..[....[.......,...m...y...9...y...........z.......z...........9..\=...E..$u.......:...z.. k...................%..N....D..................M............0......5/...5...2...0.......0...0...0...A...0...)...0..$....5.......5...J.......a......a... D..,... D..Y...+.......<U......<U......<....v..H5..-...H5..Z...L.......VE.."c..VE..1...V....X.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_ja.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	129911
Entropy (8bit):	5.802855391832282
Encrypted:	false
SSDEEP:	1536:W8YYSCjKBJ26c1Z7f25pVmuLXpxfqt7FEUWNrfQje9kWI23pKXvx:xYuKBJ01Z7u5pQuLbESUWNzAAI23pKfx
MD5:	608B80932119D86503CDDCB1CA7F98BA
SHA1:	7F440399ABA23120F40F6F4FCAE966D621A1CC67
SHA-256:	CBA382ACC44D3680D400F2C625DE93D0C4BD72A90102769EDFD1FE91CB9B617B
SHA-512:	424618011A7C06748AADFC2295109D2D916289C81B01C669DA4991499B207B781604A03259C546739A3A6CF2F8F6DFA753B23406B2E2812F5407AEE343B5CBDD
Malicious:	false
Preview:	<.d....!..`.......jaB../....*...'...+..=....@.......A.......B...?...C...c...D......E......F.......G.......H..."...I...F...P.......Q...'...R...r...S......T......U.......V...8...W...\...X......Y......].."k...s...Q...t..A...............I....;.."C...;..#A...;.......;.......;.......M.."....O...B...O..[?......h....}.."........m...=.......m.."....t...........M..(5......+;......+;..WU..+O......1.......D@......E@...K..H4..>=..HY..F...H...Hr..IC..E...J...F...J.......J...E...LD..Gz..L...G...PS..O...QR......R...K!..T...Z...U...[e..X..._f..Zr..e...[`..7...\...i...]x...'.._......._...j...yg..~+..1.../....E..1?.......#......:.......?.......?n......A....$..G....[..Ap...,..B....y.......y..Ew......\|...............E....9..H....E..........F....z...]..............HL...%..=R...D..H.......I!......[......J......M..........5..It...0...3...0.......0...C...0..M....0...a...5..N....5..........N.......L6.. D..#... D..E...+...U%..<U......<U..X ..<...X...H5..#...H5..FK..L...[...VE......VE......V......f.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_ko.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	156799
Entropy (8bit):	5.859529082176036
Encrypted:	false
SSDEEP:	1536:rvTy18hhPekHs1iNXVExWbStnn8TExgkYOvYejZOvXx4Mmf0MwUL8smk/pDZyy:y18hJ61nMStnn8TOgknQRLWZmkxNyy
MD5:	082E361CBAC2E3A0849F87B76EF6E121
SHA1:	F10E882762DCD2E60041BDD6CC57598FC3DF4343
SHA-256:	0179ED1B136E1CB3F583351EAA2C545BA3D83A6EE3F82C32505926A1A5F5F183
SHA-512:	F378A42116924E30FA0B8FFF1D3C3CB185DC35B2746DCE2818BE7C2AA95C5DE103DF44AAC74DA969C36C557F1D4DE42AC7647EC41066247F8AD2697BDED667EA
Malicious:	false
Preview:	<.d....!..`.......koB..7...........+.......@...K...A...o...B......C.......D...8...E.......F...U...G...y...H......I.......P......Q.......R.......S...C...T...g...U.......V.......W.......X...-...Y...Q...]..$....s...>...t...................y...;..${...;..%....;...u...;...l...M..$....O.......O...8...........}..$............=...C...m..%!...t...n..........(5...a..+;..E@..+;..l\|..+O......1.......D@.....E@......H4......HY..\...H....]..IC......J.......J....8..J.......LD...a..L.......PS......QR......R...`...T.......U....^..U.......X....y..Zr......[`..y...\....A..]x......_......._....o..yg......1...FJ...E..HE...7..................Q........a.......5...........$..]....[...;...,.......y.......y...V...............!.......\|...9..]....E...R...........z...4.......f.......5...%..Te...D..................D......^................5...S...0.......0.......0.......0.......5.......5...........n......a... D..%... D..[...+.......<?......<U...;..<U...+..<.......H5..&...H5..\...L.......VE......V....A..f.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_lv.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153608
Entropy (8bit):	4.843805801051326
Encrypted:	false
SSDEEP:	3072:y5pmbKIhooMbGe91MrjOhmGzP6LJbWz5XIxELpU6:yObeqrjPGzeJyJLy6
MD5:	BD8BDC7BBDB7A80C56DCB61B1108961D
SHA1:	9538C4D8BB9A95C0D9DC57C7708A99DD53A32D1F
SHA-256:	846E047573AE40C83671C3BA7F73E27EFC24B98C82701DA0DF9973E574178BB2
SHA-512:	F040EC410EBFEA21145F944E71ADCAE8E5F60907D1D3716A937A9A59A48F70C6B7EAAC91C2C554F59357A7BC820CDBD17C73A4DECC20B51F68EB79EDD35C5554
Malicious:	false
Preview:	<.d....!..`.......lv_LVB..........B...+..y....@.......A...=...B......C......D.......E.......F...#...G...G...H...k...I.......P...~...Q......R.......S.......T...5...U...Y...V......W.......X.......Y.......]..%....s.......t...8.......n.......A...;..&....;.......;...!...;...A...;../....M..%....O.......O...............}..%...........=.......m..&....t...(......(g..(5...+..+;..4...+;..d...+O......1...(...D@...a..E@......H4..z...HY..Q...H.......IC......J....6..J.......J.......LD......L....9..PS......QR......R...U...T....S..U.......X...._..Zr......[`..r...\.......]x....._......._....{..yg......1...5v...E..7........(......B.......\|.......\|W......~r...$..R....[..~....,.......y...l...y...............................9..S....E...g...........z...z...................%..F....D........................"Z.....$......)....5.......0...\...0.......0...r...0.......0.......5...a...5..........J......V... D..&... D..P...+.......<U......<U......<.......H5..'"..H5..P...L....~..VE...R..VE..%...V......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_pl.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	162982
Entropy (8bit):	4.841899887077422
Encrypted:	false
SSDEEP:	1536:sXpestp/YIFtDT8FIWYbIJmPYuIpnmxAk6mwyJNqSm9+P:sxpTDT8FIWfJmdCmxApmbnqSm9+P
MD5:	F9475A909A0BAF4B6B7A1937D58293C3
SHA1:	76B97225A11DD1F77CAC6EF144812F91BD8734BD
SHA-256:	CE99032A3B0BF8ABAD758895CC22837088EAD99FD2D2514E2D180693081CFE57
SHA-512:	8A4F1B802B6B81FF25C44251FB4A880E93E9A5FE25E36825A24BFE0EFB34E764E7E1EE585D3A56554964B7921E7813C67F12D200D6E0C5EAF4BB76B064B5C890
Malicious:	false
Preview:	<.d....!..`.......pl_PLB..0......"....+.......@...F...A...j...B......C.......D...3...E.......F...P...G...t...H.......I.......P.......Q.......R.......S...>...T...b...U.......V.......W.......X...(...Y...L...]......s.......t...r.......o.......+...;......;..+....;..."...;... ...M......O...6...O...........a...}..+...........=.......m..+G...t...G......,...(5......+;..:...+;..k...+O......1...-[..D@.....E@......H4...U..HY..WU..H.......IC......J....6..J.......J.......LD......L....%..PS......QR.. ...R...[...T....1..U.......X......Zr......[`......\.......]x...A.._......._....}..yg......1...;W...E..=........%......H....................$..Xp...[.......,.......y...i...y...........}......$R...........9..X....E..+)...........z.. E...................%..K....D...p....................&......(......-....5.......0.......0...e...0.......0..+....5...]...5...........f......]-.. D..,%.. D..V?..+....V..<U......<U......<....-..H5..,M..H5..V...L....Z..VE..!...VE..)...V.......f...P...f....K..f......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_ru.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	203767
Entropy (8bit):	5.362551648909705
Encrypted:	false
SSDEEP:	1536:hn4dEJ63pdhPpy6gu5fs4MHQv6sLlxnrncF423ZL9xyuXwdcX8LZuf76CW+WeXFx:aN3pdV5fZbpItXsttRY+WSq
MD5:	5096AD2743BF89A334FBA6A2964300D4
SHA1:	405F45361A537C7923C240D51B0FF1C46621C203
SHA-256:	3DA6605668F9178D11A838C4515478084DCFB4F9CF22F99D7A92B492DB9C224B
SHA-512:	7B88B501792B5831426BAA669138192ED94CC3F8323A3DF9D5287655DC4D877706908C517AB7523AE8A283BF50B47123F13B8AE40EA2F3081C3459EDC47FC8DD
Malicious:	false
Preview:	<.d....!..`.......ru_RUB..7.......L...+...W...@..,....A..,....B..-1...C..-U...D..-....E...r...F.......G.......H../....I../8...P..1'...Q..1K...R..1....S..1....T..1....U..2....V..2\...W..2....X..2....Y..2....].......s..$c...t...'......%........r...;..-....;.......;..J....;..V....M...C...O.......O..&.......8....}...m......+3...=..+....m.......t..+.......p...(5..]@..+;..[0..+;......+O..H...1...qM..D@..-...E@..1o..H4...p..HY..xm..H......IC...@..J....g..J.......J.......LD......L....p..PS......QR..!...R...}...T...&...U...'...U...ki..X...+...Zr..3...[`......\...:...]x..)..._......._...;...yg..S...1...\....E..__...7.........H.......k................j.......U...$..y....[.......,.......y...k...y...............................9..y....E...O...........z..!*...................%..nW...D.................%w.....g......j~.....qw...5...H...0.......0..I....0..._...0......5.......5..................~... D../k.. D..wa..+....?..<?.."t..<U......<U.."...<...#z..H5../...H5..w...L...&...VE.."...V...F$.

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_sk.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	125763
Entropy (8bit):	4.80343609423322
Encrypted:	false
SSDEEP:	3072:roXDuC1u/2lUBGjJirE5tsd/aev1GIfOdvhw:OucMGjH5tbm
MD5:	3D60E50DCBCBD70EE699BC9B1524FCB9
SHA1:	0211B4911B5B74CC1A46C0FCA87D3BF5632AA44A
SHA-256:	D586AE2C314074CF398417FDECB40709D5478DFEB0A67C2FE60D509EE9B59ED7
SHA-512:	F98211867F1DBCB8A342C00E23FA5718BE6E999F7449CB8470B41BF0F527C7F78CC4D6666E28968F32E96026907156753979BFADA7E6BF4225D02A902D24906D
Malicious:	false
Preview:	<.d....!..`.......sk_SKB..$x...*.......+..>....@......A......B.......C.......D...3...E...Z...F......G......H.......I.......P.......Q...D...R.......S......T.......U.......V...1...W...X...X.......Y......]...Y...t..D-......K....;...3...;.......;.......;......;...V...M.......O.._ ......l....}.......m...........T..(5...(..+;......+;..%...+O......1......E@...k..F.......H4..?I..HY..@7..H...J...I....,..IC..HT..J...H{..J...H...LD..J"..L...Jv..PS..Q...R...D...Zr..i]..[`..7...\...nB.._...o...1...&....E..(........B......19......A.......A....$..AF...[..C....,..D....y..G.......v........g......G....9..A....E..........IH...%..4.......Kf..............................5..K....0...,...0.......0.......0..Of...0.......5..P....5..........E... D...C.. D..?'..+...Y`..<U......<U..\...<...]...H5...m..H5..?...L...^...VE......f.......f...8...g.......l...aP.......................6......d....D..f(...`..f...............?....`..h5...y..H....5..j........E...e.......e..@....... ......>......oZ......l..

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_tr.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	194487
Entropy (8bit):	4.877239354585035
Encrypted:	false
SSDEEP:	3072:yRRhAFCvqDBitD/iDG9AOH+l4TcwZBPqHo9fd9CFRK+2IKAimxsjucV2p0ZqvRu7:yRRHs5mksWVX3lA3
MD5:	6CBC5D8E1EABEC96C281065ECC51E35E
SHA1:	4E1E6BA3772428227CB033747006B4887E5D9AD1
SHA-256:	6A0BF6E70E7920C2B193E76E92F78F315936955D3B06AC039D917F2E06C43281
SHA-512:	CE1F9EE180176153D5F523D71E0DB06F4DEA65C24E5E2CD56341CFAEE349A8E9A0F606D99F7219A35DD4516D1528C90AEA4BB87548A55392B8F2B36164D478B1
Malicious:	false
Preview:	<.d....!..`.......tr_TRB..7....*.......+...-...@.......A.......B.......C...%...D.......E...F...F.......G.......H.......I.......P.. ....Q.. ....R..!D...S..!h...T..!....U..!....V.."....W.."0...X.."T...Y.."x...]..,g...s.../...t......................;..,9...;..-I...;..9@...;..E....M..,....O.......O...G...........}..,............=...\...m..,....t.........._3..(5..LJ..+;..Wt..+;...\..+O..7...1..._...D@......E@..!...H4...@..HY..t...H....2..IC...r..J......J....D..J....K..LD...$..L....x..PS......QR..!...R...x...T.......U....q..U...Y...X...."..Zr...%..[`......\....:..]x......_......._.......yg..6...1...X....E..[....7...Z......7Q......f............................$..u....[...:...,...5...y.......y...........7...............!...9..u....E...........P...z.. ........p...........%..j....D..................A.....U......Y......_....5...V...0.......0..8....0...U...0.......5.......5..~b..............z+.. D..-... D..s...+.......<?...8..<U...s..<U...p..<.......H5..-...H5..s...L.......VE.."0..V...4..

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_uk.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	158274
Entropy (8bit):	5.402056706327934
Encrypted:	false
SSDEEP:	1536:jXwjFVUDdMUD4TzdAhpQgO5poZHvJllEnhmdK4I77/dnPJX/imfb1jhvv3BxT8ue:jBzD4Tzaw5pCvJ8hVPdlvj3p8
MD5:	D6234E4E21021102B021744D5FA22346
SHA1:	63A14327D0CF0941D6D6B58BFA7E8B10337F557B
SHA-256:	51B8FF55B37DC5907D637A8DDDA12FBE816852B0244C74EB4F0FB84867A786E0
SHA-512:	37D24A092C5F29BACB7A4CA8207C4EEFD0F073B7E74A492402867F758084091BF1D79D2BA2B4A28B35FEF42E8023C371FDE97578F74BB2033551154E77102DE6
Malicious:	false
Preview:	<.d....!..`.......uk_UAB../.......E...+...l...@.......A.......B...G...C...k...D.......E.......F.......G.......H......I...N...P...=...Q...a...R.......S.......T.......U.......V...r...W.......X.......Y.......]..y...s.......t...........;.......n...;..Q...;..+U...;.......;...x...;..!(...M......O.......O...........6...}..........E...=.......m..*....t..........3...(5..&...+;..:...+;..k0..+O...A..1...4-..D@... ..E@......H4...8..HY..W...H....2..IC...V..J....}..J.......J....%..LD...&..L....z..PS......QR.. ...R...\...T....(..U.......X.......Zr......[`..~...\.......]x......_......._....4..yg...c..1...;....E..=w.......m......I............................$..X....[...<...,.......y.......y...........M...................9..Y....E...F.......D...z.. ........P...........%..LB...D.......................-n...../......4W...5...F...0...p...0...W...0.......0...k...0.......5.......5..................^... D..+... D..V...+.......<U.../..<U......<....>..H5..+...H5..V...L....S..VE..!...VE..0...V......

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\translations\qtbase_zh_TW.qm

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	127849
Entropy (8bit):	5.83455389078597
Encrypted:	false
SSDEEP:	3072:Fv2cHP10gOs6dcFxsJopMqOWv2WIrPFP8pa:Fh6s6iFxEodjef8pa
MD5:	9C6A3721D01ECAF3F952CE96F46CE046
SHA1:	4A944E9E31DF778F7012D8E4A66497583BFD2118
SHA-256:	085D29EAF9BBB788B2F2503D74A1EF963A9411CEB600441254CE49A120E1AB63
SHA-512:	6E2807B8785F42A26C9CCBDBA0327DD40B529B10C468593F0E74113774D1CCDAA4FD9ACE9B259B9040E1475911428ECAEA49425B0F170862CF8147D23DB48E46
Malicious:	false
Preview:	<.d....!..`.......zh_TWB..2x..........+..)....@.......A.......B...j...C......D.......E......F.......G...)...H...M...I...q...P...%...Q...I...R......S......T.......U.......V...Z...W...~...X......Y.......]..!....s.......t..-...............4....;..!z...;.."\|...;.......;.......M..!....O.......O..Ay......N)...}..!............=.......m.." ...t...(.........(5......+;..;...+;.._...+O......1.......D@...C..E@...m..H4..W..HY..Pm..H...3...IC..1...J...1...J.......J...1...LD..2...L...38..PS..6...QR...T..R...T...T...A...U...A...X...E...Zr..K...[`..$...\...OW..]x......_......._...P...yg..a^..1...<....E..>....7...>.......;......Fo......+.......+.......-L...$..QR...[..-....,...F...y.......y..1J...............6......1p...9..Q....E..........2....z...........<......3....%..H....D..4W......4}....................Z...... ...5..4....0...?...0...K...0..5....0...L...5..6....5..........6.......U... D.."... D..O...+...<%..<U......<U..>...<...?:..H5..#...H5..O...L...AS..VE...M..VE......V.......f...L..

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtCore.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2483712
Entropy (8bit):	6.241719144701645
Encrypted:	false
SSDEEP:	49152:ZYS8YHrNj4/7RsRLvYpiW3pCBU+Z7bJWvCSBYgbxGJ5M2GM/fXR1fUdihfSbCo6e:9bpj4/7RsRLvYpiW3pCBU+Z7bJWvCSBv
MD5:	678FA1496FFDEA3A530FA146DEDCDBCC
SHA1:	C80D8F1DE8AE06ECF5750C83D879D2DCC2D6A4F8
SHA-256:	D6E45FD8C3B3F93F52C4D1B6F9E3EE220454A73F80F65F3D70504BD55415EA37
SHA-512:	8D9E3FA49FB42F844D8DF241786EA9C0F55E546D373FF07E8C89AAC4F3027C62EC1BD0C9C639AFEABC034CC39E424B21DA55A1609C9F95397A66D5F0D834E88E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}.........../....td./..../...td./...td./...td./...n../...1../......P...c./....c./....c./...Rich...........................PE..d....p.f.........." ...(............+.......................................0&...........`.............................................L.....................#.$.............%.... t.......................t..(....r..@............@..(o...........................text...~(......................... ..`.rdata..x....@......................@..@.data...h...........................@....pdata..$.....#......n#.............@..@.reloc.......%......L%.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtGui.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2494976
Entropy (8bit):	6.232020603277999
Encrypted:	false
SSDEEP:	24576:SUjOoTFrwI8nc6EmRAQ9RzgpP2bXYUKuXeLQp5PjYq0zb:SUqCgnZXRAQ9RzggbozJLQp5Mq
MD5:	AE182C36F5839BADDC9DCB71192CFA7A
SHA1:	C9FA448981BA61343C7D7DECACAE300CAD416957
SHA-256:	A9408E3B15FF3030F0E9ACB3429000D253D3BB7206F750091A7130325F6D0D72
SHA-512:	8950244D828C5EDE5C3934CFE2EE229BE19CC00FBF0C4A7CCEBEC19E8641345EF5FD028511C5428E1E21CE5491A3F74FB0175B03DA17588DAEF918E3F66B206A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......... j..sj..sj..sc..sn..s.p.rh..s1..rh..s.p.ri..s.p.rb..s.p.r...s...rh..s..ro..sj..s...syw.ra..syw.rk..syw.rk..sRichj..s........PE..d....p.f.........." ...(.....................................................P&...........`.........................................`&..L....&................$...............%.....................................p...@...............@{...........................text...O........................... ..`.rdata..............................@..@.data...xz.......^...t..............@....pdata........$.......#.............@..@.reloc........%......^%.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\QtWidgets.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5144576
Entropy (8bit):	6.262739223310643
Encrypted:	false
SSDEEP:	49152:Qi+reIG7QwktsFPKoe2yicbbqgkcY9abW7KnTYK2bjMkTDGM7y:uqT7Q1kyTvoWW7EYvM9M
MD5:	E8C3BFBC19378E541F5F569E2023B7AA
SHA1:	ACA007030C1CEE45CBC692ADCB8BCB29665792BA
SHA-256:	A1E97A2AB434C6AE5E56491C60172E59CDCCE42960734E8BDF5D851B79361071
SHA-512:	9134C2EAD00C2D19DEC499E60F91E978858766744965EAD655D2349FF92834AB267AC8026038E576A7E207D3BBD4A87CD5F2E2846A703C7F481A406130530EB0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................=....1M............1M.....1M.....1M.....+......t.............J......J......J.....Rich...........................PE..d....p.f.........." ...(..,...!.....P.,.......................................N...........`..........................................><.T...D?<...............H..z...........pM..O..Pa8..............................`8.@.............,..............................text.....,.......,................. ..`.rdata........,.......,.............@..@.data... :....A.......A.............@....pdata...z....H..\|....H.............@..@.reloc...O...pM..P...0M.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\sip.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120320
Entropy (8bit):	6.034057886020456
Encrypted:	false
SSDEEP:	1536:pPd5NTdYgpmMrZhekwFH4PqgZNBQmT6V6WRFYE9Icx7pz4H5B:NhTdtmMdEkwuFTSvYE9Iczz4H5
MD5:	4F7F9E3A9466F4C0103FB04E1987E098
SHA1:	D4A339702E936AA5ECC1FE906AE2BA3BB0E481D7
SHA-256:	EBF27146466D61411493D2E243EAC691740F9C4B7A4B9AB0D408BE45B5E0AA35
SHA-512:	920BA8D58DCA7946341C1CC01FEA0B76CCE008F1D10061F84455A3DE9BA00FD9534F40C983486211BE92B85F786CD610C386529711A6F573A02BFAF8CA543A19
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........kSR...R...R...[...Z....X..P.......P....X..Q....X..Z....X.._....^..Q...R.......G_..[...G_..S...G_..S...G_..S...RichR...........PE..d.... g.........." ...(.H...........J.......................................0............`.............................................X...h................................ ..........................................@............`...............................text...(G.......H.................. ..`.rdata..lU...`...V...L..............@..@.data.... ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.701724666218339
Encrypted:	false
SSDEEP:	768:ApzzO6ujT3MbR3v0Cz6SR8q83yaFdWr9zRcmgEl6U9zSC:9q/oGw3fFdwzRcmZFzSC
MD5:	68156F41AE9A04D89BB6625A5CD222D4
SHA1:	3BE29D5C53808186EBA3A024BE377EE6F267C983
SHA-256:	82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
SHA-512:	F7BF8AD7CD8B450050310952C56F6A20B378A972C822CCC253EF3D7381B56FFB3CA6CE3323BEA9872674ED1C02017F78AB31E9EB9927FC6B3CBA957C247E5D57
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.{...{...{...0...y.......y...r.H.p...{...H.......\|.......`.......~.......z.....$.z.......z...Rich{...........PE..d...l0.?.........." ...).<...8.......@...............................................b....`A........................................pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84240
Entropy (8bit):	6.607563436050078
Encrypted:	false
SSDEEP:	1536:Kdrz7l1EVLsSuvX3dUK4MLgqK7YEog8y5sV8lIJLVy7SyFB:urzcuvXvrEo7y6V8lIJLVyB
MD5:	CB8C06C8FA9E61E4AC5F22EEBF7F1D00
SHA1:	D8E0DFC8127749947B09F17C8848166BAC659F0D
SHA-256:	FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
SHA-512:	E6DA642B7200BFB78F939F7D8148581259BAA9A5EDDA282C621D14BA88083A9B9BD3D17B701E9CDE77AD1133C39BD93FC9D955BB620546BB4FCF45C68F1EC7D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..\|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).....\......0........................................P......7[....`.............................................H...(........0....... .. ......../...@..........T...........................`...@...............x............................text............................... ..`.rdata...=.......>..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131344
Entropy (8bit):	6.311142284249784
Encrypted:	false
SSDEEP:	3072:3RF024DWkT/DKGkXY402iXnVJf/FO50XnekZ39gPhvEQZIJyPArm:j0nHT/DKFXZorf/FO50uW3SEQt
MD5:	A55E57D7594303C89B5F7A1D1D6F2B67
SHA1:	904A9304A07716497CF3E4EAAFD82715874C94F1
SHA-256:	F63C6C7E71C342084D8F1A108786CA6975A52CEFEF8BE32CC2589E6E2FE060C8
SHA-512:	FFA61AD2A408A831B5D86B201814256C172E764C9C1DBE0BD81A2E204E9E8117C66F5DFA56BB7D74275D23154C0ED8E10D4AE8A0D0564434E9761D754F1997FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............h....................................... .......Z....`.........................................P.................................../...........=..T............................;..@............0...............................text............................... ..`.rdata...y...0...z..................@..@.data....$....... ..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	277776
Entropy (8bit):	6.5855511991551
Encrypted:	false
SSDEEP:	6144:x9iD78EIq4x4OA5bZZ0KDgQcI79qWM53pLW1AFR8E4wXw76TPlpV77777VMvyk:xwDGqr5b8EgQ5+w6k
MD5:	F3377F3DE29579140E2BBAEEFD334D4F
SHA1:	B3076C564DBDFD4CA1B7CC76F36448B0088E2341
SHA-256:	B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
SHA-512:	34D9591590BBA20613691A5287EF329E5927A58127CE399088B4D68A178E3AF67159A8FC55B4FCDCB08AE094753B20DEC2AC3F0B3011481E4ED6F37445CECDD5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....Z...............................................P......W.....`.................................................L........0..........t+......./...@..........T...............................@............... ............................text.............................. ..`.rdata..\...........................@..@.data...8'......."..................@....pdata..t+.......,..................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64272
Entropy (8bit):	6.220967684620152
Encrypted:	false
SSDEEP:	768:eNJI0DWiflFwY9X3Th1JnptE462TxNvdbj4dIJvI75YiSyvE62Em:2LDxflFwY9XDhPfVNv+dIJvIF7Syc6c
MD5:	32D76C9ABD65A5D2671AEEDE189BC290
SHA1:	0D4440C9652B92B40BB92C20F3474F14E34F8D62
SHA-256:	838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
SHA-512:	49DC391F4E63F4FF7D65D6FD837332745CC114A334FD61A7B6AA6F710B235339964B855422233FAC4510CCB9A6959896EFE880AB24A56261F78B2A0FD5860CD9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P...~.......=..............................................!.....`.........................................p...P................................/......X....l..T............................k..@............`...............................text....N.......P.................. ..`.rdata...M...`...N...T..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157968
Entropy (8bit):	6.854644275249963
Encrypted:	false
SSDEEP:	3072:KbbS4R/G4Z8r7NjwJTSUqCRY4By7znfB9mNowgn0lCelIJ012+j:KbR/8oWeBi5YOwflCe8o
MD5:	1BA022D42024A655CF289544AE461FB8
SHA1:	9772A31083223ECF66751FF3851D2E3303A0764C
SHA-256:	D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
SHA-512:	2B888A2D7467E29968C6BB65AF40D4B5E80722FFDDA760AD74C912F3A2F315D402F3C099FDE82F00F41DE6C9FAAEDB23A643337EB8821E594C567506E3464C62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...).`...........1.......................................p.......P....`.............................................L.......x....P.......0.......:.../...`..4....\|..T...........................P{..@............p...............................text...^^.......`.................. ..`.rdata.......p.......d..............@..@.data........ ......................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..4....`.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33552
Entropy (8bit):	6.446391764486538
Encrypted:	false
SSDEEP:	384:7GpPCRjqMu/AoS6rf7sif0NHQibZIJ9UoOHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:fkTM6rg9aeZIJ9Uok5YiSyvTo2Et
MD5:	1C03CAA59B5E4A7FB9B998D8C1DA165A
SHA1:	8A318F80A705C64076E22913C2206D9247D30CD7
SHA-256:	B9CF502DADCB124F693BF69ECD7077971E37174104DBDA563022D74961A67E1E
SHA-512:	783ECDA7A155DFC96A718D5A130FB901BBECBED05537434E779135CBA88233DD990D86ECA2F55A852C9BFB975074F7C44D8A3E4558D7C2060F411CE30B6A915F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).....:.......................................................r....`.........................................PD..L....D..d....p.......`..l....T.../..........@4..T............................3..@............0...............................text............................... ..`.rdata..2....0....... ..............@..@.data........P.......>..............@....pdata..l....`.......D..............@..@.rsrc........p.......H..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83728
Entropy (8bit):	6.331814573029388
Encrypted:	false
SSDEEP:	1536:XuV3gvWHQdMq3ORC/OypTXQlyJ+9+nzEYwsBI6tzOKuZIJywJ7Sy21:XuVQvcQTSypTXQlyJs+nzEYJI6QlZIJY
MD5:	FE896371430BD9551717EF12A3E7E818
SHA1:	E2A7716E9CE840E53E8FC79D50A77F40B353C954
SHA-256:	35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
SHA-512:	67ECD9A07DF0A07EDD010F7E3732F3D829F482D67869D6BCE0C9A61C24C0FDC5FF4F4E4780B9211062A6371945121D8883BA2E9E2CF8EB07B628547312DFE4C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m\|.ll}..o\|.ll}..h\|.ll}..i\|.ll}..m\|.ll}.lm}.ll}..m\|.ll}..a\|.ll}..l\|.ll}..}.ll}..n\|.ll}Rich.ll}........PE..d.....g.........." ...).x.......... -.......................................`.......s....`.........................................@...P............@.......0.........../...P..........T...........................@...@............................................text....w.......x.................. ..`.rdata.. y.......z...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181520
Entropy (8bit):	5.972827303352998
Encrypted:	false
SSDEEP:	3072:kO+IWyXHllRhN1qhep7fM6CpqjZI8u7pUULbaLZErWreVEzvT3iFCNc6tYwJc1OW:kpSrhN1E2M6CpUuwg5dEW7
MD5:	1C0E3E447F719FBE2601D0683EA566FC
SHA1:	5321AB73B36675B238AB3F798C278195223CD7B1
SHA-256:	63AE2FEFBFBBBC6EA39CDE0A622579D46FF55134BC8C1380289A2976B61F603E
SHA-512:	E1A430DA2A2F6E0A1AED7A76CC4CD2760B3164ABC20BE304C1DB3541119942508E53EA3023A52B8BADA17A6052A7A51A4453EFAD1A888ACB3B196881226C2E5C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...)............ /..............................................R\....`.............................................d................................/..............T...........................P...@............................................text...0........................... ..`.rdata..D%.......&..................@..@.data...`...........................@....pdata...............n..............@..@.rsrc................z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\_wmi.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38160
Entropy (8bit):	6.338856805460127
Encrypted:	false
SSDEEP:	768:fEkK9VgWOZbs3550QcJpPllIJLiX5YiSyvQ602Euf0:fE93jkbQcJvlIJLiJ7Syq00
MD5:	1C30CC7DF3BD168D883E93C593890B43
SHA1:	31465425F349DAE4EDAC9D0FEABC23CE83400807
SHA-256:	6435C679A3A3FF4F16708EBC43F7CA62456C110AC1EA94F617D8052C90C143C7
SHA-512:	267A1807298797B190888F769D998357B183526DFCB25A6F1413E64C5DCCF87F51424B7E5D6F2349D7A19381909AB23B138748D8D9F5858F7DC0552F5C5846AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H2.&a.&a.&a..a.&a..'`.&a..%`.&a.."`.&a..'`.&a..#`.&a..'`.&a.'a..&a.."`.&a../`.&a..&`.&a...a.&a..$`.&aRich.&a................PE..d.....g.........." ...).,...<.......)..............................................'.....`.........................................0V..H...xV.......................f.../......x...tG..T............................C..@............@.......T..@....................text....*.......,.................. ..`.rdata..d ...@..."...0..............@..@.data........p.......R..............@....pdata...............V..............@..@.rsrc................Z..............@..@.reloc..x............d..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\base_library.zip

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1394456
Entropy (8bit):	5.531698507573688
Encrypted:	false
SSDEEP:	12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:	A9CBD0455B46C7D14194D1F18CA8719E
SHA1:	E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:	DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:	B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:	false
Preview:	PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI69322\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer\md.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.818583535960129
Encrypted:	false
SSDEEP:	96:Mvs10hZd9D74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGDtCFCCQAADo+cX6m:MXv9XFCk2z1/t12iwU5usJFuCyPcqgE
MD5:	56FE4F6C7E88212161F49E823CCC989A
SHA1:	16D5CBC5F289AD90AEAA4FF7CB828627AC6D4ACF
SHA-256:	002697227449B6D69026D149CFB220AC85D83B13056C8AA6B9DAC3FD3B76CAA4
SHA-512:	7C9D09CF9503F73E6F03D30E54DBB50606A86D09B37302DD72238880C000AE2B64C99027106BA340753691D67EC77B3C6E5004504269508F566BDB5E13615F1E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k............r_...........r................................................3..........Rich....................PE..d....$.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124928
Entropy (8bit):	5.953784637413928
Encrypted:	false
SSDEEP:	3072:JDE+0ov6ojgN3qN8h51Zlh+YW5E38vCsmLS:JdefPZE2ICDLS
MD5:	10116447F9276F10664BA85A5614BA3A
SHA1:	EFD761A3E6D14E897D37AFB0C7317C797F7AE1D6
SHA-256:	C393098E7803ABF08EE8F7381AD7B0F8FAFFBF66319C05D72823308E898F8CFC
SHA-512:	C04461E52B7FE92D108CBDEB879B7A8553DD552D79C88DFA3F5D0036EED8D4B8C839C0BF2563BC0C796F8280ED2828CA84747CB781D2F26B44214FCA2091EAE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................7...............7.......7.......7.......6..........D....6.......6.......6.......6......Rich............................PE..d....$.g.........." ...).@...........C.......................................0............`.........................................0...d.................................... ......................................P...@............P...............................text....?.......@.................. ..`.rdata..nY...P...Z...D..............@..@.data....=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5232408
Entropy (8bit):	5.940072183736028
Encrypted:	false
SSDEEP:	98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
MD5:	123AD0908C76CCBA4789C084F7A6B8D0
SHA1:	86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
SHA-256:	4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
SHA-512:	80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.\|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...\|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	792856
Entropy (8bit):	5.57949182561317
Encrypted:	false
SSDEEP:	12288:7LN1sdyIzHHZp5c3nlUa6lxzAG11rbmFe9Xbv:7LgfzH5I3nlUa2AU2Fe9Xbv
MD5:	4FF168AAA6A1D68E7957175C8513F3A2
SHA1:	782F886709FEBC8C7CEBCEC4D92C66C4D5DBCF57
SHA-256:	2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
SHA-512:	C372B759B8C7817F2CBB78ECCC5A42FA80BDD8D549965BD925A97C3EEBDCE0335FBFEC3995430064DEAD0F4DB68EBB0134EB686A0BE195630C49F84B468113E3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.>..........K........................................0......!+....`..........................................x...Q..............s.... ...M......./......d...p...8...............................@............................................text....<.......>.................. ..`.rdata..hz...P...\|...B..............@..@.data...qN.......H..................@....pdata..pV... ...X..................@..@.idata...c.......d...^..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..C...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909456553599775
Encrypted:	false
SSDEEP:	1536:j3sHmR02IvVxv7WCyKm7c5Th4JBHTOvyyaZE:jnIvryCyKx5Th4J5OvyyO
MD5:	49AC12A1F10AB93FAFAB064FD0523A63
SHA1:	3AD6923AB0FB5D3DD9D22ED077DB15B42C2FBD4F
SHA-256:	BA033B79E858DBFCBA6BF8FB5AFE10DEFD1CB03957DBBC68E8E62E4DE6DF492D
SHA-512:	1BC0F50E0BB0A9D9DDDAD31390E5C73B0D11C2B0A8C5462065D477E93FF21F7EDC7AA2B2B36E478BE0A797A38F43E3FBEB6AAABEF0BADEC1D8D16EB73DF67255
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d...._.g.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\python3.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70416
Entropy (8bit):	6.1258200129869405
Encrypted:	false
SSDEEP:	768:pQEotsskOv6pWVCB4p/uKlZPRQcFIc9qunV0Jku/YFI1Hu1wEBbCpVNyD6VdPxiD:/otssyKcunV8PjZIJy0i7SyWH1
MD5:	16855EBEF31C5B1EBE767F1C617645B3
SHA1:	315521F3A748ABFA35CD4D48E8DD09D0556D989B
SHA-256:	A5C6A329698490A035133433928D04368CE6285BB91A9D074FC285DE4C9A32A4
SHA-512:	C3957B3BD36B10C7AD6EA1FF3BC7BD65CDCEB3E6B4195A25D0649AA0DA179276CE170DA903D77B50A38FC3D5147A45BE32DBCFDBFBF76CC46301199C529ADEA4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%?..a^e.a^e.a^e.).m.`^e.).e.`^e.)..`^e.).g.`^e.Richa^e.........PE..d......g.........." ...)............................................................z.....`.........................................`..................................../..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\python313.dll

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6083856
Entropy (8bit):	6.126922729922386
Encrypted:	false
SSDEEP:	49152:fXGc3O7T4DKX+vLFMmKYxiAYNBD987KdJlI9HbeX2jrgQcw6Zc4h67mM+XDQ3bLi:Of42zJiwJl/YF7v3vaHDMiEN3Kr
MD5:	B9DE917B925DD246B709BB4233777EFD
SHA1:	775F258D8B530C6EA9F0DD3D1D0B61C1948C25D2
SHA-256:	0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
SHA-512:	F4BF3398F50FDD3AB7E3F02C1F940B4C8B5650ED7AF16C626CCD1B934053BA73A35F96DA03B349C1EB614BB23E0BC6B5CC58B07B7553A5C93C6D23124F324A33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).:+..T9......J........................................d.....uF]...`...........................................O.....h.P.......d......0].......\../....d..... A3.T.....................I.(....?3.@............P+..............................text....8+......:+................. ..`.rdata....%..P+...%..>+.............@..@.data...$9....P..N....P.............@....pdata.......0]...... U.............@..@PyRuntim.N...._..P....W.............@....rsrc.........d.......[.............@..@.reloc........d.......[.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\select.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30992
Entropy (8bit):	6.554484610649281
Encrypted:	false
SSDEEP:	384:7hhxm9tKLhuoNHfzzlvFy0ZZIJ9GckHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:tCytHf98uZIJ9Gx5YiSyvy2ES
MD5:	20831703486869B470006941B4D996F2
SHA1:	28851DFD43706542CD3EF1B88B5E2749562DFEE0
SHA-256:	78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
SHA-512:	4AAF5D66D2B73F939B9A91E7EDDFEB2CE2476C625586EF227B312230414C064AA850B02A4028363AA4664408C9510594754530A6D026A0A84BE0168D677C1BC4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).....2............................................................`..........................................@..L...<A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...p....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI69322\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\WTvNL75dCr.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	709904
Entropy (8bit):	5.861739047785334
Encrypted:	false
SSDEEP:	12288:FYGdLI/X77mvfldCKGihH32W3cnPSqrUgLIe:FYGW7qNxr3cnPXLIe
MD5:	0902D299A2A487A7B0C2D75862B13640
SHA1:	04BCBD5A11861A03A0D323A8050A677C3A88BE13
SHA-256:	2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
SHA-512:	8CBEF5A9F2D24DA1014F8F1CCBDDD997A084A0B04DD56BCB6AC38DDB636D05EF7E4EA7F67A085363AAD3F43D45413914E55BDEF14A662E80BE955E6DFC2FECA3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).B...f......P,..............................................<.....`.........................................P...X................................/..........p...T...........................0...@............`..h............................text....@.......B.................. ..`.rdata...?...`...@...F..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465585419180382
Encrypted:	false
SSDEEP:	6144:VIXfpi67eLPU9skLmb0b4rWSPKaJG8nAgejZMMhA2gX4WABl0uNBdwBCswSbt:WXD94rWlLZMM6YFHj+t
MD5:	54050E746BDFBA3D9ED5A7371F47DF1A
SHA1:	F5530D1C0D90334CAEAFACD630B8878203637289
SHA-256:	B7E3772DD7E307D07E93FE536E94DA6B10C4CF218AA47865BE286096AA594270
SHA-512:	B544B8908DDBC5D41F7ED7D755B36C57F60C1DC3024D1816937AB38FD1B3D2E7297B01C72C7A1BF30FC46D68771D9C3CDAF2DD8E23DD66C60A43652F1BAD6523
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.f...R.................................................................................................................................................................................................................................................................................................................................................<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.995839128769757
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WTvNL75dCr.exe
File size:	38'749'227 bytes
MD5:	41d0bfe78163967efad3c207926add4b
SHA1:	c9bc16bc1e3a6ec027a83b1efa0fc4c4a6234bf3
SHA256:	94b19d2d17eeb9168cb11f97d532ee65962f70a2c1249f3abfc8625c8c3193f8
SHA512:	2dc5fcbdb3f1afbc44bb0e039ee5c84be149465855d29a5a534c9b7922993f74676392ecae6a8158fc5c07711be8a44314f030df8ea01b97a90972883a7e6ccb
SSDEEP:	786432:I+gX4BMdhwzTQXR5FbPp6FcSS5U/LT2KzVyPVLBdebXMb8VH/zEa:uXGMK4XR3bLSCU/+6yPl3ebcBa
TLSH:	A7873300E5D409DEE5B22974F4F1528BD55DF0EE8B72C2EB81A002538577BC09B6EA7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n=..\.Z\.Z\.Za$.[-\.Za$.[.\.Za$.[ \.Z:..Z)\.Z:..[#\.Z:..[;\.Z:..[.\.Za$.[!\.Z\.Z.\.Zb..[3\.Zb..[+\.ZRich*\.Z........PE..d..

File Icon


Icon Hash:	4a464cd47461e179

Static PE Info

General

Entrypoint:	0x14000cdb0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x67601DF1 [Mon Dec 16 12:32:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F7D20B50E5Ch
dec eax
add esp, 28h
jmp 00007F7D20B50A7Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F7D20B51228h
test eax, eax
je 00007F7D20B50C23h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F7D20B50C07h
dec eax
cmp ecx, eax
je 00007F7D20B50C16h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007F7D20B50BF0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F7D20B50BF9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F7D20B50C09h
mov byte ptr [00035765h], 00000001h
call 00007F7D20B50355h
call 00007F7D20B51640h
test al, al
jne 00007F7D20B50C06h
xor al, al
jmp 00007F7D20B50C16h
call 00007F7D20B5E15Fh
test al, al
jne 00007F7D20B50C0Bh
xor ecx, ecx
call 00007F7D20B51650h
jmp 00007F7D20B50BECh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007F7D20B50C69h
cmp ecx, 01h
jnbe 00007F7D20B50C6Ch
call 00007F7D20B5119Eh
test eax, eax
je 00007F7D20B50C2Ah
test ebx, ebx
jne 00007F7D20B50C26h
dec eax
lea ecx, dword ptr [00035716h]
call 00007F7D20B5DF52h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca5c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0xf41c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2250	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x57000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f00	0x2a000	2a7ae207b6295492e9da088072661752	False	0.5514439174107143	data	6.487454925709845	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a50	0x12c00	47617410db689a6344095ba39379f07d	False	0.5244661458333333	data	5.752642903186749	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2250	0x2400	f5559f14427a02f0a5dbd0dd026cae54	False	0.470703125	data	5.291665041994019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0xf41c	0xf600	455788c285fcfdcb4008bc77e762818a	False	0.803099593495935	data	7.5549760623589695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x57000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x480b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x48958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x48ec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x523ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x54994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x55a3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_GROUP_ICON	0x55ea4	0x68	data	0.7019230769230769
RT_MANIFEST	0x55f0c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:20:36.980871916 CET	49733	443	192.168.2.4	104.20.22.46
Dec 19, 2024 12:20:36.980925083 CET	443	49733	104.20.22.46	192.168.2.4
Dec 19, 2024 12:20:36.981511116 CET	49733	443	192.168.2.4	104.20.22.46
Dec 19, 2024 12:20:36.982299089 CET	49733	443	192.168.2.4	104.20.22.46
Dec 19, 2024 12:20:36.982326031 CET	443	49733	104.20.22.46	192.168.2.4
Dec 19, 2024 12:20:38.217075109 CET	443	49733	104.20.22.46	192.168.2.4
Dec 19, 2024 12:20:38.217946053 CET	49733	443	192.168.2.4	104.20.22.46
Dec 19, 2024 12:20:38.217964888 CET	443	49733	104.20.22.46	192.168.2.4
Dec 19, 2024 12:20:38.219381094 CET	443	49733	104.20.22.46	192.168.2.4
Dec 19, 2024 12:20:38.219454050 CET	49733	443	192.168.2.4	104.20.22.46
Dec 19, 2024 12:20:38.221091986 CET	49733	443	192.168.2.4	104.20.22.46
Dec 19, 2024 12:20:38.221246004 CET	443	49733	104.20.22.46	192.168.2.4
Dec 19, 2024 12:20:38.221297026 CET	49733	443	192.168.2.4	104.20.22.46
Dec 19, 2024 12:20:38.221364975 CET	49733	443	192.168.2.4	104.20.22.46

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 19, 2024 12:20:36.837318897 CET	51411	53	192.168.2.4	1.1.1.1
Dec 19, 2024 12:20:36.977215052 CET	53	51411	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 19, 2024 12:20:36.837318897 CET	192.168.2.4	1.1.1.1	0xab0b	Standard query (0)	nodejs.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 19, 2024 12:20:36.977215052 CET	1.1.1.1	192.168.2.4	0xab0b	No error (0)	nodejs.org		104.20.22.46	A (IP address)	IN (0x0001)	false
Dec 19, 2024 12:20:36.977215052 CET	1.1.1.1	192.168.2.4	0xab0b	No error (0)	nodejs.org		104.20.23.46	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:20:17
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\WTvNL75dCr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\WTvNL75dCr.exe"
Imagebase:	0x7ff738f20000
File size:	38'749'227 bytes
MD5 hash:	41D0BFE78163967EFAD3C207926ADD4B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:20:23
Start date:	19/12/2024
Path:	C:\Users\user\Desktop\WTvNL75dCr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\WTvNL75dCr.exe"
Imagebase:	0x7ff738f20000
File size:	38'749'227 bytes
MD5 hash:	41D0BFE78163967EFAD3C207926ADD4B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PythonBackDoor_1, Description: Yara detected Python BackDoor, Source: 00000001.00000002.2502125804.000002B82CEB4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PythonBackDoor_1, Description: Yara detected Python BackDoor, Source: 00000001.00000003.1775945211.000002B82CEC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:20:33
Start date:	19/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff6baeb0000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:20:33
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:20:33
Start date:	19/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:20:34
Start date:	19/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Imagebase:	0x7ff745410000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:20:34
Start date:	19/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:20:34
Start date:	19/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic computersystem get manufacturer
Imagebase:	0x800000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:20:39
Start date:	19/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7092 -s 892
Imagebase:	0x7ff7396d0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	17%
Total number of Nodes:	2000
Total number of Limit Nodes:	35

Executed Functions

Function 00007FF738F289E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF738F29390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF738F245F4,00000000,00007FF738F21985), ref: 00007FF738F293C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28A56

Part of subcall function 00007FF738F3A47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F3A490

Part of subcall function 00007FF738F3871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F38783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28AE6
CreateProcessW.KERNELBASE ref: 00007FF738F28B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28B28

Part of subcall function 00007FF738F22C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF738F23706,?,00007FF738F23804), ref: 00007FF738F22C9E
Part of subcall function 00007FF738F22C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF738F23706,?,00007FF738F23804), ref: 00007FF738F22D63
Part of subcall function 00007FF738F22C50: MessageBoxW.USER32 ref: 00007FF738F22D99

RegisterClassW.USER32 ref: 00007FF738F28B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28B8B
CreateWindowExW.USER32 ref: 00007FF738F28BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28C15
PeekMessageW.USER32 ref: 00007FF738F28C39
TranslateMessage.USER32 ref: 00007FF738F28C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28C51
PeekMessageW.USER32 ref: 00007FF738F28C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28E04
GetExitCodeProcess.KERNELBASE ref: 00007FF738F28E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28E2F

Strings

Failed to create child process!, xrefs: 00007FF738F28B30
CreateProcessW, xrefs: 00007FF738F28B37
PyInstaller Onefile Hidden Window, xrefs: 00007FF738F28B95
PyInstallerOnefileHiddenWindow, xrefs: 00007FF738F28B54

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 44288299a1d7df02f8ebae119478242b9bbc5a0218942e74f48737d1877fa20f
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: F1D1F233A08A97A6EB10AF74E8506ADF760FF84758F840236DA4E43AA5DF3DD104D718

Function 00007FF738F21000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF738F23A0B, 00007FF738F23CD4, 00007FF738F23F6B
Could not create temporary directory!, xrefs: 00007FF738F23CBF
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF738F23EBB
Failed to remove temporary directory: %s, xrefs: 00007FF738F23FCF
VCRUNTIME140.dll, xrefs: 00007FF738F23DB1
pkg, xrefs: 00007FF738F239BE
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF738F23971
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF738F23D12
pyi-runtime-tmpdir, xrefs: 00007FF738F23B68
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF738F23EA6
Failed to start splash screen!, xrefs: 00007FF738F23ED4
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF738F23A17, 00007FF738F23A2F, 00007FF738F23A9B
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF738F23882, 00007FF738F238AF
Failed to convert DLL search path!, xrefs: 00007FF738F23DDC
_PYI_ARCHIVE_FILE, xrefs: 00007FF738F238D2, 00007FF738F239FF
pyi-disable-windowed-traceback, xrefs: 00007FF738F23BB2
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF738F23D35
MEI, xrefs: 00007FF738F23933
Py_GIL_DISABLED, xrefs: 00007FF738F23AF4
Failed to load splash screen resources!, xrefs: 00007FF738F23E85
_PYI_SPLASH_IPC, xrefs: 00007FF738F23A23, 00007FF738F23EF5
pyi-python-flag, xrefs: 00007FF738F23AD6
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF738F239DE
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF738F23BE8
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF738F23B32
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF738F23E0A
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF738F23C61
pyi-contents-directory, xrefs: 00007FF738F23B8D

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 9de477ae995940a39e23314e20718922418974b9c8241bfba060ee61ec72f349
Instruction ID: 9e45f98571c6f26198d0d8ef12d63a7c0c67eccb922f59906332a274ac1fa62e
Opcode Fuzzy Hash: 9de477ae995940a39e23314e20718922418974b9c8241bfba060ee61ec72f349
Instruction Fuzzy Hash: 6D329F7BA0C69B71FA15BB24D4543B9E691AF84740FC44032DA4D432E6EF3EE558E328

Function 00007FF738F45C00 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF738F45C45

Part of subcall function 00007FF738F45598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F455AC

Part of subcall function 00007FF738F3A948: RtlFreeHeap.NTDLL(?,?,?,00007FF738F42D22,?,?,?,00007FF738F42D5F,?,?,00000000,00007FF738F43225,?,?,?,00007FF738F43157), ref: 00007FF738F3A95E
Part of subcall function 00007FF738F3A948: GetLastError.KERNEL32(?,?,?,00007FF738F42D22,?,?,?,00007FF738F42D5F,?,?,00000000,00007FF738F43225,?,?,?,00007FF738F43157), ref: 00007FF738F3A968

Part of subcall function 00007FF738F3A900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF738F3A8DF,?,?,?,?,?,00007FF738F3A7CA), ref: 00007FF738F3A909
Part of subcall function 00007FF738F3A900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF738F3A8DF,?,?,?,?,?,00007FF738F3A7CA), ref: 00007FF738F3A92E

_get_daylight.LIBCMT ref: 00007FF738F45C34

Part of subcall function 00007FF738F455F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F4560C

_get_daylight.LIBCMT ref: 00007FF738F45EAA
_get_daylight.LIBCMT ref: 00007FF738F45EBB
_get_daylight.LIBCMT ref: 00007FF738F45ECC
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF738F4610C), ref: 00007FF738F45EF3

Strings

Eastern Standard Time, xrefs: 00007FF738F45F99
Eastern Summer Time, xrefs: 00007FF738F45FB1

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction ID: 03a1c221673bd757e20c345744a24230518c6f7fac8dcb5e75a9c2113d578cf0
Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction Fuzzy Hash: 30D1F533A0866366E720FF21D4419B9E361EF88794FC88136EA0D47695DF3EE441E768

Function 00007FF738F46964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF738F46698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F466D9
Part of subcall function 00007FF738F46698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F46757
Part of subcall function 00007FF738F46698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F467A8

CreateFileW.KERNELBASE ref: 00007FF738F46A6A
CreateFileW.KERNEL32 ref: 00007FF738F46ABA
GetLastError.KERNEL32 ref: 00007FF738F46AEA
GetFileType.KERNELBASE ref: 00007FF738F46AFF
GetLastError.KERNEL32 ref: 00007FF738F46B09
CloseHandle.KERNEL32 ref: 00007FF738F46B3C
CloseHandle.KERNEL32 ref: 00007FF738F46C9F
CreateFileW.KERNEL32 ref: 00007FF738F46CD4
GetLastError.KERNEL32 ref: 00007FF738F46CE3

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 922349331eae43235a3dd4efb9cc4fa0d26068352ccf433ce5660598ca27d8a2
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: ACC1DF33B28A5295EB10EFA8C4806ACB761FB49B98F850236DA1E973D5CF3ED451D314

Function 00007FF738F283C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF738F28919,00007FF738F23FA5), ref: 00007FF738F2842B
RemoveDirectoryW.KERNEL32(?,00007FF738F28919,00007FF738F23FA5), ref: 00007FF738F284AE
DeleteFileW.KERNELBASE(?,00007FF738F28919,00007FF738F23FA5), ref: 00007FF738F284CD
FindNextFileW.KERNELBASE(?,00007FF738F28919,00007FF738F23FA5), ref: 00007FF738F284DB
FindClose.KERNEL32(?,00007FF738F28919,00007FF738F23FA5), ref: 00007FF738F284EC
RemoveDirectoryW.KERNELBASE(?,00007FF738F28919,00007FF738F23FA5), ref: 00007FF738F284F5

Strings

%s\*, xrefs: 00007FF738F283F2

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction ID: b4f29409d8718f979b327219209ab2d9e2497c021b98d4b6c4086682d89626cc
Opcode Fuzzy Hash: 9215641a051a597ab69d89bbe09b444c24fb25eba6eed844fe9e008ab190e420
Instruction Fuzzy Hash: EB41D237A1C94BA2EA20BB64E4445BAE360FB94754FC40232D99E437C4EF3ED545D724

Function 00007FF738F45E7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF738F45EAA

Part of subcall function 00007FF738F455F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F4560C

_get_daylight.LIBCMT ref: 00007FF738F45EBB

Part of subcall function 00007FF738F45598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F455AC

_get_daylight.LIBCMT ref: 00007FF738F45ECC

Part of subcall function 00007FF738F455C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F455DC

Part of subcall function 00007FF738F3A948: RtlFreeHeap.NTDLL(?,?,?,00007FF738F42D22,?,?,?,00007FF738F42D5F,?,?,00000000,00007FF738F43225,?,?,?,00007FF738F43157), ref: 00007FF738F3A95E
Part of subcall function 00007FF738F3A948: GetLastError.KERNEL32(?,?,?,00007FF738F42D22,?,?,?,00007FF738F42D5F,?,?,00000000,00007FF738F43225,?,?,?,00007FF738F43157), ref: 00007FF738F3A968

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF738F4610C), ref: 00007FF738F45EF3

Strings

Eastern Standard Time, xrefs: 00007FF738F45F99
Eastern Summer Time, xrefs: 00007FF738F45FB1

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction ID: ba07474ad02e6a3cd4b36207a68137b8907483b363bd2541a9a6b24f420e825b
Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction Fuzzy Hash: 3D519533A0865366E710FF25D4819B9E760FB88784FC44236EA4D47695DF3EE4409768

Function 00007FF738F29280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF738F292B3
FindClose.KERNELBASE ref: 00007FF738F292C2

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 15731cb5969d890675e039b319559d1d655f038426d19a47c31c91ebdb284ac7
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: F0F0C837A1874786F7609F64B489B66F350AB84368F840339D9AE03AD4DF3DE048DA18

Function 00007FF738F408C8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction ID: 2b0957c3ddad9158dab476256c6182d394eb5c721de08b679e71743f1aab18d0
Opcode Fuzzy Hash: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction Fuzzy Hash: 2D020733B1D667A2FA95BB219400679E690AF81BA0FD84636DD5D473C1DE7FE400B328

Function 00007FF738F21950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF738F27F90: _fread_nolock.LIBCMT ref: 00007FF738F2803A

_fread_nolock.LIBCMT ref: 00007FF738F21A1B

Part of subcall function 00007FF738F22910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF738F21B6A), ref: 00007FF738F2295E

Strings

Could not allocate buffer for TOC!, xrefs: 00007FF738F21B1B
malloc, xrefs: 00007FF738F21B22
Failed to seek to cookie position!, xrefs: 00007FF738F219EE
Could not read full TOC!, xrefs: 00007FF738F21B55
calloc, xrefs: 00007FF738F21A68
MEI, xrefs: 00007FF738F21991
fseek, xrefs: 00007FF738F219F5
Could not allocate memory for archive structure!, xrefs: 00007FF738F21A61
Error on file., xrefs: 00007FF738F21B8D
Failed to read cookie!, xrefs: 00007FF738F21A2B
fread, xrefs: 00007FF738F21A32, 00007FF738F21B5C

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 85af813c0b0c69426d4f81882584102d3122cb9bfe94396efcbe029e9c31af02
Instruction ID: 07528ba61522d78cabeee0b1229039844d400db3f7af72b8c1542f3cce8a63e4
Opcode Fuzzy Hash: 85af813c0b0c69426d4f81882584102d3122cb9bfe94396efcbe029e9c31af02
Instruction Fuzzy Hash: 12819577A0868BA6EB20FB24D0406F9E3A0EF44744FC44432D98D47786DE7EE585A76C

Function 00007FF738F21600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

malloc, xrefs: 00007FF738F21749
fopen, xrefs: 00007FF738F21663
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF738F21742
fwrite, xrefs: 00007FF738F217D1
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF738F217DF
fseek, xrefs: 00007FF738F216E1
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF738F216DA
Failed to extract %s: failed to open archive file!, xrefs: 00007FF738F216A2
fread, xrefs: 00007FF738F217E6
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF738F217CA
Failed to create symbolic link %s!, xrefs: 00007FF738F21622
Failed to extract %s: failed to open target file!, xrefs: 00007FF738F2165C

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: e3191d3c1863fdc148b865684561a8a90bf1fbfb0db1f2a60b60e414af9c3315
Instruction ID: c44cf28f2b035e1f3afedab0969cfe087bad5300e6ce59559ebb58b6f87eb983
Opcode Fuzzy Hash: e3191d3c1863fdc148b865684561a8a90bf1fbfb0db1f2a60b60e414af9c3315
Instruction Fuzzy Hash: 8651AF37A08A4BA2EA10BB61D4405A9E350BF90794FD84532ED4C077D6EE3EF585A72C

Function 00007FF738F28660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF738F23CBB), ref: 00007FF738F28704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF738F23CBB), ref: 00007FF738F2870A
CreateDirectoryW.KERNELBASE(?,00000000,00007FF738F23CBB), ref: 00007FF738F2874C

Part of subcall function 00007FF738F28830: GetEnvironmentVariableW.KERNEL32(00007FF738F2388E), ref: 00007FF738F28867
Part of subcall function 00007FF738F28830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF738F28889

Part of subcall function 00007FF738F38238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F38251

Part of subcall function 00007FF738F22810: MessageBoxW.USER32 ref: 00007FF738F228EA

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF738F286DC
TMP, xrefs: 00007FF738F286C2
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF738F2877E
_MEI%d, xrefs: 00007FF738F28712
TMP, xrefs: 00007FF738F2869C, 00007FF738F287A3

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction ID: ff2c2ca850eb679c491bef6f42f8d1067989eeab594e961febd8ac6969977211
Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction Fuzzy Hash: B441B237B29A4761FA10BB2598516F9D290AF947C0FD84032ED0D477DADE7FE501A328

Function 00007FF738F21210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF738F212EF
malloc, xrefs: 00007FF738F212C1, 00007FF738F212F6
1.3.1, xrefs: 00007FF738F21249
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF738F21276
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF738F212BA
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF738F2141E

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: edbc7fc629fea5b907d296325bff14fa59ab7a9c376bf005d102d457c092301b
Instruction ID: 56c7474e29a3d9bc4e605baca1331d25a188b616b6b1e3013b7008664b980311
Opcode Fuzzy Hash: edbc7fc629fea5b907d296325bff14fa59ab7a9c376bf005d102d457c092301b
Instruction Fuzzy Hash: F2510637A0864BA1EA20BB21E4003BAE291FF85794FD84131ED4D477C5EE3EE541E728

Function 00007FF738F3ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF738F3F0AA,?,?,-00000018,00007FF738F3AD53,?,?,?,00007FF738F3AC4A,?,?,?,00007FF738F35F3E), ref: 00007FF738F3EE8C
GetProcAddress.KERNEL32(?,?,?,00007FF738F3F0AA,?,?,-00000018,00007FF738F3AD53,?,?,?,00007FF738F3AC4A,?,?,?,00007FF738F35F3E), ref: 00007FF738F3EE98

Strings

ext-ms-, xrefs: 00007FF738F3EDE9
api-ms-, xrefs: 00007FF738F3EDD6

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 8bdd2dff276b710308340de98d7aaca558b0da3bb2178a68ad3370839e4ecf24
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: 3C411233B09A13A1FE16EB16E800575E291BF48B94FC94139DC1D57B84EF7FE485A228

Function 00007FF738F236B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF738F23804), ref: 00007FF738F236E1
GetLastError.KERNEL32(?,00007FF738F23804), ref: 00007FF738F236EB

Part of subcall function 00007FF738F22C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF738F23706,?,00007FF738F23804), ref: 00007FF738F22C9E
Part of subcall function 00007FF738F22C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF738F23706,?,00007FF738F23804), ref: 00007FF738F22D63
Part of subcall function 00007FF738F22C50: MessageBoxW.USER32 ref: 00007FF738F22D99

Strings

\\?\, xrefs: 00007FF738F2375A
Failed to resolve full path to executable %ls., xrefs: 00007FF738F23739
Failed to convert executable path to UTF-8., xrefs: 00007FF738F23790
Failed to obtain executable path., xrefs: 00007FF738F236F3
GetModuleFileNameW, xrefs: 00007FF738F236FA

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: bd2df174826c20d484526a25798eb75a2c90875519feb411b35457336b573fa8
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: A02191B7B1C64761FA20B724E8003B6E250BF88398FC04232D65D875E5EE3EE504E328

Function 00007FF738F3BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F3BE89

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction ID: 58262f9088fdbdeffb42c0e59f77c7e96ece93bda2c71434d73852daf1ee974e
Opcode Fuzzy Hash: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction Fuzzy Hash: 5BC1B233A0CA87A1E760AB15D4502BDFB50FB91B80FD94131EA4D43791CEBFE585A728

Function 00007FF738F28570 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF738F28590
OpenProcessToken.ADVAPI32 ref: 00007FF738F285A3
GetTokenInformation.KERNELBASE ref: 00007FF738F285C8
GetLastError.KERNEL32 ref: 00007FF738F285D2
GetTokenInformation.KERNELBASE ref: 00007FF738F28612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF738F2862E
CloseHandle.KERNELBASE ref: 00007FF738F28646

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction ID: 180d1522c9da61ccbe4b9b54c40b046d2f413801deddc9d853e22fd112804a01
Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction Fuzzy Hash: 8C21C332A0C64752EB10AB65F44022AE7A0EFC17A0F980231EA6D43AE9DE7ED8059714

Function 00007FF738F290E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF738F28570: GetCurrentProcess.KERNEL32 ref: 00007FF738F28590
Part of subcall function 00007FF738F28570: OpenProcessToken.ADVAPI32 ref: 00007FF738F285A3
Part of subcall function 00007FF738F28570: GetTokenInformation.KERNELBASE ref: 00007FF738F285C8
Part of subcall function 00007FF738F28570: GetLastError.KERNEL32 ref: 00007FF738F285D2
Part of subcall function 00007FF738F28570: GetTokenInformation.KERNELBASE ref: 00007FF738F28612
Part of subcall function 00007FF738F28570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF738F2862E
Part of subcall function 00007FF738F28570: CloseHandle.KERNELBASE ref: 00007FF738F28646

LocalFree.KERNEL32(?,00007FF738F23C55), ref: 00007FF738F2916C
LocalFree.KERNEL32(?,00007FF738F23C55), ref: 00007FF738F29175

Strings

D:(A;;FA;;;%s), xrefs: 00007FF738F29157
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF738F29142
S-1-3-4, xrefs: 00007FF738F29121
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF738F29183

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 5ed7a9ba3e6ce910408607b93085540bd422a8d0f9e00f9f84049ca226c14b37
Instruction ID: 1d4ba8ff92c589727fa4d50a984b46aa20b1cd614e85ab1dce3308fc7ff9a160
Opcode Fuzzy Hash: 5ed7a9ba3e6ce910408607b93085540bd422a8d0f9e00f9f84049ca226c14b37
Instruction Fuzzy Hash: 5B216D36A08A47A1F610BB20E4157EAF260FF88780FC44032EA4D53796DF3ED904A7A4

Function 00007FF738F27E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,?,00007FF738F2352C,?,00000000,00007FF738F23F23), ref: 00007FF738F27F32

Strings

%s%c, xrefs: 00007FF738F27EA4
%.*s, xrefs: 00007FF738F27EEB
\, xrefs: 00007FF738F27E97

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction ID: 9c4a10158d1c765f6970c0ae1aae52af52fbebd8039c81bb8cd0e7798be0c378
Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction Fuzzy Hash: 27311636619ACB65EA21AB20E4107EAE364EF84BE0F840231EE6D437C9DF3DD2419714

Function 00007FF738F3CF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF738F3CF4B), ref: 00007FF738F3D07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF738F3CF4B), ref: 00007FF738F3D107

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: ef2470f56dec4b378a60f2e0807190415d9afeb159b500084fbc6c2947a413fe
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: 8791BE73E08653A5F761BF65D4406BDEAA0AF40B88F944139DE0E62685CEBBD442E324

Function 00007FF738F3F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF738F3FA7C
_get_daylight.LIBCMT ref: 00007FF738F3FA8D
_get_daylight.LIBCMT ref: 00007FF738F3FA9E
_isindst.LIBCMT ref: 00007FF738F3FB69

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 869c8f3e0f42a4c788def9c2c32fcf80846c62ac4e22d9a70d52b78e01a304bd
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: A85111B3F04213ABEB14EF64C9516BCE7A1EF44368F900235DD1E52AE4DF3EA4069614

Function 00007FF738F3577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF738F357AF
GetFileInformationByHandle.KERNELBASE ref: 00007FF738F35811
GetLastError.KERNEL32 ref: 00007FF738F358A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF738F356B4), ref: 00007FF738F358EE

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction ID: eb8e58d22a2589d81102b25acacbb48b4bd2ec353e08f00b52301377d7696e54
Opcode Fuzzy Hash: 601044899bb77d1db34704472f686b9691880a3163deed0eb7e9945e8072c835
Instruction Fuzzy Hash: C6517B33E087429AFB10EFB1D4503BDA7A1AF88B58FA44435DE0D5B689DF7AD4409328

Function 00007FF738F35628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F35655
CreateFileW.KERNELBASE ref: 00007FF738F35694
CloseHandle.KERNEL32 ref: 00007FF738F356C9

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction ID: dcfb24fc1188e79118681696eb59df9a1872d4ebfaf42fd51b0f884711c04bc0
Opcode Fuzzy Hash: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction Fuzzy Hash: A1419373D1878293E711AB60D510379F260FBA83A4F508335E65D03AD2EFBEA1E09724

Function 00007FF738F2CC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF738F2CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF738F2CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF738F2CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF738F2CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF738F2CD21

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: d71f749ddbaf8198ce70ef85a57da66230fc8d09b6933862c7d5639418a13a60
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: 5931693BE4854B61FA24BB61D4123B9D281AF42384FC44135DA0E472E3DE7FA904A33D

Function 00007FF738F39A30 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF738F39A2C), ref: 00007FF738F39A41
TerminateProcess.KERNEL32(?,?,?,00007FF738F39A2C), ref: 00007FF738F39A4C
ExitProcess.KERNEL32 ref: 00007FF738F39A5B

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction ID: bc9087224e475139a802532b99511eddfb8b6d633af2ab2f0999381893c11687
Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction Fuzzy Hash: BED09E32B0871762EF143BB19C55478D2556F8AB41F981539C85B07393DD7FA8496328

Function 00007FF738F3013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F30180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F30277

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 88395bd8ba7a731f1a301eaad00115ce10adbeccdee895d49b30fc4f2db690bb
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 1551FC33B09643A7F725B926D40067AE181AFC4BA4F984736DDAD037D5CEBFD400A628

Function 00007FF738F3C134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF738F3C2CD), ref: 00007FF738F3C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF738F3C2CD), ref: 00007FF738F3C18A

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: 711803ea283884ec88119c0f339c1b0bba4650d47107aa920eadbf010ec91a92
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: CA110133708A8291DA20AB25F800069F361AB41FF4F944331EEBD0B7E9CEBED0509704

Function 00007FF738F35924 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF738F35839), ref: 00007FF738F35957
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF738F35839), ref: 00007FF738F3596D

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction ID: 5b697849008a53384c2cb7213d3bbbf7b81db17677e21ed1fea36647c2418ac7
Opcode Fuzzy Hash: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction Fuzzy Hash: 1111917360C65392EB54AB55E41113AF760FB88771F900236FA9E819D8EF7ED014EB24

Function 00007FF738F3A948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF738F42D22,?,?,?,00007FF738F42D5F,?,?,00000000,00007FF738F43225,?,?,?,00007FF738F43157), ref: 00007FF738F3A95E
GetLastError.KERNEL32(?,?,?,00007FF738F42D22,?,?,?,00007FF738F42D5F,?,?,00000000,00007FF738F43225,?,?,?,00007FF738F43157), ref: 00007FF738F3A968

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: 70aad2d83dde128ea147236792df7a073b20d9deda51a838c0189c56a25cbb2c
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: 01E04F32E09A0362FE147BF2A445138D2505F98740FC80131C80D53292DD7FA981A338

Function 00007FF738F3AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF738F3A9D5,?,?,00000000,00007FF738F3AA8A), ref: 00007FF738F3ABC6
GetLastError.KERNEL32(?,?,?,00007FF738F3A9D5,?,?,00000000,00007FF738F3AA8A), ref: 00007FF738F3ABD0

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 769b255ecbe459c0e14236d6c2c919449c9ac0d7c433d967da16c3ff216125d9
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: B6219233B18A8361EA94B762D49427DD6829F84790F984339D92E477D2CEFFE4416228

Function 00007FF738F3BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F3BED4

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 1bc8ad72b154e176ac18673e3a25f4956179e24884866d7dea2537584989ee5b
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: F541E33390864397EA34AA69E450279F3A0EB55780F901235D6DE436D1CFBFE442EB78

Function 00007FF738F27F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF738F2803A

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 10e7562e960f8d99c449f474851a74073af959b335e7b5ea493964aac480507e
Instruction ID: d11191be54cbad0439c7d4ccaaf9d39f980c513c2e7d4d35d42838649350fd61
Opcode Fuzzy Hash: 10e7562e960f8d99c449f474851a74073af959b335e7b5ea493964aac480507e
Instruction Fuzzy Hash: EE219136B2869766EA10FA22A9047BAD641FF45BD4FCC4431EE4C0B786DE7EE041D218

Function 00007FF738F3B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F3B9C2

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction ID: d2fa4baa749bb5bc2b0107c056e396c560131cef33c48b89d66920b0ae5bf8a2
Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction Fuzzy Hash: C6317E33A18A03A5E6117B65C85137CEA90AF90B94FD10235E91D073D2CEFFE581A739

Function 00007FF738F39961 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF738F3998F

Part of subcall function 00007FF738F39A88: GetModuleHandleExW.KERNEL32 ref: 00007FF738F39AAD
Part of subcall function 00007FF738F39A88: GetProcAddress.KERNEL32 ref: 00007FF738F39AC3
Part of subcall function 00007FF738F39A88: FreeLibrary.KERNEL32 ref: 00007FF738F39AEA

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction ID: 65e56f81bb4c75c02e290702ab0eb13d22bb3dfb483f0da3021af3b600712309
Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction Fuzzy Hash: 5D21DE73B057469AEB20AF68C4802ECB3A0FB05318F84163AD76C06AC5DFBAD484D764

Function 00007FF738F35F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F35EF9

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 79038e875514f9cdd536339b77c8c5271c95976f3cb4d5acb5900c8f248480e2
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: D1118E33A1864392EA61BF11D40117DE260AF99B80F940531EA4C57A96CFBFD5406728

Function 00007FF738F46354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F46377

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: 38cad8023dac211abce81c593c8904694ccf4bc6694eb0e81c8bdd3860a08e36
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 1D210433A08A8396EB60AF28D040779F2A0FB84B54FA84235E75D877D9DF3ED4109B14

Function 00007FF738F303BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F30410

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 82df270d589525c844fc34f34cca9effe624a490f2e38a173eec6e405afd5aad
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 31018232A0874291E504AB52D901069E691BFD5FE0F884632DEAC13BD6CE7FD5216318

Function 00007FF738F37EFC Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F37F3A

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb4e03bbc0b04cbc85d5aa4284f536322b5632f0a5d263bd1b62b358e696f9c3
Instruction ID: 169e1a08627966a13e125c844a5008f228cca8b73f7a307553aaeb1607152b54
Opcode Fuzzy Hash: eb4e03bbc0b04cbc85d5aa4284f536322b5632f0a5d263bd1b62b358e696f9c3
Instruction Fuzzy Hash: 7601AD32E1DA8BA1FA507B32E540179D190BF417D0FD44235EA1C426C6DFBFE440AA78

Function 00007FF738F38238 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F38251

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: 92f2f4073788916172fb46fabe5865219aea4c069cd3e3d896164ca12156e16b
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 92E08C72E2CA07A7FA113AB4C482178D0204FA5340FD40130ED08162C3DDFFA8447639

Function 00007FF738F3EB98 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF738F3B32A,?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A), ref: 00007FF738F3EBED

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction ID: c8372327ea084f49f257af84204c12bc627ee86b582ecc91d7330e305014e960
Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction Fuzzy Hash: 13F0AF36B09203B0FE5A7665C8112B4D2805F88B84FCC4130C90F867C2DEBFE4816238

Function 00007FF738F3D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF738F30C90,?,?,?,00007FF738F322FA,?,?,?,?,?,00007FF738F33AE9), ref: 00007FF738F3D63A

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 9604fff59c656e14cc964c20ef692bd21e2e61ac591c3871c229c4c7624c8758
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: D9F05E32F0820761FE5437729801674D1A04FC47A0FC80730EC3E462C2EEBFA580A638

Non-executed Functions

Function 00007FF738F276C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF738F276D7
GetLastError.KERNEL32 ref: 00007FF738F276E9
GetProcAddress.KERNEL32 ref: 00007FF738F27725
GetLastError.KERNEL32 ref: 00007FF738F27737
GetProcAddress.KERNEL32 ref: 00007FF738F27750
GetLastError.KERNEL32 ref: 00007FF738F27762
GetProcAddress.KERNEL32 ref: 00007FF738F2777B
GetLastError.KERNEL32 ref: 00007FF738F2778D
GetProcAddress.KERNEL32 ref: 00007FF738F277A9
GetLastError.KERNEL32 ref: 00007FF738F277BB
GetProcAddress.KERNEL32 ref: 00007FF738F277D7
GetLastError.KERNEL32 ref: 00007FF738F277E9
GetProcAddress.KERNEL32 ref: 00007FF738F27805
GetLastError.KERNEL32 ref: 00007FF738F27817
GetProcAddress.KERNEL32 ref: 00007FF738F27833
GetLastError.KERNEL32 ref: 00007FF738F27845
GetProcAddress.KERNEL32 ref: 00007FF738F27861
GetLastError.KERNEL32 ref: 00007FF738F27873

Strings

Tcl_ThreadQueueEvent, xrefs: 00007FF738F279C7, 00007FF738F279E9
Tk_Init, xrefs: 00007FF738F27C79, 00007FF738F27C9B
Tcl_GetCurrentThread, xrefs: 00007FF738F27857, 00007FF738F27879
Tcl_ConditionWait, xrefs: 00007FF738F27999, 00007FF738F279BB
Tcl_CreateObjCommand, xrefs: 00007FF738F27A7F, 00007FF738F27AA1
Tcl_GetString, xrefs: 00007FF738F27AAD, 00007FF738F27ACF
Tcl_Alloc, xrefs: 00007FF738F27C1D, 00007FF738F27C3F
Tcl_EvalFile, xrefs: 00007FF738F27B93, 00007FF738F27BB5
Tcl_MutexFinalize, xrefs: 00007FF738F2790F, 00007FF738F27931
Tcl_EvalEx, xrefs: 00007FF738F27BC1, 00007FF738F27BE3
Tcl_Free, xrefs: 00007FF738F27C4B, 00007FF738F27C6D
Tcl_JoinThread, xrefs: 00007FF738F27885, 00007FF738F278A7
Tcl_GetVar2, xrefs: 00007FF738F27A23, 00007FF738F27A45
Tcl_FinalizeThread, xrefs: 00007FF738F277CD, 00007FF738F277EF
Tcl_NewStringObj, xrefs: 00007FF738F27ADB, 00007FF738F27AFD
Tcl_DeleteInterp, xrefs: 00007FF738F277FB, 00007FF738F2781D
Tcl_Finalize, xrefs: 00007FF738F2779F, 00007FF738F277C1
Tcl_ThreadAlert, xrefs: 00007FF738F279F5, 00007FF738F27A17
Tcl_CreateInterp, xrefs: 00007FF738F2771B, 00007FF738F2773D
Tcl_ConditionNotify, xrefs: 00007FF738F2796B, 00007FF738F2798D
Tk_GetNumMainWindows, xrefs: 00007FF738F27CA7, 00007FF738F27CC9
Tcl_MutexUnlock, xrefs: 00007FF738F278E1, 00007FF738F27903
Tcl_FindExecutable, xrefs: 00007FF738F27746, 00007FF738F27768
Tcl_NewByteArrayObj, xrefs: 00007FF738F27B09, 00007FF738F27B2B
Tcl_SetVar2Ex, xrefs: 00007FF738F27B37, 00007FF738F27B59
Tcl_CreateThread, xrefs: 00007FF738F27829, 00007FF738F2784B
Tcl_ConditionFinalize, xrefs: 00007FF738F2793D, 00007FF738F2795F
Tcl_EvalObjv, xrefs: 00007FF738F27BEF, 00007FF738F27C11
Tcl_SetVar2, xrefs: 00007FF738F27A51, 00007FF738F27A73
Failed to get address for %hs, xrefs: 00007FF738F276F8
Tcl_GetObjResult, xrefs: 00007FF738F27B65, 00007FF738F27B87
GetProcAddress, xrefs: 00007FF738F276FF
Tcl_MutexLock, xrefs: 00007FF738F278B3, 00007FF738F278D5
Tcl_Init, xrefs: 00007FF738F276D0, 00007FF738F276EF
Tcl_DoOneEvent, xrefs: 00007FF738F27771, 00007FF738F27793

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: 8425bd88a58a7f1c188df1c8deca02dfd1be4f0cd7ec8683cd9ace5107ba4a45
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: C802C636A0DB1BB1FA54BB69B810974E260AF04756FC90132C46E03261FF7EB149B238

Function 00007FF738F440AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF738F440FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F44766
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F448DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F44B9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F44DBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F44FF7
memcpy_s.LIBCPMT ref: 00007FF738F450D2
memcpy_s.LIBCPMT ref: 00007FF738F4517D
memcpy_s.LIBCPMT ref: 00007FF738F4524C

Strings

1#QNAN, xrefs: 00007FF738F44213
1#INF, xrefs: 00007FF738F44223
1#SNAN, xrefs: 00007FF738F4420A
1#IND, xrefs: 00007FF738F441E7

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction ID: 7594715e970dfe2d8e30be590bfbbdb17e70c4f4f43f56228063bcb7ddaf5eab
Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction Fuzzy Hash: 94B23973A196A39BE7249F24D440BFCF3A1FB54344F981136DA0D67A84DF3AA600DB54

Function 00007FF738F2ACAD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid code -- missing end-of-block, xrefs: 00007FF738F2B0C6
invalid distance too far back, xrefs: 00007FF738F2B670
invalid distance code, xrefs: 00007FF738F2B5B4
invalid distances set, xrefs: 00007FF738F2B1A0
invalid code lengths set, xrefs: 00007FF738F2AE2D
too many length or distance symbols, xrefs: 00007FF738F2AE46
invalid bit length repeat, xrefs: 00007FF738F2B099
invalid literal/lengths set, xrefs: 00007FF738F2B133
invalid literal/length code, xrefs: 00007FF738F2B3E2

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction ID: 65c93f921673a4764d3a8181fe193dfcc500f349666bef4007c98fcbd00b822a
Opcode Fuzzy Hash: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction Fuzzy Hash: F6523777A146AB9BD7A49F14C458B7DBBA9FB44340F914238EA4A837C0DB3ED800DB14

Function 00007FF738F2D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF738F2D148
RtlCaptureContext.KERNEL32 ref: 00007FF738F2D175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF738F2D18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF738F2D1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF738F2D224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF738F2D241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF738F2D24C

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 2103c09f497c455b3a4b1c348f7f3053c70119c9be4a8e9dc5951837325b91a7
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: 51315277608B8696EB60AF60E8407EDB360FB84704F84403ADA4D47B95DF3DD648D724

Function 00007FF738F3A614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF738F3A68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF738F3A6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF738F3A6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF738F3A719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF738F3A723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF738F3A72E

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: ee6cc4c0c318b56388eb83ee1edd329da2d6828c338906e5b740e5ef2032fb21
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: EB319337608F8296EB20DF25E8406AEB3A4FB88754F940236EA9D43B55DF3DC145DB14

Function 00007FF738F41874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F418C0
FindFirstFileExW.KERNEL32 ref: 00007FF738F419CA

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction ID: 06f65fe2ab08ccbabbb65d0b3cfc5a461af4bc1d05d040974086f7e8569e1fc1
Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction Fuzzy Hash: E9B1E533B186A351EA60FB23D5009B9E390EB44BE4F984132DE5D47B85EE7EE485D318

Function 00007FF738F2D010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF738F2D03C
GetCurrentThreadId.KERNEL32 ref: 00007FF738F2D04A
GetCurrentProcessId.KERNEL32 ref: 00007FF738F2D056
QueryPerformanceCounter.KERNEL32 ref: 00007FF738F2D066

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: f8d4e360ef513501079096dfe83e19eee2608d1d7915984777f6d7e3654e3baa
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: 3E114C32B14F069AEB00EFB0E8542A9B3A4FB59758F840E31DA2D47BA4DF38D1588354

Function 00007FF738F43C10 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF738F43C76
memcpy_s.LIBCPMT ref: 00007FF738F43CA1

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: 59dc4074e6cca6b74c4b569704ecc7b53d179bda17457d258fa9a9ae3813f147
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: A3C13573B1969687E724DF19A044E6AF7A1F798B84F888136DB4E53744DB3EE900CB04

Function 00007FF738F2A474 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

unknown header flags set, xrefs: 00007FF738F2A4C5
header crc mismatch, xrefs: 00007FF738F2A921
, xrefs: 00007FF738F2A55B

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction ID: a797c9f0a765c428d7d67d57696994cc9d06c42735b1201da3241a208e8a0e90
Opcode Fuzzy Hash: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction Fuzzy Hash: DDF1C577A083CA9BE7A5AF14C088B3AFAA9FF44744F654638DA4907390DB3DE440D754

Function 00007FF738F49728 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF738F49977
RaiseException.KERNEL32 ref: 00007FF738F49988

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction ID: 04f6a9d55a10d5ec1009cd8b1e95fb0d2531afd6ef4705dc992e57daca727391
Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction Fuzzy Hash: 5EB17E73704B9A8BEB15CF29C84676CB7A0F784B48F588922DA5D837B4CB3AD451C714

Function 00007FF738F339A4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF738F33B12
, xrefs: 00007FF738F33D54

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction ID: 2e7aaf794671ee2c87219cc8b76ae0c4e1bc347c670cada644bd235553bf3eb5
Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction Fuzzy Hash: 35E1C537A08647A1EB68EE25E450139F3A0FF84B48F984135DA4E47794DF7BE851E328

Function 00007FF738F2A2DB Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF738F2A442
incorrect header check, xrefs: 00007FF738F2A45B

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction ID: ef1a57daa9968c705997eceaee47c92db7e3ee06a8315fefb269e6ddd98672ac
Opcode Fuzzy Hash: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction Fuzzy Hash: 8191B877A182CB9BE7A49B14C448B7EFAA9FF44350F514239DA4A467C0CB3AE940DB14

Function 00007FF738F3DEF0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF738F3DFFD
gfff, xrefs: 00007FF738F3E07A

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction ID: 50365e8009ed85ef4aa7e6c09240ca082369a8a3dceac020e8c22de34d27a468
Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction Fuzzy Hash: FD516773B186C296E725AE35D840769FB91EB44B94F888231CB9847AD5CEBFD4048714

Function 00007FF738F3DA5C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF738F3DD9E

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: c98fbd4541d49d07b989b2aba78ae5aa091536cfabe2d26011aeba60d8fae766
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: AAA14373A0878A96EB21EF25E4007AAFB91AF50BC4F448132DE8D47785DABFD501D720

Function 00007FF738F38794 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF738F387B3

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction ID: e459606f83da4c73cee008795b710cbd909448d168b9c302f46f18e443609dac
Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction Fuzzy Hash: 9851C333F2970361FA64BA27D5011BAD2906F44BD4FD84135DE0E57786EEBFE441A228

Function 00007FF738F43480 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF738F43484

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction ID: 5896916c240379f3bd1fa39a51a73e0902cccfdd816a07e49fc5e1156a236b67
Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction Fuzzy Hash: DEB09231E07A03E2EA093B616C82618A2A47F88700FD80239C10C41330DE3D21E56734

Function 00007FF738F335A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction ID: 4b38fa06bd7f2169ed23528c705c286a8ee4aed8cfa9146ea1eff3c72fd6426b
Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction Fuzzy Hash: AFD1D673A0864395EB28EE25E10063DE790AB85B48F980235CD0D07795DFBFE945E768

Function 00007FF738F29800 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction ID: 2ce01308513c136e21063cd7e584032392ddd7fd00a33a1e4c1dd3e6c07351fb
Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction Fuzzy Hash: F1C19E772181E18BD289EB29E4694BA73D1F78930DBD5406BEF8747785C63CA414DB20

Function 00007FF738F32C10 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction ID: f566f27f64fcb501867b714db6951db41af6df17ef1721eec7a42c85f423a2be
Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction Fuzzy Hash: 35B17C73A08B4695E7649F39C05023CFBA0E749B49FA44135CA4E47399CFBBD481E768

Function 00007FF738F3E570 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction ID: 3c84c2bb43ea435406daace53546cbc814c8bca7ea0ce65b40df2ae9e010a667
Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction Fuzzy Hash: 8F811273A1838296EB74EB19D04036AFA91FF45798F904235DA8D43F89DE7FE5009B14

Function 00007FF738F46418 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 403f67b08c5d8b9127b9d27d37b93e2a1e0a746a19683c5483168a42cc689f1f
Instruction ID: b7664158402d9c9f4bb4f6b264aee518860f57bbc78a09a6c7cf1383545e72fe
Opcode Fuzzy Hash: 403f67b08c5d8b9127b9d27d37b93e2a1e0a746a19683c5483168a42cc689f1f
Instruction Fuzzy Hash: 6361FE33F0826366FB64A6789450A7DD580AF40760F9C423BD61E477D5EE7FE840A724

Function 00007FF738F31944 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 035e84be24d96d1a433bfe3ec99d28b2789e241b891e4ad515443c5b88c028fe
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: 8C51B837A1965392EB24AB29C040238F7A0EB48F58F644131DE8D577A4CF7BE883D754

Function 00007FF738F32164 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 80913278325b05cbd08fe7a399dd61377ec66fe897ee38265cbef39fc1994845
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 1051B037A18A5292E725AB39C440238F3A0FB54B69F744131CE8C17794CBBBE843E764

Function 00007FF738F31D54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 0edd889440ce9582654c2fe834786c94c88a2c9358c8ce1384f7d610024cd679
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 6F518437A1865796E724AB29C040238F3A0EB49B58F644131EE4D17794CFBBE8D3D764

Function 00007FF738F31B50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 465dc484bcd0a9dd820d43b9c72c85fd1918f7970ab1d0158966fc581acb0dfc
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: E751E433A18652A2E724AF28C040278F7A4EB45B98F644131EE4C57794DFBBE893D758

Function 00007FF738F31740 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: 2297a085fa4426b4c3b78a12c114f3a8e5ae498365ee49a8638f6f53c2a7c20d
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: EF51B437A1875296E724AB29C040238F7A1EB44B58FB84131DE4C17794CF7BE893D758

Function 00007FF738F31F60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: f21eb118af6157dec7f4397a2be25ac2f141b5a003980bdf06fd1918fdd34c03
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: 6751C577A1865691E724AB39C04023CF7A0EB48B58F644131DE4C177A9CFBBE893E754

Function 00007FF738F35D30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: d48135a5e0dd85c372b0cad8b8eb0ea55da7e57e29bdb0fbbb1f1597583f02e3
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: 7641E6B3C0D79B15E9AB991C84086B4E7809F9A7A0DD812B4CD9D173C3CD7F6587E124

Function 00007FF738F39EA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction ID: 974a60ddbc590c9d5eb8444d2450a376e481b9184a2434198bf9b8014caa55e4
Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction Fuzzy Hash: 7C41FD73714E5682EF04DF2AD914569E3A1BB48FC0F889132EE0D97B58DE3EC0429308

Function 00007FF738F380E4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: f2b346adf595781c45419db18023c4dcf85f197cd8019d5429bd5671ba981752
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 9D31E333728B4342E665BB21A44012DEAD4ABC4B90F584239EA4D53BD5DF7ED0019718

Function 00007FF738F49570 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction ID: c640abc961d443c177cb96e5f6ef47363cf9e608e8567495f0a1c7e849bd919f
Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction Fuzzy Hash: C1F06872B182979BDB989F69A403629B7E0F7483C0F90913DD58D83B14DA3DD0519F18

Function 00007FF738F2D30C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction ID: 5495a744e8b2098d5efaf9aa6647e5a865007b0a7cf9c09a63b8db668875ba91
Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction Fuzzy Hash: 59A0013690C81FE0E645AB50E894425E220BB54300FD40032E00D521A59E3EA914A328

Function 00007FF738F25830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F25840
GetLastError.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F25852
GetProcAddress.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F25889
GetLastError.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F2589B
GetProcAddress.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F258B4
GetLastError.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F258C6
GetProcAddress.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F258DF
GetLastError.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F258F1
GetProcAddress.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F2590D
GetLastError.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F2591F
GetProcAddress.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F2593B
GetLastError.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F2594D
GetProcAddress.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F25969
GetLastError.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F2597B
GetProcAddress.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F25997
GetLastError.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F259A9
GetProcAddress.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F259C5
GetLastError.KERNEL32(?,00007FF738F264CF,?,00007FF738F2336E), ref: 00007FF738F259D7

Strings

Py_IsInitialized, xrefs: 00007FF738F25931, 00007FF738F25953
PyConfig_InitIsolatedConfig, xrefs: 00007FF738F259BB, 00007FF738F259DD
PyImport_AddModule, xrefs: 00007FF738F25BE3, 00007FF738F25C05
PyImport_ImportModule, xrefs: 00007FF738F25C3F, 00007FF738F25C61
PyConfig_SetString, xrefs: 00007FF738F25A45, 00007FF738F25A67
PyErr_Fetch, xrefs: 00007FF738F25ACF, 00007FF738F25AF1
PyEval_EvalCode, xrefs: 00007FF738F25BB5, 00007FF738F25BD7
PyUnicode_FromFormat, xrefs: 00007FF738F25F4D, 00007FF738F25F6F
PyConfig_Read, xrefs: 00007FF738F259E9, 00007FF738F25A0B
PyMem_RawFree, xrefs: 00007FF738F25C9B, 00007FF738F25CBD
PyObject_Str, xrefs: 00007FF738F25DAF, 00007FF738F25DD1
Py_InitializeFromConfig, xrefs: 00007FF738F25903, 00007FF738F25925
Py_DecodeLocale, xrefs: 00007FF738F2587F, 00007FF738F258A1
PyErr_Clear, xrefs: 00007FF738F25AA1, 00007FF738F25AC3
PyStatus_Exception, xrefs: 00007FF738F25E39, 00007FF738F25E5B
Py_Finalize, xrefs: 00007FF738F258D5, 00007FF738F258F7
PyObject_GetAttrString, xrefs: 00007FF738F25D53, 00007FF738F25D75
PyUnicode_Replace, xrefs: 00007FF738F25FD7, 00007FF738F25FF9
Py_PreInitialize, xrefs: 00007FF738F2595F, 00007FF738F25981
PyModule_GetDict, xrefs: 00007FF738F25CC9, 00007FF738F25CEB
PyUnicode_AsUTF8, xrefs: 00007FF738F25EC3, 00007FF738F25EE5
PyUnicode_Decode, xrefs: 00007FF738F25EF1, 00007FF738F25F13
PyObject_CallFunction, xrefs: 00007FF738F25CF7, 00007FF738F25D19
PyConfig_Clear, xrefs: 00007FF738F2598D, 00007FF738F259AF
PyUnicode_FromString, xrefs: 00007FF738F25F7B, 00007FF738F25F9D
PyErr_NormalizeException, xrefs: 00007FF738F25AFD, 00007FF738F25B1F
PyConfig_SetWideStringList, xrefs: 00007FF738F25A73, 00007FF738F25A95
Py_ExitStatusException, xrefs: 00007FF738F258AA, 00007FF738F258CC
PyUnicode_DecodeFSDefault, xrefs: 00007FF738F25F1F, 00007FF738F25F41
PySys_GetObject, xrefs: 00007FF738F25E67, 00007FF738F25E89
PyObject_CallFunctionObjArgs, xrefs: 00007FF738F25D25, 00007FF738F25D47
PyConfig_SetBytesString, xrefs: 00007FF738F25A17, 00007FF738F25A39
PyErr_Restore, xrefs: 00007FF738F25B87, 00007FF738F25BA9
PyObject_SetAttrString, xrefs: 00007FF738F25D81, 00007FF738F25DA3
PyUnicode_Join, xrefs: 00007FF738F25FA9, 00007FF738F25FCB
PyImport_ExecCodeModule, xrefs: 00007FF738F25C11, 00007FF738F25C33
Failed to get address for %hs, xrefs: 00007FF738F25861
PyErr_Occurred, xrefs: 00007FF738F25B2B, 00007FF738F25B4D
PyRun_SimpleStringFlags, xrefs: 00007FF738F25E0B, 00007FF738F25E2D
PyErr_Print, xrefs: 00007FF738F25B59, 00007FF738F25B7B
PySys_SetObject, xrefs: 00007FF738F25E95, 00007FF738F25EB7
GetProcAddress, xrefs: 00007FF738F25868
Py_DecRef, xrefs: 00007FF738F25836, 00007FF738F25858
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF738F25DDD, 00007FF738F25DFF
PyMarshal_ReadObjectFromString, xrefs: 00007FF738F25C6D, 00007FF738F25C8F

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: 8f4f60d7457701c35eea4f2defb2444345709aa51401a89e87b7039cfea4b865
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: E422BE76E0DB1BB1FA54BB55A8109B4E360AF08742FD91136C45E13262FF7EB548B238

Function 00007FF738F281D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF738F29390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF738F245F4,00000000,00007FF738F21985), ref: 00007FF738F293C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF738F286B7,?,?,00000000,00007FF738F23CBB), ref: 00007FF738F2822C

Part of subcall function 00007FF738F22810: MessageBoxW.USER32 ref: 00007FF738F228EA

Strings

LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF738F282D9
%.*s, xrefs: 00007FF738F2830C
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF738F28373
CreateDirectory, xrefs: 00007FF738F2837C
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF738F28240
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF738F28203
\, xrefs: 00007FF738F28261
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF738F2829D

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction ID: 93a3edde6093b5d73f77dd8f8704591f698f08cb8d3444a1b49afddd58b341a3
Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction Fuzzy Hash: B951B837B2DA8B71FB50BB24D8516BAE250AF94780FD44432D60E436D5EE3EE504A738

Function 00007FF738F22180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF738F221AB
SelectObject.GDI32 ref: 00007FF738F221F2
DrawTextW.USER32 ref: 00007FF738F22215
SelectObject.GDI32 ref: 00007FF738F2222B
ReleaseDC.USER32 ref: 00007FF738F2223B
MoveWindow.USER32 ref: 00007FF738F2228B
MoveWindow.USER32 ref: 00007FF738F222CB
MoveWindow.USER32 ref: 00007FF738F2231E
MoveWindow.USER32 ref: 00007FF738F22366

Strings

P%, xrefs: 00007FF738F221FF

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: cb983d769ed58582ebefb57f38dbdeefe05320b1e435294191bc98ec7fdce0d5
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: A8511636604BA286D6349F36A4181BAF7A1FB98B61F004122EBDE43795DF3DD045DB24

Function 00007FF738F280C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF738F280FF
GetWindowLongPtrW.USER32 ref: 00007FF738F2817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF738F28192
GetLastError.KERNEL32 ref: 00007FF738F2819C
SetWindowLongPtrW.USER32 ref: 00007FF738F281B3

Strings

Needs to remove its temporary files., xrefs: 00007FF738F28185

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 9e6484e3ed3504f90e4c267175e4a279f240cc7c59822fad40d2589b9a3f060c
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: 1221EA37B18A4791E741ABBAF844579E250FF84B90F8C4132DA1D433EADE3DD5909328

Function 00007FF738F36290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F362D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F366C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F3695C

Strings

p, xrefs: 00007FF738F36385
-, xrefs: 00007FF738F36369
:, xrefs: 00007FF738F3648C
f, xrefs: 00007FF738F363F5
p, xrefs: 00007FF738F363FD

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: b9c79bb41f50f2b3d8261864d725c7fd63b22e206212e090cf7208e05bbbf94b
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: C312BF73E09243A6FBA07A14D11427AF6A1FB40750FD44135E68A476C4EFBFE590BB28

Function 00007FF738F30FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F31008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F313D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F3166F

Strings

f, xrefs: 00007FF738F310A0
f, xrefs: 00007FF738F3110A
f, xrefs: 00007FF738F31255
p, xrefs: 00007FF738F310AD
p, xrefs: 00007FF738F31112

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: 16822843d2f6272f6cfbf77ab26247175c77dea6dc3da19181d7063aa54c5d06
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: C2128173E0C143A6FB607A15E0546B9F6A1FB40750FD84131F69A46AC4DBBFE5C0AB28

Function 00007FF738F21050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

malloc, xrefs: 00007FF738F2110F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF738F21108
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF738F211F6
fseek, xrefs: 00007FF738F210D3
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF738F210CC
Failed to extract %s: failed to open archive file!, xrefs: 00007FF738F21098
fread, xrefs: 00007FF738F211FD

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: bb53b9f83130c86f90c73192f8f8ea576b0e1637b53f6056db95b778128c6f12
Instruction ID: d1982282e2a4b1911e5dfe5c3f9bb9733d33f62c6c034950c3219aacfd5df0a1
Opcode Fuzzy Hash: bb53b9f83130c86f90c73192f8f8ea576b0e1637b53f6056db95b778128c6f12
Instruction Fuzzy Hash: 00419137A0865BA2EA00FB61E8006B9E394BF54BC4FD44432ED4C07786DE3EF541A768

Function 00007FF738F21470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

malloc, xrefs: 00007FF738F2151F
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF738F21518
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF738F215DF
fseek, xrefs: 00007FF738F214E5
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF738F214DE
Failed to extract %s: failed to open archive file!, xrefs: 00007FF738F2149F
fread, xrefs: 00007FF738F215E6

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 0e986b4e5c265948de3afc9e4e2e10f8185b4b3ab4291cce073a7edd1c97f69a
Instruction ID: 98993f257bf9ff6c2051739ee00b5b79428d533de85200da61b9caf6d60b6455
Opcode Fuzzy Hash: 0e986b4e5c265948de3afc9e4e2e10f8185b4b3ab4291cce073a7edd1c97f69a
Instruction Fuzzy Hash: 2B419137A0854BA6EA10FB61D4015B9E390BF54784FC44432ED4D07B9ADF7EE542A72C

Function 00007FF738F2EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF738F2EA65

Part of subcall function 00007FF738F2F9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF738F2F9FF
Part of subcall function 00007FF738F2F9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF738F2FA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF738F2EB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF738F2ED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF738F2EE98

Strings

csm, xrefs: 00007FF738F2EAE6
csm, xrefs: 00007FF738F2EB60
csm, xrefs: 00007FF738F2EA7F

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: a9de01b39adb4acc39c68eb74cba393df63c722b34c5cc73c5d389c4a4a87d8b
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: DBD18037A08B4A96EB20EB65D4403ADF7A0FB49788FA00135DE4D57796CF3AE094D724

Function 00007FF738F22C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF738F23706,?,00007FF738F23804), ref: 00007FF738F22C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF738F23706,?,00007FF738F23804), ref: 00007FF738F22D63
MessageBoxW.USER32 ref: 00007FF738F22D99

Strings

%ls: , xrefs: 00007FF738F22D22
[PYI-%d:ERROR] , xrefs: 00007FF738F22CA6
<FormatMessageW failed.>, xrefs: 00007FF738F22D70
Error, xrefs: 00007FF738F22D8C

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: 91ee23114622e8592f2f843e3e8594e12720a7e0be3467ec803014c8bf336759
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: EE311637708A5662E720BB25B8106AAE791BF887D8F800136EF4D93759EF3ED506D314

Function 00007FF738F2DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF738F2DF7A,?,?,?,00007FF738F2DC6C,?,?,?,00007FF738F2D869), ref: 00007FF738F2DD4D
GetLastError.KERNEL32(?,?,?,00007FF738F2DF7A,?,?,?,00007FF738F2DC6C,?,?,?,00007FF738F2D869), ref: 00007FF738F2DD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF738F2DF7A,?,?,?,00007FF738F2DC6C,?,?,?,00007FF738F2D869), ref: 00007FF738F2DD85
FreeLibrary.KERNEL32(?,?,?,00007FF738F2DF7A,?,?,?,00007FF738F2DC6C,?,?,?,00007FF738F2D869), ref: 00007FF738F2DDF3
GetProcAddress.KERNEL32(?,?,?,00007FF738F2DF7A,?,?,?,00007FF738F2DC6C,?,?,?,00007FF738F2D869), ref: 00007FF738F2DDFF

Strings

api-ms-, xrefs: 00007FF738F2DD6D

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: 14c047f5298731b398b81bbaeb935c64109f7978171cdb5671a2b0d6ff82a81c
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: C431E637B1AA0BA1EE11BB56A4005B5E394FF48BA4FC94635DD1D07385DF3EE4449328

Function 00007FF738F26360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF738F26407
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF738F263C7
Failed to load Python DLL '%ls'., xrefs: 00007FF738F264A7
ucrtbase.dll, xrefs: 00007FF738F263DD
LoadLibrary, xrefs: 00007FF738F264AE
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF738F26456

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction ID: 0eb944d7cd02aaca3b84ee1c01176766f5fc7e432335236e564f01b9494f22cf
Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction Fuzzy Hash: 7E416F36A18A8BB1EA15FB24E4142E9E315FF54384FC00132DA9C43696EF3EE619D764

Function 00007FF738F22A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF738F2351A,?,00000000,00007FF738F23F23), ref: 00007FF738F22AA0

Strings

0, xrefs: 00007FF738F22B16
WARNING, xrefs: 00007FF738F22AAF
Warning [ANSI Fallback], xrefs: 00007FF738F22B0F
Warning, xrefs: 00007FF738F22B1E
[PYI-%d:%s] , xrefs: 00007FF738F22AA8

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: b10467b54f03076ab7485aabe190952762a20d3b9e8487c8bf0a0dbce2b48b93
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: 4121A333618B8662E720AB50F4817E6E394FB883C4F800132EE8C53659DF7DD2459754

Function 00007FF738F3B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF738F3B15F
FlsGetValue.KERNEL32 ref: 00007FF738F3B174
FlsSetValue.KERNEL32 ref: 00007FF738F3B195
FlsSetValue.KERNEL32 ref: 00007FF738F3B1C2
FlsSetValue.KERNEL32 ref: 00007FF738F3B1D3
FlsSetValue.KERNEL32 ref: 00007FF738F3B1E4
SetLastError.KERNEL32 ref: 00007FF738F3B1FF

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction ID: 938e51042f2b8b42527aec84d7d9b2bc0f89fc7ab745b5dbd52c5c7ea30d2ac6
Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction Fuzzy Hash: CF215032B0C643A2FA667325D661139E2429F447B4FD44734D93E47AC6DDBFA440A328

Function 00007FF738F47D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF738F47D9D
GetLastError.KERNEL32 ref: 00007FF738F47DA9
CloseHandle.KERNEL32 ref: 00007FF738F47DC1
CreateFileW.KERNEL32 ref: 00007FF738F47DEC
WriteConsoleW.KERNEL32 ref: 00007FF738F47E0B

Strings

CONOUT$, xrefs: 00007FF738F47DCD

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: 481eeffa9489be7db0920b69fc5a481bf7e5baa07ff3a8be447a22173f58b237
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: 0211D332B18A5686E750AB56F854729E3A0FB88BE4F840335EA5D877A4CF3DD910C718

Function 00007FF738F28ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF738F23FB1), ref: 00007FF738F28EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF738F23FB1), ref: 00007FF738F28F5A

Part of subcall function 00007FF738F29390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF738F245F4,00000000,00007FF738F21985), ref: 00007FF738F293C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF738F23FB1), ref: 00007FF738F28FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF738F23FB1), ref: 00007FF738F29044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF738F23FB1), ref: 00007FF738F29055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF738F23FB1), ref: 00007FF738F2906A

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction ID: 104b50437f5e46800f32dab55af1d0a87258733b5f66ac919590d0dbe161100f
Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction Fuzzy Hash: E1419277B1968B91EA30AB22A5006BAF394FB84BD4F840135DF8D57789DE3ED500D728

Function 00007FF738F3B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A,?,?,?,?,00007FF738F3718F), ref: 00007FF738F3B2D7
FlsSetValue.KERNEL32(?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A,?,?,?,?,00007FF738F3718F), ref: 00007FF738F3B30D
FlsSetValue.KERNEL32(?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A,?,?,?,?,00007FF738F3718F), ref: 00007FF738F3B33A
FlsSetValue.KERNEL32(?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A,?,?,?,?,00007FF738F3718F), ref: 00007FF738F3B34B
FlsSetValue.KERNEL32(?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A,?,?,?,?,00007FF738F3718F), ref: 00007FF738F3B35C
SetLastError.KERNEL32(?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A,?,?,?,?,00007FF738F3718F), ref: 00007FF738F3B377

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction ID: 3ffdee22212dcdb07d456464253fd3dd3accea276861dc7ecccb4eb1a0cb6a02
Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction Fuzzy Hash: D8115E32A0C653A2FA54B735D66113DD1429F447B0FD44734D82E476D6DEBFA441A328

Function 00007FF738F22910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF738F21B6A), ref: 00007FF738F2295E

Strings

Error [ANSI Fallback], xrefs: 00007FF738F229FF
[PYI-%d:ERROR] , xrefs: 00007FF738F22966
%s: %s, xrefs: 00007FF738F229E8
Error, xrefs: 00007FF738F22A0E

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: 8eb20a52b117cdbe4c67c7268112aacf40ef442dfb554ded237664668c31d63c
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 5A31F637B1868662E710B765A8406E7E294BF887D4F800132FE8D83749EF7DD1469214

Function 00007FF738F22390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF738F223C8
DialogBoxIndirectParamW.USER32 ref: 00007FF738F2248E
DeleteObject.GDI32 ref: 00007FF738F224C1
DestroyIcon.USER32 ref: 00007FF738F224D3

Strings

Unhandled exception in script, xrefs: 00007FF738F223F8

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction ID: 123cea495e018976fc8b6c5829d7b4737e370c4fe66abced8633e99e3588bf71
Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction Fuzzy Hash: 2031A037619A8295EB20EF61E8552FAE360FF88784F840136EA4D4BB5ADF3ED1009714

Function 00007FF738F22B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF738F2918F,?,00007FF738F23C55), ref: 00007FF738F22BA0
MessageBoxW.USER32 ref: 00007FF738F22C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF738F22BA8
Warning, xrefs: 00007FF738F22C1D
WARNING, xrefs: 00007FF738F22BAF

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: 69a7ccaa193c7c3f8e437508aaa332347ee73ae8bb128709c6e69961410b19df
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: D221D173708B4262E710AB64F8447EAF3A4FB88784F800136EA8D53656DE3DD245C754

Function 00007FF738F22710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF738F21B99), ref: 00007FF738F22760

Strings

ERROR, xrefs: 00007FF738F2276F
Error [ANSI Fallback], xrefs: 00007FF738F227CF
[PYI-%d:%s] , xrefs: 00007FF738F22768
Error, xrefs: 00007FF738F227DE

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: 51b4dfa704bd3326dd3fb5c5f481a91be5b5e0e3e4a5269383dd74b11876a43a
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: 0E21A333A18B8662E710EB50F4417E6E3A4FB883C4F800132EE8C53659DF7DD1459754

Function 00007FF738F39A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF738F39AAD
GetProcAddress.KERNEL32 ref: 00007FF738F39AC3
FreeLibrary.KERNEL32 ref: 00007FF738F39AEA

Strings

CorExitProcess, xrefs: 00007FF738F39ABC
mscoree.dll, xrefs: 00007FF738F39AA4

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: d645272498f3872d3bf398cc135af358b4d0780bbb69a85bafce3bdbe78cd7ff
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 5FF0AF72B08607A1EE10AB64E44473AE320AF89761F880336C66E462E4DF7ED144E328

Function 00007FF738F49368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF738F49390
_set_statfp.LIBCMT ref: 00007FF738F493AB
_set_statfp.LIBCMT ref: 00007FF738F493C7
_set_statfp.LIBCMT ref: 00007FF738F49403

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: a1b0c6709dc1d1d37d5a2b1ec9b56e1f36d99f2341b2d05f144cf282444a0cbf
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: D5110833F5CA2321FA143175E091B39D044AF5A370E8C0632FA6E072FEDEBE68416128

Function 00007FF738F3B390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF738F3A5A3,?,?,00000000,00007FF738F3A83E,?,?,?,?,?,00007FF738F3A7CA), ref: 00007FF738F3B3AF
FlsSetValue.KERNEL32(?,?,?,00007FF738F3A5A3,?,?,00000000,00007FF738F3A83E,?,?,?,?,?,00007FF738F3A7CA), ref: 00007FF738F3B3CE
FlsSetValue.KERNEL32(?,?,?,00007FF738F3A5A3,?,?,00000000,00007FF738F3A83E,?,?,?,?,?,00007FF738F3A7CA), ref: 00007FF738F3B3F6
FlsSetValue.KERNEL32(?,?,?,00007FF738F3A5A3,?,?,00000000,00007FF738F3A83E,?,?,?,?,?,00007FF738F3A7CA), ref: 00007FF738F3B407
FlsSetValue.KERNEL32(?,?,?,00007FF738F3A5A3,?,?,00000000,00007FF738F3A83E,?,?,?,?,?,00007FF738F3A7CA), ref: 00007FF738F3B418

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction ID: 03117619063e1489d600a57cbc0406543e8069b80b31dd0937fed8b3d5f40569
Opcode Fuzzy Hash: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction Fuzzy Hash: F2117F72F0C603A2FA58B726D661179E1419F447B0FD84334E83E4A6C6DEBFA451A32C

Function 00007FF738F3B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF738F3B235
FlsSetValue.KERNEL32 ref: 00007FF738F3B254
FlsSetValue.KERNEL32 ref: 00007FF738F3B27C
FlsSetValue.KERNEL32 ref: 00007FF738F3B28D
FlsSetValue.KERNEL32 ref: 00007FF738F3B29E

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction ID: 8c4607f691796da4d2556021354b3a004c680cfeae2dec780eb146ea4c4ee1d6
Opcode Fuzzy Hash: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction Fuzzy Hash: 6A111872E0960762F999B266C92117DD1428F45334FD44734D93E5A6C2DDBFB4406239

Function 00007FF738F35FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F35FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F36106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F361BC

Strings

verbose, xrefs: 00007FF738F35FB0

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: 1718da910db622bc33c583005aebe89657e717e54cf471eaf0e43301c2c8416b
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 2A91DF33A08A4791EBA2BE64D45137DF6A1AB40B94FC44132DA5D433D6DEBFE405B328

Function 00007FF738F3FBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F3FEA7

Part of subcall function 00007FF738F37A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F37A59

Strings

ccs, xrefs: 00007FF738F3FDE2
UTF-8, xrefs: 00007FF738F3FE26
UTF-16LEUNICODE, xrefs: 00007FF738F3FE45

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 85c69acb8b6740be40ab02243888d478d90dc9734be7fcf60818c4c151f9bba2
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: A081A173E08243E7F7657E29C144279F6A0EB11B84FD54035CA0997295CBBFE941B329

Function 00007FF738F2D648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF738F2D673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF738F2D70A
RtlUnwindEx.KERNEL32 ref: 00007FF738F2D764

Strings

csm, xrefs: 00007FF738F2D6F1

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: 3ff08356363e069f4295ccf732de1897d247061de6c4ec5db48cbcd018d2d2fe
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: 0F51B03BB1960BAADB14BB15D004A78F391EF44B88F948130DA4E47788DF3EE841D718

Function 00007FF738F2F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF738F2F2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF738F2F398

Strings

csm, xrefs: 00007FF738F2F2D2
csm, xrefs: 00007FF738F2F3EA

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: c65026c513d5b783f626d06ee858fc76de86f0cb0500d05a2018cc8fc0fbc752
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: 0851C03BA1824B97EB34AB21D054268F7A0FB44B84F944136DA4D43B85CF7EE860D718

Function 00007FF738F2EED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF738F2EF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF738F2EF83

Strings

RCC, xrefs: 00007FF738F2EF53
MOC, xrefs: 00007FF738F2EF4B

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: f6ba23322a57066a7ec58c177a4894515c4f10cf1e6261a419c79a6bf92c39b5
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 64619037918BCA96DA30EB15E4403AAF7A0FB88798F544225EB9C07B59CF7DD090CB14

Function 00007FF738F22810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF738F228EA

Strings

[PYI-%d:%ls] , xrefs: 00007FF738F22868
ERROR, xrefs: 00007FF738F2286F
Error, xrefs: 00007FF738F228DD

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: e5e23401dee39a24fa710758d41fbc3a587d5f1528ce850366fca7b36089406e
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: 8121D173B08B42A2E710AB64F4447EAF3A0FB88780F800136EE8D53656DE3DD245D754

Function 00007FF738F3C5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF738F3C61F
WriteFile.KERNEL32 ref: 00007FF738F3C8E7
WriteFile.KERNEL32 ref: 00007FF738F3C92D
GetLastError.KERNEL32 ref: 00007FF738F3C9E3

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: 2a43af8da12a4717c578989528e2e041af48846a8bc1493a32afd729f3f8c82a
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 46D13673B09A429AE710DF75C4402ACBBB1FB54798F844236DE4E97B89DE7AD006D318

Function 00007FF738F220C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF738F220F4
SetWindowLongPtrW.USER32 ref: 00007FF738F22116
GetWindowLongPtrW.USER32 ref: 00007FF738F22140
InvalidateRect.USER32 ref: 00007FF738F22160

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 397b0d262e2764218682171acbaeacef8817593f15a89de603eb304d4e91eca7
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: 36112936B0C15B92F644EB7AE5446B9D251EB84790FC84031DF4903B9ACD3ED5D0A218

Function 00007FF738F45B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF738F41760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F41793

_get_daylight.LIBCMT ref: 00007FF738F45C34
_get_daylight.LIBCMT ref: 00007FF738F45C45

Strings

?, xrefs: 00007FF738F45BC5

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction ID: c4eba55e4d6a0db517769787bccde88e8ab4cdeef7a6c0c784109e958b1c110c
Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction Fuzzy Hash: FC411733A086A362FB60BB25D401B7AE650EB84BA4F984236EF5C07BD5DF3ED4419714

Function 00007FF738F39014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F39046

Part of subcall function 00007FF738F3A948: RtlFreeHeap.NTDLL(?,?,?,00007FF738F42D22,?,?,?,00007FF738F42D5F,?,?,00000000,00007FF738F43225,?,?,?,00007FF738F43157), ref: 00007FF738F3A95E
Part of subcall function 00007FF738F3A948: GetLastError.KERNEL32(?,?,?,00007FF738F42D22,?,?,?,00007FF738F42D5F,?,?,00000000,00007FF738F43225,?,?,?,00007FF738F43157), ref: 00007FF738F3A968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF738F2CBA5), ref: 00007FF738F39064

Strings

C:\Users\user\Desktop\WTvNL75dCr.exe, xrefs: 00007FF738F39052

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\WTvNL75dCr.exe
API String ID: 3580290477-2065946233
Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction ID: 6d456b72af2227508c140fdd6355293deef033f6956620eebf034a7e33f783af
Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction Fuzzy Hash: 0E418933A08A03A6EB15FF22D8400BCE7A5EB457D0F954035E94E53B85CE7FE481A328

Function 00007FF738F3CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF738F3CD4F
GetLastError.KERNEL32 ref: 00007FF738F3CD71

Strings

U, xrefs: 00007FF738F3CCFB

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: 35b416897f406fb6e0a20ffc2ff908a289eb2d1b04bf305f84313e06444a5669
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: BC41E333B18A8291DB20AF25E4443BAE7A0FB88784F844131EE4D87788EF7ED401D754

Function 00007FF738F3F5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF738F3F5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF738F3F64A

Strings

:, xrefs: 00007FF738F3F60E

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction ID: 43c289bbf594e01b348e4a5981ae05ac3bc649e31ff175f2774a00d5498fab7a
Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction Fuzzy Hash: DA213673A0864392EB20AB15D04426DF3A1FB84B84FC54035D68C43694DFBFD6449B64

Function 00007FF738F2FD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF738F2FD98
RaiseException.KERNEL32 ref: 00007FF738F2FDD9

Strings

csm, xrefs: 00007FF738F2FDC6

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: 943cc15d96308b5d23216cdbef40b476799492912cf81a632092c6eb5e9eb2c4
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: BB115B37618B8692EB219F25E400269F7E4FB88B88F984231EB8D07769DF3DD5519B04

Function 00007FF738F4073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F4076C
GetDriveTypeW.KERNEL32 ref: 00007FF738F407AC

Strings

:, xrefs: 00007FF738F40795

Memory Dump Source

Source File: 00000000.00000002.2527624442.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000000.00000002.2527593939.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2527662107.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528382079.00007FF738F62000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2528451022.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: b126195af7bc2662332bb7ec37cd725a0ba133eb3343fdb0550e4cbec75cd114
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 4E01D43391860392F760BF60946167EE3A0EFA4344FD80036D94D43681DE3EE544AB2D

Analysis Process: WTvNL75dCr.exePID: 7092, Parent PID: 6932COMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1280
Total number of Limit Nodes:	41

Executed Functions

Function 00007FF738F21000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MEI, xrefs: 00007FF738F23933
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF738F23D35
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF738F23E0A
VCRUNTIME140.dll, xrefs: 00007FF738F23DB1
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF738F23C61
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF738F23882, 00007FF738F238AF
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF738F23A0B, 00007FF738F23CD4, 00007FF738F23F6B
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF738F23D12
pyi-python-flag, xrefs: 00007FF738F23AD6
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF738F23A17, 00007FF738F23A2F, 00007FF738F23A9B
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF738F23EBB
Could not create temporary directory!, xrefs: 00007FF738F23CBF
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF738F23BE8
pyi-runtime-tmpdir, xrefs: 00007FF738F23B68
pyi-contents-directory, xrefs: 00007FF738F23B8D
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF738F23B32
Failed to load splash screen resources!, xrefs: 00007FF738F23E85
pkg, xrefs: 00007FF738F239BE
pyi-disable-windowed-traceback, xrefs: 00007FF738F23BB2
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF738F239DE
Failed to remove temporary directory: %s, xrefs: 00007FF738F23FCF
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF738F23971
_PYI_ARCHIVE_FILE, xrefs: 00007FF738F238D2, 00007FF738F239FF
Failed to convert DLL search path!, xrefs: 00007FF738F23DDC
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF738F23EA6
Py_GIL_DISABLED, xrefs: 00007FF738F23AF4
_PYI_SPLASH_IPC, xrefs: 00007FF738F23A23, 00007FF738F23EF5
Failed to start splash screen!, xrefs: 00007FF738F23ED4

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 233ec7f25ec1ed803ce179537cd482b57a2e4efc6b2dbb8e538fcab84ef42543
Instruction ID: 9e45f98571c6f26198d0d8ef12d63a7c0c67eccb922f59906332a274ac1fa62e
Opcode Fuzzy Hash: 233ec7f25ec1ed803ce179537cd482b57a2e4efc6b2dbb8e538fcab84ef42543
Instruction Fuzzy Hash: 6D329F7BA0C69B71FA15BB24D4543B9E691AF84740FC44032DA4D432E6EF3EE558E328

Function 00007FF738F46964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF738F46698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F466D9
Part of subcall function 00007FF738F46698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F46757
Part of subcall function 00007FF738F46698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F467A8

CreateFileW.KERNEL32 ref: 00007FF738F46A6A
CreateFileW.KERNEL32 ref: 00007FF738F46ABA
GetLastError.KERNEL32 ref: 00007FF738F46AEA
GetFileType.KERNEL32 ref: 00007FF738F46AFF
GetLastError.KERNEL32 ref: 00007FF738F46B09
CloseHandle.KERNEL32 ref: 00007FF738F46B3C
CloseHandle.KERNEL32 ref: 00007FF738F46C9F
CreateFileW.KERNEL32 ref: 00007FF738F46CD4
GetLastError.KERNEL32 ref: 00007FF738F46CE3

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 922349331eae43235a3dd4efb9cc4fa0d26068352ccf433ce5660598ca27d8a2
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: ACC1DF33B28A5295EB10EFA8C4806ACB761FB49B98F850236DA1E973D5CF3ED451D314

Function 00007FF738F29280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF738F292B3
FindClose.KERNEL32 ref: 00007FF738F292C2

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 15731cb5969d890675e039b319559d1d655f038426d19a47c31c91ebdb284ac7
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: F0F0C837A1874786F7609F64B489B66F350AB84368F840339D9AE03AD4DF3DE048DA18

Function 00007FF738F21950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF738F27F90: _fread_nolock.LIBCMT ref: 00007FF738F2803A

_fread_nolock.LIBCMT ref: 00007FF738F21A1B

Part of subcall function 00007FF738F22910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF738F21B6A), ref: 00007FF738F2295E

Strings

Failed to read cookie!, xrefs: 00007FF738F21A2B
Could not allocate buffer for TOC!, xrefs: 00007FF738F21B1B
MEI, xrefs: 00007FF738F21991
Could not allocate memory for archive structure!, xrefs: 00007FF738F21A61
Could not read full TOC!, xrefs: 00007FF738F21B55
fread, xrefs: 00007FF738F21A32, 00007FF738F21B5C
Failed to seek to cookie position!, xrefs: 00007FF738F219EE
Error on file., xrefs: 00007FF738F21B8D
calloc, xrefs: 00007FF738F21A68
malloc, xrefs: 00007FF738F21B22
fseek, xrefs: 00007FF738F219F5

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: 6a04d0c4c8a0b99f23b16d6d676f1581d6c74e17851155a383b4fbd0f348e88e
Instruction ID: 07528ba61522d78cabeee0b1229039844d400db3f7af72b8c1542f3cce8a63e4
Opcode Fuzzy Hash: 6a04d0c4c8a0b99f23b16d6d676f1581d6c74e17851155a383b4fbd0f348e88e
Instruction Fuzzy Hash: 12819577A0868BA6EB20FB24D0406F9E3A0EF44744FC44432D98D47786DE7EE585A76C

Function 00007FF738F21470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to read data chunk!, xrefs: 00007FF738F215DF
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF738F21518
fread, xrefs: 00007FF738F215E6
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF738F214DE
Failed to extract %s: failed to open archive file!, xrefs: 00007FF738F2149F
malloc, xrefs: 00007FF738F2151F
fseek, xrefs: 00007FF738F214E5

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 60a4f7716322392174b45f0900a3bf04e5f00cb62b5f775a2b3fa26e9f7385d7
Instruction ID: 98993f257bf9ff6c2051739ee00b5b79428d533de85200da61b9caf6d60b6455
Opcode Fuzzy Hash: 60a4f7716322392174b45f0900a3bf04e5f00cb62b5f775a2b3fa26e9f7385d7
Instruction Fuzzy Hash: 2B419137A0854BA6EA10FB61D4015B9E390BF54784FC44432ED4D07B9ADF7EE542A72C

Function 00007FF738F21210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF738F212EF
1.3.1, xrefs: 00007FF738F21249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF738F212BA
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF738F2141E
malloc, xrefs: 00007FF738F212C1, 00007FF738F212F6
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF738F21276

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 096f828560730c5e91f8963ea1229aecabbed89a92b0e893cc7cf6d4f043b132
Instruction ID: 56c7474e29a3d9bc4e605baca1331d25a188b616b6b1e3013b7008664b980311
Opcode Fuzzy Hash: 096f828560730c5e91f8963ea1229aecabbed89a92b0e893cc7cf6d4f043b132
Instruction Fuzzy Hash: F2510637A0864BA1EA20BB21E4003BAE291FF85794FD84131ED4D477C5EE3EE541E728

Function 00007FF738F236B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF738F23804), ref: 00007FF738F236E1
GetLastError.KERNEL32(?,00007FF738F23804), ref: 00007FF738F236EB

Part of subcall function 00007FF738F22C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF738F23706,?,00007FF738F23804), ref: 00007FF738F22C9E
Part of subcall function 00007FF738F22C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF738F23706,?,00007FF738F23804), ref: 00007FF738F22D63
Part of subcall function 00007FF738F22C50: MessageBoxW.USER32 ref: 00007FF738F22D99

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF738F23790
\\?\, xrefs: 00007FF738F2375A
GetModuleFileNameW, xrefs: 00007FF738F236FA
Failed to resolve full path to executable %ls., xrefs: 00007FF738F23739
Failed to obtain executable path., xrefs: 00007FF738F236F3

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: bd2df174826c20d484526a25798eb75a2c90875519feb411b35457336b573fa8
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: A02191B7B1C64761FA20B724E8003B6E250BF88398FC04232D65D875E5EE3EE504E328

Function 00007FF738F3BA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F3BE89

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction ID: 58262f9088fdbdeffb42c0e59f77c7e96ece93bda2c71434d73852daf1ee974e
Opcode Fuzzy Hash: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction Fuzzy Hash: 5BC1B233A0CA87A1E760AB15D4502BDFB50FB91B80FD94131EA4D43791CEBFE585A728

Function 00007FF738F26360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF738F263C7
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF738F26407
LoadLibrary, xrefs: 00007FF738F264AE
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF738F26456
ucrtbase.dll, xrefs: 00007FF738F263DD
Failed to load Python DLL '%ls'., xrefs: 00007FF738F264A7

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction ID: 0eb944d7cd02aaca3b84ee1c01176766f5fc7e432335236e564f01b9494f22cf
Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction Fuzzy Hash: 7E416F36A18A8BB1EA15FB24E4142E9E315FF54384FC00132DA9C43696EF3EE619D764

Function 00007FF738F35628 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F35655
CreateFileW.KERNEL32 ref: 00007FF738F35694
CloseHandle.KERNEL32 ref: 00007FF738F356C9

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction ID: dcfb24fc1188e79118681696eb59df9a1872d4ebfaf42fd51b0f884711c04bc0
Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction Fuzzy Hash: A1419373D1878293E711AB60D510379F260FBA83A4F508335E65D03AD2EFBEA1E09724

Function 00007FF738F2CC3C Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF738F2CE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF738F2CE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF738F2CC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF738F2CCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF738F2CD21

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: d71f749ddbaf8198ce70ef85a57da66230fc8d09b6933862c7d5639418a13a60
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: 5931693BE4854B61FA24BB61D4123B9D281AF42384FC44135DA0E472E3DE7FA904A33D

Function 00007FF738F3013C Relevance: 3.2, APIs: 2, Instructions: 177
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F30180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F30277

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction ID: 88395bd8ba7a731f1a301eaad00115ce10adbeccdee895d49b30fc4f2db690bb
Opcode Fuzzy Hash: 2fd4b9cf4e2c203a215f80a0453bc9b94d2a0e119ef729a2f51343e3c0f92604
Instruction Fuzzy Hash: 1551FC33B09643A7F725B926D40067AE181AFC4BA4F984736DDAD037D5CEBFD400A628

Function 00007FF738F3C134 Relevance: 3.0, APIs: 2, Instructions: 46
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF738F3C2CD), ref: 00007FF738F3C180
GetLastError.KERNEL32(?,?,?,?,?,00007FF738F3C2CD), ref: 00007FF738F3C18A

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: 711803ea283884ec88119c0f339c1b0bba4650d47107aa920eadbf010ec91a92
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: CA110133708A8291DA20AB25F800069F361AB41FF4F944331EEBD0B7E9CEBED0509704

Function 00007FF738F3AB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF738F3A9D5,?,?,00000000,00007FF738F3AA8A), ref: 00007FF738F3ABC6
GetLastError.KERNEL32(?,?,?,00007FF738F3A9D5,?,?,00000000,00007FF738F3AA8A), ref: 00007FF738F3ABD0

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 769b255ecbe459c0e14236d6c2c919449c9ac0d7c433d967da16c3ff216125d9
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: B6219233B18A8361EA94B762D49427DD6829F84790F984339D92E477D2CEFFE4416228

Function 00007FF738F3BEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F3BED4

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 1bc8ad72b154e176ac18673e3a25f4956179e24884866d7dea2537584989ee5b
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: F541E33390864397EA34AA69E450279F3A0EB55780F901235D6DE436D1CFBFE442EB78

Function 00007FF738F27F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF738F2803A

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: c6682db64852707600c43fb891f4de48ebc266699440c3858ac7b9af290251f5
Instruction ID: d11191be54cbad0439c7d4ccaaf9d39f980c513c2e7d4d35d42838649350fd61
Opcode Fuzzy Hash: c6682db64852707600c43fb891f4de48ebc266699440c3858ac7b9af290251f5
Instruction Fuzzy Hash: EE219136B2869766EA10FA22A9047BAD641FF45BD4FCC4431EE4C0B786DE7EE041D218

Function 00007FF738F3B93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F3B9C2

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction ID: d2fa4baa749bb5bc2b0107c056e396c560131cef33c48b89d66920b0ae5bf8a2
Opcode Fuzzy Hash: 0fe3e981c7cf3185d146a9a4244026f2f164e791e6f92d2a50fd94940550a020
Instruction Fuzzy Hash: C6317E33A18A03A5E6117B65C85137CEA90AF90B94FD10235E91D073D2CEFFE581A739

Function 00007FF738F35F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F35EF9

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 79038e875514f9cdd536339b77c8c5271c95976f3cb4d5acb5900c8f248480e2
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: D1118E33A1864392EA61BF11D40117DE260AF99B80F940531EA4C57A96CFBFD5406728

Function 00007FF738F46354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F46377

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: 38cad8023dac211abce81c593c8904694ccf4bc6694eb0e81c8bdd3860a08e36
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 1D210433A08A8396EB60AF28D040779F2A0FB84B54FA84235E75D877D9DF3ED4109B14

Function 00007FF738F303BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F30410

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 82df270d589525c844fc34f34cca9effe624a490f2e38a173eec6e405afd5aad
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 31018232A0874291E504AB52D901069E691BFD5FE0F884632DEAC13BD6CE7FD5216318

Function 00007FF738F28E80 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF738F29390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF738F245F4,00000000,00007FF738F21985), ref: 00007FF738F293C9

LoadLibraryExW.KERNEL32(?,00007FF738F26476,?,00007FF738F2336E), ref: 00007FF738F28EA2

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction ID: 8959fecd6d55409a3a8539ea233d70aac059f16a676950deee188f69ac6d9e06
Opcode Fuzzy Hash: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction Fuzzy Hash: BBD08C22B2465652EA44B77BBA46A29D251AB89BC0F888036EE4D07B4ADC3EC0514B04

Function 00007FF738F3D5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF738F30C90,?,?,?,00007FF738F322FA,?,?,?,?,?,00007FF738F33AE9), ref: 00007FF738F3D63A

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 9604fff59c656e14cc964c20ef692bd21e2e61ac591c3871c229c4c7624c8758
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: D9F05E32F0820761FE5437729801674D1A04FC47A0FC80730EC3E462C2EEBFA580A638

Non-executed Functions

Function 00007FF738F289E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF738F29390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF738F245F4,00000000,00007FF738F21985), ref: 00007FF738F293C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28A56

Part of subcall function 00007FF738F3A47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F3A490

Part of subcall function 00007FF738F3871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F38783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28AE6
CreateProcessW.KERNEL32 ref: 00007FF738F28B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28B28

Part of subcall function 00007FF738F22C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF738F23706,?,00007FF738F23804), ref: 00007FF738F22C9E
Part of subcall function 00007FF738F22C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF738F23706,?,00007FF738F23804), ref: 00007FF738F22D63
Part of subcall function 00007FF738F22C50: MessageBoxW.USER32 ref: 00007FF738F22D99

RegisterClassW.USER32 ref: 00007FF738F28B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28B8B
CreateWindowExW.USER32 ref: 00007FF738F28BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28C15
PeekMessageW.USER32 ref: 00007FF738F28C39
TranslateMessage.USER32 ref: 00007FF738F28C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28C51
PeekMessageW.USER32 ref: 00007FF738F28C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28E04
GetExitCodeProcess.KERNEL32 ref: 00007FF738F28E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF738F23F7F), ref: 00007FF738F28E2F

Strings

PyInstaller Onefile Hidden Window, xrefs: 00007FF738F28B95
PyInstallerOnefileHiddenWindow, xrefs: 00007FF738F28B54
CreateProcessW, xrefs: 00007FF738F28B37
Failed to create child process!, xrefs: 00007FF738F28B30

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 44288299a1d7df02f8ebae119478242b9bbc5a0218942e74f48737d1877fa20f
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: F1D1F233A08A97A6EB10AF74E8506ADF760FF84758F840236DA4E43AA5DF3DD104D718

Function 00007FF738F2D12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF738F2D148
RtlCaptureContext.KERNEL32 ref: 00007FF738F2D175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF738F2D18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF738F2D1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF738F2D224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF738F2D241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF738F2D24C

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: 2103c09f497c455b3a4b1c348f7f3053c70119c9be4a8e9dc5951837325b91a7
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: 51315277608B8696EB60AF60E8407EDB360FB84704F84403ADA4D47B95DF3DD648D724

Function 00007FF738F281D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF738F29390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF738F245F4,00000000,00007FF738F21985), ref: 00007FF738F293C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF738F286B7,?,?,00000000,00007FF738F23CBB), ref: 00007FF738F2822C

Part of subcall function 00007FF738F22810: MessageBoxW.USER32 ref: 00007FF738F228EA

Strings

LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF738F28203
\, xrefs: 00007FF738F28261
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF738F28240
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF738F28373
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF738F2829D
CreateDirectory, xrefs: 00007FF738F2837C
%.*s, xrefs: 00007FF738F2830C
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF738F282D9

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
Instruction ID: 93a3edde6093b5d73f77dd8f8704591f698f08cb8d3444a1b49afddd58b341a3
Opcode Fuzzy Hash: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
Instruction Fuzzy Hash: B951B837B2DA8B71FB50BB24D8516BAE250AF94780FD44432D60E436D5EE3EE504A738

Function 00007FF738F22180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF738F221AB
SelectObject.GDI32 ref: 00007FF738F221F2
DrawTextW.USER32 ref: 00007FF738F22215
SelectObject.GDI32 ref: 00007FF738F2222B
ReleaseDC.USER32 ref: 00007FF738F2223B
MoveWindow.USER32 ref: 00007FF738F2228B
MoveWindow.USER32 ref: 00007FF738F222CB
MoveWindow.USER32 ref: 00007FF738F2231E
MoveWindow.USER32 ref: 00007FF738F22366

Strings

P%, xrefs: 00007FF738F221FF

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: cb983d769ed58582ebefb57f38dbdeefe05320b1e435294191bc98ec7fdce0d5
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: A8511636604BA286D6349F36A4181BAF7A1FB98B61F004122EBDE43795DF3DD045DB24

Function 00007FF738F36290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F362D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F366C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF738F3695C

Strings

-, xrefs: 00007FF738F36369
p, xrefs: 00007FF738F363FD
:, xrefs: 00007FF738F3648C
p, xrefs: 00007FF738F36385
f, xrefs: 00007FF738F363F5

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: b9c79bb41f50f2b3d8261864d725c7fd63b22e206212e090cf7208e05bbbf94b
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: C312BF73E09243A6FBA07A14D11427AF6A1FB40750FD44135E68A476C4EFBFE590BB28

Function 00007FF738F2EA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF738F2EA65

Part of subcall function 00007FF738F2F9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF738F2F9FF
Part of subcall function 00007FF738F2F9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF738F2FA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF738F2EB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF738F2ED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF738F2EE98

Strings

csm, xrefs: 00007FF738F2EB60
csm, xrefs: 00007FF738F2EA7F
csm, xrefs: 00007FF738F2EAE6

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: a9de01b39adb4acc39c68eb74cba393df63c722b34c5cc73c5d389c4a4a87d8b
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: DBD18037A08B4A96EB20EB65D4403ADF7A0FB49788FA00135DE4D57796CF3AE094D724

Function 00007FF738F3ED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF738F3F0AA,?,?,000002B82AC98EC8,00007FF738F3AD53,?,?,?,00007FF738F3AC4A,?,?,?,00007FF738F35F3E), ref: 00007FF738F3EE8C
GetProcAddress.KERNEL32(?,?,?,00007FF738F3F0AA,?,?,000002B82AC98EC8,00007FF738F3AD53,?,?,?,00007FF738F3AC4A,?,?,?,00007FF738F35F3E), ref: 00007FF738F3EE98

Strings

api-ms-, xrefs: 00007FF738F3EDD6
ext-ms-, xrefs: 00007FF738F3EDE9

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 8bdd2dff276b710308340de98d7aaca558b0da3bb2178a68ad3370839e4ecf24
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: 3C411233B09A13A1FE16EB16E800575E291BF48B94FC94139DC1D57B84EF7FE485A228

Function 00007FF738F22C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF738F23706,?,00007FF738F23804), ref: 00007FF738F22C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF738F23706,?,00007FF738F23804), ref: 00007FF738F22D63
MessageBoxW.USER32 ref: 00007FF738F22D99

Strings

Error, xrefs: 00007FF738F22D8C
[PYI-%d:ERROR] , xrefs: 00007FF738F22CA6
%ls: , xrefs: 00007FF738F22D22
<FormatMessageW failed.>, xrefs: 00007FF738F22D70

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: 91ee23114622e8592f2f843e3e8594e12720a7e0be3467ec803014c8bf336759
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: EE311637708A5662E720BB25B8106AAE791BF887D8F800136EF4D93759EF3ED506D314

Function 00007FF738F2DCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF738F2DF7A,?,?,?,00007FF738F2DC6C,?,?,?,00007FF738F2D869), ref: 00007FF738F2DD4D
GetLastError.KERNEL32(?,?,?,00007FF738F2DF7A,?,?,?,00007FF738F2DC6C,?,?,?,00007FF738F2D869), ref: 00007FF738F2DD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF738F2DF7A,?,?,?,00007FF738F2DC6C,?,?,?,00007FF738F2D869), ref: 00007FF738F2DD85
FreeLibrary.KERNEL32(?,?,?,00007FF738F2DF7A,?,?,?,00007FF738F2DC6C,?,?,?,00007FF738F2D869), ref: 00007FF738F2DDF3
GetProcAddress.KERNEL32(?,?,?,00007FF738F2DF7A,?,?,?,00007FF738F2DC6C,?,?,?,00007FF738F2D869), ref: 00007FF738F2DDFF

Strings

api-ms-, xrefs: 00007FF738F2DD6D

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: 14c047f5298731b398b81bbaeb935c64109f7978171cdb5671a2b0d6ff82a81c
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: C431E637B1AA0BA1EE11BB56A4005B5E394FF48BA4FC94635DD1D07385DF3EE4449328

Function 00007FF738F22A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF738F2351A,?,00000000,00007FF738F23F23), ref: 00007FF738F22AA0

Strings

[PYI-%d:%s] , xrefs: 00007FF738F22AA8
0, xrefs: 00007FF738F22B16
WARNING, xrefs: 00007FF738F22AAF
Warning, xrefs: 00007FF738F22B1E
Warning [ANSI Fallback], xrefs: 00007FF738F22B0F

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: b10467b54f03076ab7485aabe190952762a20d3b9e8487c8bf0a0dbce2b48b93
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: 4121A333618B8662E720AB50F4817E6E394FB883C4F800132EE8C53659DF7DD2459754

Function 00007FF738F3B150 Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF738F3B15F
FlsGetValue.KERNEL32 ref: 00007FF738F3B174
FlsSetValue.KERNEL32 ref: 00007FF738F3B195
FlsSetValue.KERNEL32 ref: 00007FF738F3B1C2
FlsSetValue.KERNEL32 ref: 00007FF738F3B1D3
FlsSetValue.KERNEL32 ref: 00007FF738F3B1E4
SetLastError.KERNEL32 ref: 00007FF738F3B1FF

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction ID: 938e51042f2b8b42527aec84d7d9b2bc0f89fc7ab745b5dbd52c5c7ea30d2ac6
Opcode Fuzzy Hash: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction Fuzzy Hash: CF215032B0C643A2FA667325D661139E2429F447B4FD44734D93E47AC6DDBFA440A328

Function 00007FF738F3B2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A,?,?,?,?,00007FF738F3718F), ref: 00007FF738F3B2D7
FlsSetValue.KERNEL32(?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A,?,?,?,?,00007FF738F3718F), ref: 00007FF738F3B30D
FlsSetValue.KERNEL32(?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A,?,?,?,?,00007FF738F3718F), ref: 00007FF738F3B33A
FlsSetValue.KERNEL32(?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A,?,?,?,?,00007FF738F3718F), ref: 00007FF738F3B34B
FlsSetValue.KERNEL32(?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A,?,?,?,?,00007FF738F3718F), ref: 00007FF738F3B35C
SetLastError.KERNEL32(?,?,?,00007FF738F34F11,?,?,?,?,00007FF738F3A48A,?,?,?,?,00007FF738F3718F), ref: 00007FF738F3B377

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
Instruction ID: 3ffdee22212dcdb07d456464253fd3dd3accea276861dc7ecccb4eb1a0cb6a02
Opcode Fuzzy Hash: 511c86220214880ca4b01c77dd55d0a7de68e458561f726588d357ec3f22002e
Instruction Fuzzy Hash: D8115E32A0C653A2FA54B735D66113DD1429F447B0FD44734D82E476D6DEBFA441A328

Function 00007FF738F39A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF738F39AAD
GetProcAddress.KERNEL32 ref: 00007FF738F39AC3
FreeLibrary.KERNEL32 ref: 00007FF738F39AEA

Strings

mscoree.dll, xrefs: 00007FF738F39AA4
CorExitProcess, xrefs: 00007FF738F39ABC

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: d645272498f3872d3bf398cc135af358b4d0780bbb69a85bafce3bdbe78cd7ff
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 5FF0AF72B08607A1EE10AB64E44473AE320AF89761F880336C66E462E4DF7ED144E328

Function 00007FF738F3B224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF738F3B235
FlsSetValue.KERNEL32 ref: 00007FF738F3B254
FlsSetValue.KERNEL32 ref: 00007FF738F3B27C
FlsSetValue.KERNEL32 ref: 00007FF738F3B28D
FlsSetValue.KERNEL32 ref: 00007FF738F3B29E

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction ID: 8c4607f691796da4d2556021354b3a004c680cfeae2dec780eb146ea4c4ee1d6
Opcode Fuzzy Hash: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction Fuzzy Hash: 6A111872E0960762F999B266C92117DD1428F45334FD44734D93E5A6C2DDBFB4406239

Function 00007FF738F2F288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF738F2F2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF738F2F398

Strings

csm, xrefs: 00007FF738F2F2D2
csm, xrefs: 00007FF738F2F3EA

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: c65026c513d5b783f626d06ee858fc76de86f0cb0500d05a2018cc8fc0fbc752
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: 0851C03BA1824B97EB34AB21D054268F7A0FB44B84F944136DA4D43B85CF7EE860D718

Function 00007FF738F3F98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF738F3FA7C
_get_daylight.LIBCMT ref: 00007FF738F3FA8D
_get_daylight.LIBCMT ref: 00007FF738F3FA9E
_isindst.LIBCMT ref: 00007FF738F3FB69

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 869c8f3e0f42a4c788def9c2c32fcf80846c62ac4e22d9a70d52b78e01a304bd
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: A85111B3F04213ABEB14EF64C9516BCE7A1EF44368F900235DD1E52AE4DF3EA4069614

Function 00007FFDFA50C9AC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFDFA50C9D8
GetCurrentThreadId.KERNEL32 ref: 00007FFDFA50C9E6
GetCurrentProcessId.KERNEL32 ref: 00007FFDFA50C9F2
QueryPerformanceCounter.KERNEL32 ref: 00007FFDFA50CA02

Memory Dump Source

Source File: 00000001.00000002.2508622643.00007FFDFA241000.00000020.00000001.01000000.0000001C.sdmp, Offset: 00007FFDFA240000, based on PE: true

Associated: 00000001.00000002.2508597050.00007FFDFA240000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2508863875.00007FFDFA50E000.00000002.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2508974668.00007FFDFA65B000.00000008.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509010957.00007FFDFA66B000.00000004.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509042696.00007FFDFA671000.00000008.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509067125.00007FFDFA676000.00000004.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509099828.00007FFDFA685000.00000008.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509137374.00007FFDFA68C000.00000004.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509179531.00007FFDFA68D000.00000008.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509209635.00007FFDFA68E000.00000004.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509232991.00007FFDFA68F000.00000008.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509269319.00007FFDFA6A8000.00000004.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509293877.00007FFDFA6B7000.00000008.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509322771.00007FFDFA6C7000.00000004.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509347083.00007FFDFA6C8000.00000008.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509373933.00007FFDFA6C9000.00000004.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509399277.00007FFDFA6CA000.00000008.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509425744.00007FFDFA6CD000.00000004.00000001.01000000.0000001C.sdmpDownload File
Associated: 00000001.00000002.2509449522.00007FFDFA6CF000.00000002.00000001.01000000.0000001C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ffdfa240000_WTvNL75dCr.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 19a014122a8329d598b8a719417dcd6d526a9fad5fd2adc0fdb65de44e15e28a
Instruction ID: 16ec32ed8b79f6cd3393edfa2521823e15d06ecab58c091025188f9799ddeb97
Opcode Fuzzy Hash: 19a014122a8329d598b8a719417dcd6d526a9fad5fd2adc0fdb65de44e15e28a
Instruction Fuzzy Hash: 1D115A26B15F128AEB04DF60E8646B833A4FB59B58F080E31EE2D427A8DF3CD1588340

Function 00007FF738F45B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF738F41760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF738F41793

_get_daylight.LIBCMT ref: 00007FF738F45C34
_get_daylight.LIBCMT ref: 00007FF738F45C45

Strings

?, xrefs: 00007FF738F45BC5

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
Instruction ID: c4eba55e4d6a0db517769787bccde88e8ab4cdeef7a6c0c784109e958b1c110c
Opcode Fuzzy Hash: 34aa9ba053483d92f686c00bb3d23c2ed0895a5cb55bf09a4ef316522e0c30cf
Instruction Fuzzy Hash: FC411733A086A362FB60BB25D401B7AE650EB84BA4F984236EF5C07BD5DF3ED4419714

Function 00007FF738F3CC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF738F3CD4F
GetLastError.KERNEL32 ref: 00007FF738F3CD71

Strings

U, xrefs: 00007FF738F3CCFB

Memory Dump Source

Source File: 00000001.00000002.2505628041.00007FF738F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF738F20000, based on PE: true

Associated: 00000001.00000002.2505603497.00007FF738F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505659057.00007FF738F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505694281.00007FF738F61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2505747843.00007FF738F64000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff738f20000_WTvNL75dCr.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: 35b416897f406fb6e0a20ffc2ff908a289eb2d1b04bf305f84313e06444a5669
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: BC41E333B18A8291DB20AF25E4443BAE7A0FB88784F844131EE4D87788EF7ED401D754

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WTvNL75dCr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WTvNL75dCr.exe_9e582b949571b490dfc358bda39d6d65633a8_e366b6b7_e1cddcb4-52e3-4ff0-9757-9cc16e5c6c23\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96D8.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97B3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F3.tmp.xml

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\MSVCP140.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\MSVCP140_1.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Core.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5DBus.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Gui.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Network.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Qml.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5QmlModels.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Quick.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Svg.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5WebSockets.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\Qt5Widgets.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\d3dcompiler_47.dll

C:\Users\user\AppData\Local\Temp\_MEI69322\PyQt5\Qt5\bin\libEGL.dll

Windows Analysis Report
WTvNL75dCr.exe