Edit tour

Windows Analysis Report
wp-s2.exe

Overview

General Information

Sample name:	wp-s2.exe
Analysis ID:	1578736
MD5:	62370a84134040d803eae9a4bd34342c
SHA1:	207f73ffdcdfa2cb5d713e13385a8c65bb19adf7
SHA256:	e84a1edd3826ccb96eadc6d62410361e7820f3c5bc8b7ba308278f33aa2266e4
Tags:	exeuser-smica83
Infos:

Detection

Python BackDoor

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Python BackDoor

AI detected suspicious sample

Opens network shares

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

IP address seen in connection with other malware

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

wp-s2.exe (PID: 6524 cmdline: "C:\Users\user\Desktop\wp-s2.exe" MD5: 62370A84134040D803EAE9A4BD34342C)

wp-s2.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\wp-s2.exe" MD5: 62370A84134040D803EAE9A4BD34342C)

systeminfo.exe (PID: 6944 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

conhost.exe (PID: 6996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4144 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 2688 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5676 cmdline: wmic computersystem get manufacturer MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

WerFault.exe (PID: 6632 cmdline: C:\Windows\system32\WerFault.exe -u -p 6752 -s 940 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2082080905.000001B81E841000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security
00000001.00000003.1755036913.000001B81EABA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security
00000001.00000003.1755225796.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security
00000001.00000003.1758008751.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security
00000001.00000003.1755864798.000001B81EABD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security
00000001.00000003.1757583955.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security
00000001.00000003.1756150289.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security
00000001.00000002.2082516614.000001B81EAA1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security
00000001.00000003.1757204060.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security
Process Memory Space: wp-s2.exe PID: 6752	JoeSecurity_PythonBackDoor_1	Yara detected Python BackDoor	Joe Security
Click to see the 5 entries

Code function: 0_2_00007FF6D09E76C0 GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,

0_2_00007FF6D09E76C0

Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI65242\unicodedata.pyd	Jump to dropped file

Source: C:\Users\user\Desktop\wp-s2.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_1-3648

Source: C:\Users\user\Desktop\wp-s2.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-17415

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Manufacturer FROM Win32_ComputerSystem

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09E9280 FindFirstFileExW,FindClose,	0_2_00007FF6D09E9280
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09E83C0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00007FF6D09E83C0
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D0A01874 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00007FF6D0A01874
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 1_2_00007FF6D09E9280 FindFirstFileExW,FindClose,	1_2_00007FF6D09E9280

Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\	Jump to behavior

Source: wp-s2.exe, 00000000.00000003.1741579600.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
Source: wp-s2.exe, 00000001.00000003.1755036913.000001B81EABA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1755864798.000001B81EABD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMUr
Source: wp-s2.exe, 00000001.00000003.1757204060.000001B81E73F000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1758008751.000001B81E73F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wp-s2.exe, 00000001.00000002.2082080905.000001B81E650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wp-s2.exe, 00000001.00000002.2087212203.00007FFDF9C98000.00000008.00000001.01000000.0000001E.sdmp	Binary or memory string: .?AVQEmulationPaintEngine@@
Source: wp-s2.exe, 00000001.00000002.2082426797.000001B81E950000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: bfQEMU

Source: C:\Users\user\Desktop\wp-s2.exe

API call chain: ExitProcess graph end node

graph_1-3657

Source: C:\Users\user\Desktop\wp-s2.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\wp-s2.exe

Code function: 0_2_00007FF6D09FA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6D09FA614

Source: C:\Users\user\Desktop\wp-s2.exe

Code function: 0_2_00007FF6D0A03480 GetProcessHeap,

0_2_00007FF6D0A03480

Source: C:\Users\user\Desktop\wp-s2.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09ED30C SetUnhandledExceptionFilter,	0_2_00007FF6D09ED30C
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09FA614 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6D09FA614
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09ED12C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6D09ED12C
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09EC8A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6D09EC8A0

Source: C:\Users\user\Desktop\wp-s2.exe	Process created: C:\Users\user\Desktop\wp-s2.exe "C:\Users\user\Desktop\wp-s2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get manufacturer	Jump to behavior

Source: C:\Users\user\Desktop\wp-s2.exe

Code function: 0_2_00007FF6D0A09570 cpuid

0_2_00007FF6D0A09570

Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtCore.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\sip.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\_hashlib.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer\md__mypyc.cp313-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\psutil VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\psutil\_psutil_windows.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtWidgets.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtGui.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qminimal.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qoffscreen.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qwebgl.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\Desktop\wp-s2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI65242 VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\wp-s2.exe

Code function: 0_2_00007FF6D09ED010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6D09ED010

Source: C:\Users\user\Desktop\wp-s2.exe

Code function: 0_2_00007FF6D0A05C00 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6D0A05C00

Stealing of Sensitive Information

Yara detected Python BackDoor

Source: Yara match	File source: 00000001.00000002.2082080905.000001B81E841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1755036913.000001B81EABA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1755225796.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1758008751.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1755864798.000001B81EABD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1757583955.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1756150289.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2082516614.000001B81EAA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1757204060.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wp-s2.exe PID: 6752, type: MEMORYSTR

Opens network shares

Source: C:\Users\user\Desktop\wp-s2.exe

File opened: \\Mac\shared\projects\loader\src\dropper\src\tmp\_main.py

Jump to behavior

Remote Access Functionality

Yara detected Python BackDoor

Source: Yara match	File source: 00000001.00000002.2082080905.000001B81E841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1755036913.000001B81EABA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1755225796.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1758008751.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1755864798.000001B81EABD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1757583955.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1756150289.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2082516614.000001B81EAA1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1757204060.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wp-s2.exe PID: 6752, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	12 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	2 System Time Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	141 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	44 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wp-s2.exe	8%	Virustotal		Browse
wp-s2.exe	5%	ReversingLabs	Win64.Trojan.Generic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\MSVCP140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\MSVCP140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Core.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5DBus.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Gui.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Network.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Qml.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5QmlModels.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Quick.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Svg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5WebSockets.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Widgets.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\d3dcompiler_47.dll	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\opengl32sw.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qgif.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qicns.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qico.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qsvg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qtga.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qtiff.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qwebp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qminimal.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qwebgl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qwindows.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtCore.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtGui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtWidgets.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\sip.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\_wmi.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer\md.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\libcrypto-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\libffi-8.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\libssl-3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\psutil\_psutil_windows.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\python3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\python313.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI65242\select.pyd	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nodejs.org	104.20.22.46	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://github.com/giampaolo/psutil/issues/875.	wp-s2.exe, 00000001.00000002.2084943619.000001B81FBF4000.00000004.00001000.00020000.00000000.sdmp	false	high
https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip	wp-s2.exe, 00000001.00000002.2082426797.000001B81E950000.00000004.00001000.00020000.00000000.sdmp	false	high
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp	false	high
https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file	wp-s2.exe, 00000001.00000002.2082080905.000001B81E782000.00000004.00000020.00020000.00000000.sdmp	false	high
http://goo.gl/zeJZl.	wp-s2.exe, 00000001.00000002.2083815498.000001B81F3B0000.00000004.00001000.00020000.00000000.sdmp	false	high
https://tools.ietf.org/html/rfc2388#section-4.4	wp-s2.exe, 00000001.00000003.1762017406.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759396614.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64	wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760549875.000001B81E3D2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://packaging.python.org/en/latest/specifications/entry-points/#file-format	wp-s2.exe, 00000001.00000002.2082080905.000001B81E782000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	wp-s2.exe, 00000001.00000002.2082516614.000001B81EBFC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EBFC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC02000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2083312157.000001B81EE70000.00000004.00001000.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759396614.000001B81EC02000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EBFC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://cacerts.digi	wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://peps.python.org/pep-0205/	wp-s2.exe, 00000001.00000002.2082321401.000001B81E850000.00000004.00001000.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1756150289.000001B81E7BC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1750070545.000001B81E311000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757204060.000001B81E78C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1755225796.000001B81E7BC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.dhimyotis.com/certignarootca.crl	wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	false	high
http://curl.haxx.se/rfc/cookie_spec.html	wp-s2.exe, 00000001.00000003.1759279653.000001B81ECE8000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2083678251.000001B81F1C0000.00000004.00001000.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759279653.000001B81ED43000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ocsp.accv.es	wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	false	high
http://repository.swisssign.com/Y	wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.cert.fnmt.es/dpcs/K$	wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename	wp-s2.exe, 00000001.00000002.2081660537.000001B81E110000.00000004.00001000.00020000.00000000.sdmp	false	high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	wp-s2.exe, 00000001.00000002.2083478692.000001B81EF90000.00000004.00001000.00020000.00000000.sdmp	false	high
https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688	wp-s2.exe, 00000001.00000002.2081660537.000001B81E194000.00000004.00001000.00020000.00000000.sdmp	false	high
https://httpbin.org/get	wp-s2.exe, 00000001.00000002.2083678251.000001B81F1C0000.00000004.00001000.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code	wp-s2.exe, 00000001.00000002.2081660537.000001B81E110000.00000004.00001000.00020000.00000000.sdmp	false	high
https://wwww.certigna.fr/autorites/0m	wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/python/cpython/issues/86361.	wp-s2.exe, 00000001.00000003.1754622319.000001B81E803000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1754674201.000001B81E7FC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1756150289.000001B81E7BC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1758008751.000001B81E78C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E782000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757204060.000001B81E78C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1755225796.000001B81E7BC000.00000004.00000020.00020000.00000000.sdmp	false	high
http://mail.python.org/pipermail/python-dev/2012-June/120787.html.	wp-s2.exe, 00000001.00000002.2083678251.000001B81F1C0000.00000004.00001000.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
https://httpbin.org/	wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
https://wwww.certigna.fr/autorites/	wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module	wp-s2.exe, 00000001.00000002.2081660537.000001B81E110000.00000004.00001000.00020000.00000000.sdmp	false	high
https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches	wp-s2.exe, 00000001.00000002.2081660537.000001B81E110000.00000004.00001000.00020000.00000000.sdmp	false	high
http://www.color.org)	wp-s2.exe, 00000001.00000002.2087013621.00007FFDF9A2A000.00000002.00000001.01000000.0000001E.sdmp	false	high
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	wp-s2.exe, 00000001.00000002.2082516614.000001B81EBFC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EBFC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC02000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759396614.000001B81EC02000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EAA1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EBFC000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy	wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp	false	high
https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata	wp-s2.exe, 00000001.00000002.2083573190.000001B81F090000.00000004.00001000.00020000.00000000.sdmp	false	high
http://crl.securetrust.com/STCA.crl	wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	false	high
http://wwwsearch.sf.net/):	wp-s2.exe, 00000001.00000003.1760937335.000001B81ECC7000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759279653.000001B81ECE8000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1783712261.000001B81ECB6000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759396614.000001B81ECC7000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81ECB6000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81ECB6000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759279653.000001B81ED43000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/python/importlib_metadata/wiki/Development-Methodology	wp-s2.exe, 00000001.00000002.2082426797.000001B81E950000.00000004.00001000.00020000.00000000.sdmp	false	high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.accv.es/legislacion_c.htm	wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	false	high
http://tools.ietf.org/html/rfc6125#section-6.4.3	wp-s2.exe, 00000001.00000002.2083573190.000001B81F090000.00000004.00001000.00020000.00000000.sdmp	false	high
http://crl.xrampsecurity.com/XGCA.crl0	wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.cert.fnmt.es/dpcs/	wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://google.com/mail	wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E650000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
https://packaging.python.org/specifications/entry-points/	wp-s2.exe, 00000001.00000002.2083478692.000001B81EF90000.00000004.00001000.00020000.00000000.sdmp	false	high
http://www.accv.es00	wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.python.org/psf/license/)	wp-s2.exe, 00000001.00000002.2091458277.00007FFDFB888000.00000002.00000001.01000000.00000004.sdmp	false	high
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py	wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp	false	high
https://foss.heptapod.net/pypy/pypy/-/issues/3539	wp-s2.exe, 00000001.00000002.2083312157.000001B81EE70000.00000004.00001000.00020000.00000000.sdmp	false	high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1761764389.000001B81ECA7000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EB46000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EB46000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EB46000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
http://google.com/	wp-s2.exe, 00000001.00000002.2082080905.000001B81E782000.00000004.00000020.00020000.00000000.sdmp	false	high
https://mahler:8092/site-updates.py	wp-s2.exe, 00000001.00000003.1762895106.000001B81ED79000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1783712261.000001B81ED6D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760839874.000001B81ED58000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760907838.000001B81ED5D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81ED68000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.securetrust.com/SGCA.crl	wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	false	high
http://.../back.jpeg	wp-s2.exe, 00000001.00000002.2083678251.000001B81F1C0000.00000004.00001000.00020000.00000000.sdmp	false	high
https://tools.ietf.org/html/rfc7231#section-4.3.6)	wp-s2.exe, 00000001.00000002.2082080905.000001B81E650000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757135082.000001B81EB76000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757135082.000001B81EB97000.00000004.00000020.00020000.00000000.sdmp	false	high
https://httpbin.org/post	wp-s2.exe, 00000001.00000003.1756636619.000001B81E6CE000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757583955.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1756150289.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1758008751.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E73E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source	wp-s2.exe, 00000001.00000002.2081660537.000001B81E194000.00000004.00001000.00020000.00000000.sdmp	false	high
https://github.com/Ousret/charset_normalizer	wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.firmaprofesional.com/cps0	wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec	wp-s2.exe, 00000001.00000002.2081660537.000001B81E110000.00000004.00001000.00020000.00000000.sdmp	false	high
https://github.com/urllib3/urllib3/issues/2920	wp-s2.exe, 00000001.00000002.2083573190.000001B81F090000.00000004.00001000.00020000.00000000.sdmp	false	high
http://crl.securetrust.com/SGCA.crl0	wp-s2.exe, 00000001.00000002.2082516614.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp	false	high
https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data	wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp	false	high
https://yahoo.com/	wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E650000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.securetrust.com/STCA.crl0	wp-s2.exe, 00000001.00000002.2082516614.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6	wp-s2.exe, 00000001.00000002.2082080905.000001B81E650000.00000004.00000020.00020000.00000000.sdmp	false	high
https://html.spec.whatwg.org/multipage/	wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.quovadisglobal.com/cps0	wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl	wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings	wp-s2.exe, 00000001.00000002.2083478692.000001B81EF90000.00000004.00001000.00020000.00000000.sdmp	false	high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0	wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.rfc-editor.org/rfc/rfc8259#section-8.1	wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E650000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
https://requests.readthedocs.io	wp-s2.exe, 00000001.00000002.2083815498.000001B81F344000.00000004.00001000.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1756636619.000001B81E6CE000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757583955.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1756150289.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1758008751.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E73E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.quovadisglobal.com/cpsJ	wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	false	high
http://repository.swisssign.com/	wp-s2.exe, 00000001.00000002.2082080905.000001B81E782000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
http://crl.xrampsecurity.com/XGCA.crl	wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.python.org	wp-s2.exe, 00000001.00000003.1756636619.000001B81E6CE000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757583955.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1756150289.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1758008751.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E73E000.00000004.00000020.00020000.00000000.sdmp	false	high
http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/	wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.accv.es/legislacion_c.htm0U	wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.aiim.org/pdfa/ns/id/	wp-s2.exe, 00000001.00000002.2087013621.00007FFDF9A2A000.00000002.00000001.01000000.0000001E.sdmp	false	high
http://ocsp.accv.es0	wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.python.org/	wp-s2.exe, 00000001.00000003.1762895106.000001B81ED79000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1783712261.000001B81ED6D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760839874.000001B81ED58000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760907838.000001B81ED5D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81ED68000.00000004.00000020.00020000.00000000.sdmp	false	high
https://json.org	wp-s2.exe, 00000001.00000002.2082516614.000001B81EAA1000.00000004.00000020.00020000.00000000.sdmp	false	high
https://docs.python.org/3/howto/mro.html.	wp-s2.exe, 00000001.00000002.2081983260.000001B81E550000.00000004.00001000.00020000.00000000.sdmp	false	high
https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package	wp-s2.exe, 00000001.00000002.2081660537.000001B81E110000.00000004.00001000.00020000.00000000.sdmp	false	high
https://twitter.com/	wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
https://stackoverflow.com/questions/4457745#4457745.	wp-s2.exe, 00000001.00000002.2084943619.000001B81FBF4000.00000004.00001000.00020000.00000000.sdmp	false	high
http://www.quovadisglobal.com/cps	wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module	wp-s2.exe, 00000001.00000002.2081660537.000001B81E194000.00000004.00001000.00020000.00000000.sdmp	false	high
https://google.com/	wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
https://google.com/mail/	wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	false	high
http://google.com/mail/	wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760549875.000001B81E3D2000.00000004.00000020.00020000.00000000.sdmp	false	high
https://github.com/urllib3/urllib3/issues/3290	wp-s2.exe, 00000001.00000002.2083573190.000001B81F090000.00000004.00001000.00020000.00000000.sdmp	false	high
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlsj	wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.openssl.org/H	wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2089805565.00007FFDFAC24000.00000002.00000001.01000000.00000014.sdmp, wp-s2.exe, 00000001.00000002.2093031370.00007FFE013D0000.00000002.00000001.01000000.00000015.sdmp	false	high
http://crl.certigna.fr/certignarootca.crl01	wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.cert.fnmt.es/dpcs/0	wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp	false	high
https://peps.python.org/pep-0263/	wp-s2.exe, 00000001.00000002.2091458277.00007FFDFB888000.00000002.00000001.01000000.00000004.sdmp	false	high
https://github.com/psf/requests/pull/6710	wp-s2.exe, 00000001.00000002.2083815498.000001B81F344000.00000004.00001000.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.20.22.46	nodejs.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578736
Start date and time:	2024-12-20 09:54:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wp-s2.exe
Detection:	MAL
Classification:	mal68.troj.spyw.evad.winEXE@13/142@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 77% Number of executed functions: 62 Number of non-executed functions: 78
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.109.210.53, 20.190.177.21, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:55:11	API Interceptor	1x Sleep call for process: wp-s2.exe modified
03:55:12	API Interceptor	1x Sleep call for process: WMIC.exe modified
03:55:40	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.20.22.46	wp-cent.exe	Get hash	malicious	Python BackDoor	Browse
	wp-cent.exe	Get hash	malicious	Python BackDoor	Browse
	WTvNL75dCr.exe	Get hash	malicious	Python BackDoor	Browse
	WTvNL75dCr.exe	Get hash	malicious	Python BackDoor	Browse
	wmdqEYgW2i.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Bootstrapper.exe	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Python BackDoor	Browse
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
nodejs.org	wp-cent.exe	Get hash	malicious	Python BackDoor	Browse	104.20.22.46
	wp-cent.exe	Get hash	malicious	Python BackDoor	Browse	104.20.22.46
	WTvNL75dCr.exe	Get hash	malicious	Python BackDoor	Browse	104.20.22.46
	WTvNL75dCr.exe	Get hash	malicious	Python BackDoor	Browse	104.20.22.46
	wmdqEYgW2i.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.20.22.46
	Bootstrapper.exe	Get hash	malicious	Unknown	Browse	104.20.22.46
	https://f29cc861.solaraweb-alj.pages.dev/download/static/files/Bootstrapper.exe	Get hash	malicious	HTMLPhisher	Browse	104.20.23.46
	download.ps1	Get hash	malicious	Python BackDoor	Browse	104.20.22.46
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse	104.20.22.46

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	104.21.67.146
	https://u46509964.ct.sendgrid.net/ls/click?upn=u001.16O0hg1-2FLz1kpPxGHUZbqTUnkidniSFIXbuQ0K27NKGR5E4qQP4y3-2BK2LCxUfHTmD8VAoWu9fqrv96heRY-2BDaw-3D-3DTW9l_kcz-2FW2m7wWBC5iX2nmYizXpnEWoSr8Rc5lqOd2Tm8BrX2ha7XCwhAEdfUnTDQdcFlDoClQCenTHrYqYGrvROsmQGK19xExQ3O8UU0JUBZANb3FsycXG0lXfAeU6Ge3kEKNmMydUTpk2mvytxKM8NWM4-2BCe9md9gsZjY-2FmreGd712h4QJlOUlhQy19VQuOzLTR0hg5YGbygTAwGERJ0n3IsJQDuwHOGcAqA18p5ElbhIowXEJo1-2FUNhaAkl3hll56dS6aJMfJ2Cg7jctNhsypZwMqKm18nIQwqxy0HjDjPtDlRcWFBii-2BIabVdhAMwhtvbY-2BhH45kGHgqL1VbALLhTExLjDfFJ4Mdg1hbx5shtVSm69xnT8S0os3NwgUPcP6MZcGvFpVYjCIpNJRmEhnpApXmFzR0GdBotdIKDeKv3ZVh61As-2FSNo3vfT6a-2F1G6CSiTaxzhsqh2H-2BbaxKc9CNbAVT-2BT7dLfv3mwuz99sF3ZWYAQVhK-2FC3sPsTl5X4hdzGiFwatwFf8YUFBISMNX22jwRHFRxLR66dQgVtYo7IumZ-2FOZfPJ2G3u57Las-2FXsx3SO8XE1W1y4QspPQeH1YjVMsZnAeeR8w-2FvWRwY1A7qeifyIBD1fUq-2B4bmZYMnqZ3q5oEXMCBqA-2Fhiv6OawVXsyA5vOFgFJ9F0GjgBX8N-2FlVTcBHanqEGbxSYzxEvDD4r3DBgXj6FxUKNaXGPhd18AzzCXeX88LcJxWAPd-2Fv7JiB88FpQ5kwb7TyWiLLfMzbetfGykMOctbu8W3BbDsIyadCguknOKT9sBLCEKiPAam3h8kh-2BsXXxkR2EvqCeFfErZ3PwKa1SVHAEbQojZZV7jqlLyJR8KYd7Ob5ZMYMENFHn0kgSi7eB-2FawHwHTrEhLDYX-2BOWrkMOQimBc4NTUUy5DbdiVfhlyh7bL6srP-2ByInzpsE8pygdal5s3pCDu8-2F94-2B1f3C1MQ9-2FkWFJVilN3Xiglg-3D-3D	Get hash	malicious	Unknown	Browse	104.18.142.119
	ktyihkdfesf.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	pjthjsdjgjrtavv.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	Captcha.hta	Get hash	malicious	LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	172.67.197.170
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	172.67.180.113
	8ZVMneG.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	https://us-east-2.protection.sophos.com/?d=purogosouls.github.io&u=aHR0cHM6Ly9wdXJvZ29zb3Vscy5naXRodWIuaW8vNjRkczZmNHM5ZDRmODlzZDRzZjQ2c2Q0ZjYv&i=NWQ0M2E1N2M3M2U5MzQxMGM1NjBhNmQ1&t=dEtlN04wQWZmZ0hqZlpiZEYwVXZ4NHFvc2NQNGtsUWl4Unlndk5helZOaz0=&h=356f16f6a39049efa5b305c7477e094a&s=AVNPUEhUT0NFTkNSWVBUSVZaHP6eDnex344kFPbGkNGwPXEfGJHtcvdIV0gRc1_JzA%20us-east-2.protection.sophos.com	Get hash	malicious	HTMLPhisher	Browse	104.21.49.70
	Laurier Partners Proposal.eml	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Dec 2024_12192924_Image.pdf	Get hash	malicious	HTMLPhisher	Browse	104.21.49.70

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\MSVCP140.dll	wp-cent.exe	Get hash	malicious	Python BackDoor	Browse
	wp-cent.exe	Get hash	malicious	Python BackDoor	Browse
	WTvNL75dCr.exe	Get hash	malicious	Python BackDoor	Browse
	WTvNL75dCr.exe	Get hash	malicious	Python BackDoor	Browse
	FileScanner.exe	Get hash	malicious	Unknown	Browse
	MacAttack.exe	Get hash	malicious	Unknown	Browse
	download.ps1	Get hash	malicious	Python BackDoor	Browse
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse
	y3x8pjQ1Ci.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wp-s2.exe_2b6876b9d34de520d6e735f39948ec398686c89_c328f930_b0376b47-ba39-491c-9596-7ac4d71d83ae\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.349222188555734
Encrypted:	false
SSDEEP:	192:uaIsFgF0pgzHjoR7uZ54nuoYv6KjBw9PNU4dLaJ1oTLwnCQML4LgV8gv1SnYzuiR:NBgmpgzHj0vwnVoRzuiFyY4lO8Y
MD5:	7A6B5A1978708A116A670B663A7DD2D0
SHA1:	4DEBE5048C4338B70376799B5B6A3D267E06682D
SHA-256:	63BB11795D18BF14FDA5499BE7C8AF6DFABD544FC8A23AF0D10F36D37CB725B8
SHA-512:	22FC6C6CF89D2C442AED026981B8CDB683D446CE84CF53EEEA9A0AFFD7223EE2486FD9D65C5FA6B67C4985AF46F08C790115B49D8AD878EA8929342868C65406
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.1.5.8.5.1.7.5.9.7.6.8.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.1.5.8.5.1.8.5.8.2.0.6.7.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.0.3.7.6.b.4.7.-.b.a.3.9.-.4.9.1.c.-.9.5.9.6.-.7.a.c.4.d.7.1.d.8.3.a.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.8.e.f.3.7.5.3.-.9.3.f.0.-.4.6.2.8.-.b.1.b.d.-.0.a.9.6.a.7.d.8.4.7.6.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.w.p.-.s.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.6.0.-.0.0.0.1.-.0.0.1.4.-.b.e.8.5.-.6.5.d.e.b.c.5.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.4.7.4.a.d.6.1.0.0.0.a.e.e.2.d.c.d.d.5.d.b.0.c.b.0.e.5.e.8.a.f.0.0.0.0.f.f.f.f.!.0.0.0.0.8.7.c.e.8.6.a.7.6.9.e.f.3.9.e.f.b.4.d.c.f.c.1.7.6.1.8.7.7.d.8.3.7.c.5.2.f.b.a.c.!.w.p.-.s.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.1.6.:.1.2.:.3.1.:.5.9.!.2.4.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2C0.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Dec 20 08:55:18 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	144436
Entropy (8bit):	1.9421565353130301
Encrypted:	false
SSDEEP:	768:bcLTurEZ4GBOVF97394bATvFqdpwfDPz1MA7gvTX30:0Z7yT73m0TIdpwfDPZMA7gvTn0
MD5:	6B9F899158566F33A092C1F5B69F3932
SHA1:	7931429D35AB3AED0ADC3596D911D31BAF21B327
SHA-256:	FF807F9A38753788E0E582DED3B1BF896B1C9BB4E3BCB98155D582545F792302
SHA-512:	21EFF5EE8F719C1DEF29E86A7D90BFF9594898F2F8C682479B63E7AE54359FAC40314DB18F5C39DF7F0480A255616ABA0C8FBE50D7C71DBF363773D576D54616
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........0eg............T............%..h.......$....-......D....a..........`.......8...........T............%..T........................0..............................................................................eJ.......0......Lw......................T.......`....0eg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5DE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9594
Entropy (8bit):	3.7056229869654995
Encrypted:	false
SSDEEP:	192:R6l7wVeJUj5bY6YfN1lXgmf7lpDG89beT1ffKm:R6lXJu5bY6YF1lXgmf7/eBfj
MD5:	C1A67317E75B7C1AE5985B0BF8843354
SHA1:	AB459C5C388CAA19489867579D8DDC45276429AC
SHA-256:	5D4D42F89F005D078B8B23E541D4047A1EAF3945A97FE210DA6993D7E0D0BD1D
SHA-512:	9C3CF92584F3050D8B6900801AC848B53750E76F74DE87C1430FEF351D347F3341A26AEB1C6F3087229A081B8471E58A9061DBFE40CFCC0EF58778D754283E30
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD60D.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4735
Entropy (8bit):	4.429004525698766
Encrypted:	false
SSDEEP:	48:cvIwWl8zs0qJg771I9D4WpW8VYtYm8M4JzWDFwEyq8vVWanGR88zL+d:uIjf7I78x7VFJaqEWUanGR88zL+d
MD5:	BE2F2A3FF5CD0B4BA6C13629FE5DC5F4
SHA1:	FEC1661D3ABDAD2679EC9E32C07E1E5C2E177402
SHA-256:	ADA20F0A7A8D5A2C0B04A078941717488F72D7D82935721B54705E79350EE1E7
SHA-512:	43FA91F6453213B803811C42ED7C28CC9464D3D95F2B3E8E74E1FC129E647BED2B4D950FBC8AFF8BF55C7FA30527EB6FEF50C1F5E869CC07A8FA32E29FF07604
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="639357" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\MSVCP140.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	590112
Entropy (8bit):	6.461874649448891
Encrypted:	false
SSDEEP:	12288:xI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRkdQEKZm+jWodEEVh51:xD89rxZfQEKZm+jWodEEP5
MD5:	01B946A2EDC5CC166DE018DBB754B69C
SHA1:	DBE09B7B9AB2D1A61EF63395111D2EB9B04F0A46
SHA-256:	88F55D86B50B0A7E55E71AD2D8F7552146BA26E927230DAF2E26AD3A971973C5
SHA-512:	65DC3F32FAF30E62DFDECB72775DF870AF4C3A32A0BF576ED1AAAE4B16AC6897B62B19E01DC2BF46F46FBE3F475C061F79CBE987EDA583FEE1817070779860E5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: wp-cent.exe, Detection: malicious, Browse Filename: wp-cent.exe, Detection: malicious, Browse Filename: WTvNL75dCr.exe, Detection: malicious, Browse Filename: WTvNL75dCr.exe, Detection: malicious, Browse Filename: FileScanner.exe, Detection: malicious, Browse Filename: MacAttack.exe, Detection: malicious, Browse Filename: download.ps1, Detection: malicious, Browse Filename: y3x8pjQ1Ci.exe, Detection: malicious, Browse Filename: y3x8pjQ1Ci.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........LS..-=..-=..-=.....-=..U...-=..-<.k-=.gB<..-=.gB9..-=.gB>..-=.gB8.=-=.gB=..-=.gB..-=.gB?..-=.Rich.-=.........PE..d.....t^.........." .....@..........."...............................................z....`A.........................................j..h....D..,...............L;...... A......(...@...8...............................0............P.......f..@....................text...,>.......@.................. ..`.rdata..r....P.......D..............@..@.data....:...`..."...N..............@....pdata..L;.......<...p..............@..@.didat..h...........................@....rsrc...............................@..@.reloc..(...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\MSVCP140_1.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	6.499754548353504
Encrypted:	false
SSDEEP:	384:rOY/H1SbuIqnX8ndnWc95gW3C8c+pBj0HRN7bULkcyHRN7rxTO6iuQl9xiv:yYIBqnMdxxWd4urv
MD5:	0FE6D52EB94C848FE258DC0EC9FF4C11
SHA1:	95CC74C64AB80785F3893D61A73B8A958D24DA29
SHA-256:	446C48C1224C289BD3080087FE15D6759416D64F4136ADDF30086ABD5415D83F
SHA-512:	C39A134210E314627B0F2072F4FFC9B2CE060D44D3365D11D8C1FE908B3B9403EBDD6F33E67D556BD052338D0ED3D5F16B54D628E8290FD3A155F55D36019A86
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.{.zl..zl..zl......xl..s...~l.....}l.....xl..zl..Ql......l.....il.....{l.....{l.....{l..Richzl..................PE..d.....t^.........." .........$......p.....................................................`A........................................p>..L....?..x....p.......`..X....:...A......p...P3..8............................3..0............0..@............................text............................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata..X....`.......0..............@..@.rsrc........p.......4..............@..@.reloc..p............8..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Core.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6023664
Entropy (8bit):	6.768988071491288
Encrypted:	false
SSDEEP:	98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
MD5:	817520432A42EFA345B2D97F5C24510E
SHA1:	FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
SHA-256:	8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
SHA-512:	8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......D.............................UJ......................................................W.....,..................r....................Rich............PE..d...;._.........." ..........-.......-......................................`\.....x.\...`...........................................L..O....T...... \.......U.. ....[......0\..%..,.H.T.....................H.(.....H.0............./.H............................text............................... ..`.rdata..F7%.../..8%.................@..@.data...x....PT..\...6T.............@....pdata... ....U.."....T.............@..@.qtmimed.....0W.......V.............@..P.rsrc........ \.......[.............@..@.reloc...%...0\..&....[.............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5DBus.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	436720
Entropy (8bit):	6.392610185061176
Encrypted:	false
SSDEEP:	6144:ZLvnUJ17UTGOkWHUe/W9TgYMDu96ixMZQ8IlXbKgp8aIDeN:KP7cGOGegTwu96ixMZQtlrPN
MD5:	0E8FF02D971B61B5D2DD1AC4DF01AE4A
SHA1:	638F0B46730884FA036900649F69F3021557E2FE
SHA-256:	1AA70B106A10C86946E23CAA9FC752DC16E29FBE803BBA1F1AB30D1C63EE852A
SHA-512:	7BA616EDE66B16D9F8B2A56C3117DB49A74D59D0D32EAA6958DE57EAC78F14B1C7F2DBBA9EAE4D77937399CF14D44535531BAF6F9DB16F357F8712DFAAE4346A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D..............+...../............).....+...O.+....+....O./...O....O..........O.(...Rich..........................PE..d...]._.........." .....\...<.......\..............................................K.....`..........................................h..to...................`...Q..............4.......T.......................(...`...0............p...............................text...yZ.......\.................. ..`.rdata..0....p.......`..............@..@.data...X....@......."..............@....pdata...Q...`...R...2..............@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Gui.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	7008240
Entropy (8bit):	6.674290383197779
Encrypted:	false
SSDEEP:	49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
MD5:	47307A1E2E9987AB422F09771D590FF1
SHA1:	0DFC3A947E56C749A75F921F4A850A3DCBF04248
SHA-256:	5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
SHA-512:	21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......QH^~.)0-.)0-.)0-.Q.-.)0-...-.)0-.F4,.)0-.F3,.)0-.F5,.)0-.F1,.)0-.Y1,.)0-.B5,.)0-.B1,.)0-.)1-m,0-.Y4,.)0-.Y5,\|(0-.Y0,.)0-.Y.-.)0-.).-.)0-.Y2,.)0-Rich.)0-................PE..d....._.........." ......?...+.....X.?.......................................k.....R.k...`.........................................pKK.....d.e.\|....`k.......g.......j......pk..6....F.T................... .F.(.....F.0.............?.p+...........................text...2.?.......?................. ..`.rdata...z&...?..\|&...?.............@..@.data....o... f.......f.............@....pdata........g.......f.............@..@.rsrc........`k.......j.............@..@.reloc...6...pk..8....j.............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Network.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1340400
Entropy (8bit):	6.41486755163134
Encrypted:	false
SSDEEP:	24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI
MD5:	3569693D5BAE82854DE1D88F86C33184
SHA1:	1A6084ACFD2AA4D32CEDFB7D9023F60EB14E1771
SHA-256:	4EF341AE9302E793878020F0740B09B0F31CB380408A697F75C69FDBD20FC7A1
SHA-512:	E5EFF4A79E1BDAE28A6CA0DA116245A9919023560750FC4A087CDCD0AB969C2F0EEEC63BBEC2CD5222D6824A01DD27D2A8E6684A48202EA733F9BB2FAB048B32
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........Yt..7'..7'..7'...'..7'..3&..7'}.3&..7'}.4&..7'}.2&..7'}.6&..7'..6&..7'0.6&..7'..6'c.7'0.2&2.7'0.7&..7'0..'..7'...'..7'0.5&..7'Rich..7'........................PE..d....._.........." .................................................................c....`......................................... ....n..,...h....................X..........,.......T...................p...(...@...0............................................text...C........................... ..`.rdata...g.......h..................@..@.data...XN...@...2... ..............@....pdata...............R..............@..@.rsrc................>..............@..@.reloc..,............D..............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Qml.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3591664
Entropy (8bit):	6.333693598000157
Encrypted:	false
SSDEEP:	98304:iPnt09+kVh2NrSdSG779LLLS/o/L4YqoY0Xba+mRRH2T:iPnt2ZVhT
MD5:	D055566B5168D7B1D4E307C41CE47C4B
SHA1:	043C0056E9951DA79EC94A66A784972532DC18EF
SHA-256:	30035484C81590976627F8FACE9507CAA8581A7DC7630CCCF6A8D6DE65CAB707
SHA-512:	4F12D17AA8A3008CAA3DDD0E41D3ED713A24F9B5A465EE93B2E4BECCF876D5BDF0259AA0D2DD77AD61BB59DC871F78937FFBE4D0F60638014E8EA8A27CAF228D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.4...Z...Z...Z......Z..^...Z..Y...Z.._...Z..[...Z...[...Z...[...Z...[...Z..._...Z...Z...Z.......Z......Z...X...Z.Rich..Z.........PE..d......_.........." .....^$..........O$.......................................7.....}.7...`...........................................,......2.......6.......4. .....6.......6..J....).T.....................).(...p.).0............p$..%...........................text....\$......^$................. ..`.rdata......p$......b$.............@..@.data.........3..n....2.............@....pdata.. .....4......l4.............@..@.rsrc.........6......`6.............@..@.reloc...J....6..L...f6.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5QmlModels.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	438768
Entropy (8bit):	6.312090336793804
Encrypted:	false
SSDEEP:	6144:k1tE6lq982HdyuEZ5gw+VHDZjZ0yOWm7Vdcm4GyasLCZCu6vdQp:k1tEuq9Hdyuo5gwguyOtVIup
MD5:	2030C4177B499E6118BE5B9E5761FCE1
SHA1:	050D0E67C4AA890C80F46CF615431004F2F4F8FC
SHA-256:	51E4E5A5E91F78774C44F69B599FAE4735277EF2918F7061778615CB5C4F6E81
SHA-512:	488F7D5D9D8DEEE9BBB9D63DAE346E46EFEB62456279F388B323777999B597C2D5AEA0EE379BDF94C9CBCFD3367D344FB6B5E90AC40BE2CE95EFA5BBDD363BCC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..<...<...<...5.H.4...(...>.......*.......4.......8.......8......9...<...g....../......=....$.=...<.L.=......=...Rich<...................PE..d...M.._.........." .....(...r......d+..............................................MF....`.........................................0E...^..0................`.. F..................H...T.......................(.......0............@...............................text...N&.......(.................. ..`.rdata.......@.......,..............@..@.data...x/...0...(..................@....pdata.. F...`...H...>..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Quick.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4148720
Entropy (8bit):	6.462183686222023
Encrypted:	false
SSDEEP:	49152:EcDwCQsvkBD+ClI3IAVLA7Tr15SokomoqxQhT2bAssCFEUGX5ig:E7CKPsA3p0Z/QV/sS3Ag
MD5:	65F59CFC0C1C060CE20D3B9CEFFBAF46
SHA1:	CFD56D77506CD8C0671CA559D659DAB39E4AD3C2
SHA-256:	C81AD3C1111544064B1830C6F1AEF3C1FD13B401546AB3B852D697C0F4D854B3
SHA-512:	D6F6DC19F1A0495026CBA765B5A2414B6AF0DBFC37B5ACEED1CD0AE37B3B0F574B759A176D75B01EDD74C6CE9A3642D3D29A3FD7F166B53A41C8978F562B4B50
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!Fvge'.4e'.4e'.4l_.4i'.4.H.5m'.4.H.5a'.4.H.5\|'.4.H.5c'.4.W.5o'.4qL.5`'.4e'.4.,.4.W.5.'.4.W.5d'.4.W.4d'.4e'.4d'.4.W.5d'.4Riche'.4........................PE..d......_.........." ......%..B......L.$.......................................?.......?...`.........................................0)2.P.....8.T.....>.......<..^...2?.......?.py......T.......................(.......0............ %..\...........................text.....%.......%................. ..`.rdata....... %.......%.............@..@.data....I...@;..2... ;.............@....pdata...^....<..`...R<.............@..@.rsrc.........>.......>.............@..@.reloc..py....?..z....>.............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Svg.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	330736
Entropy (8bit):	6.381828869454302
Encrypted:	false
SSDEEP:	6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
MD5:	03761F923E52A7269A6E3A7452F6BE93
SHA1:	2CE53C424336BCC8047E10FA79CE9BCE14059C50
SHA-256:	7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
SHA-512:	DE0FF8EBFFC62AF279E239722E6EEDD0B46BC213E21D0A687572BFB92AE1A1E4219322233224CA8B7211FFEF52D26CB9FE171D175D2390E3B3E6710BBDA010CB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............_._._..*_._,.^._..^._,.^._,.^._,.^._a.^._._=.._a.^._a.^._a.F_._.._._a.^._Rich._................PE..d......_.........." .........................................................@.......^....`.................................................((....... ...........0...........0..H...xL..T....................N..(....L..0............................................text............................... ..`.rdata..p...........................@..@.data...8...........................@....pdata...0.......2..................@..@.rsrc........ ......................@..@.reloc..H....0......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5WebSockets.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	149488
Entropy (8bit):	6.116105454277536
Encrypted:	false
SSDEEP:	3072:4sSkET6pEXb3loojg1Q2sorWvZXF2sorrLA7cG27Qhvvc:4sSd6pwzloDbsnX0sCrc7ct7QVc
MD5:	A016545F963548E0F37885E07EF945C7
SHA1:	CBE499E53AB0BD2DA21018F4E2092E33560C846F
SHA-256:	6B56F77DA6F17880A42D2F9D2EC8B426248F7AB2196A0F55D37ADE39E3878BC6
SHA-512:	47A3C965593B97392F8995C7B80394E5368D735D4C77F610AFD61367FFE7658A0E83A0DBD19962C4FA864D94F245A9185A915010AFA23467F999C833982654C2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'`.CF.KCF.KCF.KJ>.KGF.K.).JAF.KW-.JAF.K.).JVF.K.).JKF.K.).J@F.K.6.JFF.KCF.K.G.K.6.JPF.K.6.JBF.K.6.KBF.KCF.KBF.K.6.JBF.KRichCF.K........................PE..d......_.........." .....$..........t(.......................................p.......5....`............................................."..l........P.......0.......,.......`..L...hw..T....................x..(....w..0............@...............................text....".......$.................. ..`.rdata..z....@.......(..............@..@.data...x...........................@....pdata.......0......................@..@.rsrc........P......."..............@..@.reloc..L....`.......(..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Widgets.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5498352
Entropy (8bit):	6.619117060971844
Encrypted:	false
SSDEEP:	49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
MD5:	4CD1F8FDCD617932DB131C3688845EA8
SHA1:	B090ED884B07D2D98747141AEFD25590B8B254F9
SHA-256:	3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
SHA-512:	7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x..................I.......I.......I.......I...........................................9.................................Rich............PE..d....._.........." ......3..P .......3.......................................T......MT...`.........................................0.D.P^....L.h....pS......0P..8....S.......S.d.....?.T...................`.?.(...0.?.0.............3.._...........................text.....3.......3................. ..`.rdata..8.....3.......3.............@..@.data.........O......dO.............@....pdata...8...0P..:....O.............@..@.rsrc........pS......4S.............@..@.reloc..d.....S......:S.............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	101872
Entropy (8bit):	6.5661918084228725
Encrypted:	false
SSDEEP:	1536:RCKWZGuEK0mOLSTxoPl9GIcuZrxi4hXX9oix8H+NCIecbGShwZul:RFWY1WxgGStJ8H2CIecbG36
MD5:	971DBBE854FC6AB78C095607DFAD7B5C
SHA1:	1731FB947CD85F9017A95FDA1DC5E3B0F6B42CA2
SHA-256:	5E197A086B6A7711BAA09AFE4EA7C68F0E777B2FF33F1DF25A21F375B7D9693A
SHA-512:	B966AAB9C0D9459FADA3E5E96998292D6874A7078924EA2C171F0A1A50B0784C24CC408D00852BEC48D6A01E67E41D017684631176D3E90151EC692161F1814D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w.............t:..............................................................Rich....................PE..d.....t^.........." .........^.......................................................e....`A.........................................0..4....9.......p.......P.......L...A..............8........................... ...0............................................text...2........................... ..`.rdata...?.......@..................@..@.data...0....@.......4..............@....pdata.......P.......8..............@..@_RDATA.......`.......D..............@..@.rsrc........p.......F..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	44528
Entropy (8bit):	6.627837381503075
Encrypted:	false
SSDEEP:	384:Aim/NRETi8kykt25HwviU5fJUiP2551xWmbTqOA7SXf+Ny85xM8ATJWr3KWoC8cS:0Ie8kySL2iPQxdvjAevcMESW5lxJG
MD5:	6BC084255A5E9EB8DF2BCD75B4CD0777
SHA1:	CF071AD4E512CD934028F005CABE06384A3954B6
SHA-256:	1F0F5F2CE671E0F68CF96176721DF0E5E6F527C8CA9CFA98AA875B5A3816D460
SHA-512:	B822538494D13BDA947655AF791FED4DAA811F20C4B63A45246C8F3BEFA3EC37FF1AA79246C89174FE35D76FFB636FA228AFA4BDA0BD6D2C41D01228B151FD89
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .S.A...A...A..0.m..A..O....A...9...A...A...A..O....A..O....A..O....A..O....A..O.}..A..O....A..Rich.A..................PE..d.....t^.........." .....:...4......pA...............................................Z....`A.........................................j......\|k..x....................l...A......8....b..8...........................@b..0............P..X............................text....9.......:.................. ..`.rdata... ...P..."...>..............@..@.data................`..............@....pdata...............b..............@..@.rsrc................f..............@..@.reloc..8............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4173928
Entropy (8bit):	6.329102290474506
Encrypted:	false
SSDEEP:	49152:8BfmqCtLI4erBYysLjG/A8McPyCD6hw16JVTW7B3EgvVlQ3LAYmyNOvGJse+aWyb:8eZevVKACOvWYQF
MD5:	B0AE3AA9DD1EBD60BDF51CB94834CD04
SHA1:	EE2F5726AC140FB42D17ABA033D678AFAF8C39C1
SHA-256:	E994847E01A6F1E4CBDC5A864616AC262F67EE4F14DB194984661A8D927AB7F4
SHA-512:	756EBF4FA49029D4343D1BDB86EA71B2D49E20ADA6370FD7582515455635C73D37AD0DBDEEF456A10AB353A12412BA827CA4D70080743C86C3B42FA0A3152AA3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G..(.a.{.a.{.a.{..m{5a.{..l{.a.{.m{.a.{.o{.a.{.a.{.a.{.i{.a.{.l{.a.{.h{.a.{.q{.a.{.k{.a.{.n{.a.{Rich.a.{........................PE..d......R.........." ......;.........`.8......................................@@......a@...`...........................................;.u...P.>.d.....?.@.....=......t?.h<... ?..{..................................@a................>.P............................text.....;.......;................. ..`.data...h.....;.......;.............@....pdata........=......n<.............@..@.idata..@.....>......B>.............@..@.rsrc...@.....?......\>.............@..@.reloc....... ?......b>.............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\libEGL.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	25072
Entropy (8bit):	5.961464514165753
Encrypted:	false
SSDEEP:	384:KEyYvsyDQrjwgut4Maw+XZndDGg7Dgf2hU:RvszjwgocwOhdDGEUf2hU
MD5:	BB00EF1DD81296AF10FDFA673B4D1397
SHA1:	773FFCF4A231B963BAAC36CBEF68079C09B62837
SHA-256:	32092DE077FD57B6EF355705EC46C6D21F6D72FBE3D3A5DD628F2A29185A96FA
SHA-512:	C87C0868C04852B63A7399AFE4E568CD9A65B7B7D5FD63030ABEA649AAC5E9F2293AB5BE2B2CE56A57F2B4B1992AE730150A293ADA53637FC5CD7BE0A727CBD4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...Xv@.Xv@.Xv@. .@.Xv@.7wA.Xv@.3wA.Xv@.7sA.Xv@.7rA.Xv@.7uA.Xv@W(wA.Xv@.Xw@.Xv@W(sA.Xv@W(vA.Xv@W(.@.Xv@.X.@.Xv@W(tA.Xv@Rich.Xv@........PE..d...#._.........." .........0......................................................Z.....`.........................................`9.......B..d.......H....p.......F.......... ....3..T............................4..0............0...............................text............................... ..`.rdata..r#...0...$..................@..@.data........`.......:..............@....pdata.......p.......<..............@..@.rsrc...H............>..............@..@.reloc.. ............D..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\libGLESv2.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3385328
Entropy (8bit):	6.382356347494905
Encrypted:	false
SSDEEP:	49152:sU0O89Onk/cNTgO/WSLqfTPnK+9eaOiY95ZEQryD1pPG3L:MaHUKt3L
MD5:	2247EE4356666335DF7D72129AF8D600
SHA1:	F0131C1A67FC17C0E8DCC4A4CA38C9F1780E7182
SHA-256:	50FAD5605B3D57627848B3B84A744DFB6A045609B8236B04124F2234676758D8
SHA-512:	67F2A7BF169C7B9A516689CF1B16446CA50E57F099B9B742CCB1ABB2DCDE8867F8F6305AD8842CD96194687FC314715AE04C1942B0E0A4F51B592B028C5B16D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............t..t..t....t.A.p..t.A.w..t.A.q..t.A.u..t.u..t..u..t...q..t...t..t......t.....t...v..t.Rich..t.........PE..d....._.........." ......&.........L.&.......................................3.......3...`..........................................0..]....0.......3.P.....1.L.....3.......3..;...},.T...................P.,.(... ~,.0.............'..............................text...o.&.......&................. ..`.rdata........'.......&.............@..@.data.........1.......0.............@....pdata..L.....1.......1.............@..@.rsrc...P.....3......J3.............@..@.reloc...;....3..<...P3.............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\opengl32sw.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20923392
Entropy (8bit):	6.255903817217008
Encrypted:	false
SSDEEP:	393216:LIckHor5uLnn83wAP5hxOZEa7/LzRuDFqILn5LgcKyZyQXt+8M:yEZbv
MD5:	7DBC97BFEE0C7AC89DA8D0C770C977B6
SHA1:	A064C8D8967AAA4ADA29BD9FEFBE40405360412C
SHA-256:	963641A718F9CAE2705D5299EAE9B7444E84E72AB3BEF96A691510DD05FA1DA4
SHA-512:	286997501E1F5CE236C041DCB1A225B4E01C0F7C523C18E9835507A15C0AC53C4D50F74F94822125A7851FE2CB2FB72F84311A2259A5A50DCE6F56BA05D1D7E8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[.@..............'.......'.......'..[...........\|.-.....\|.+....\|..<....'......../.....q.*.....q.+....q.&.^...q.......q.,.....Rich............PE..d....._W.........." .....(....b.....\|&....................................... E...........`.........................................0.1.t.....1...............9.`n............C..k.. . .T..................... .(..... ..............@...............................text...T&.......(.................. ..`.rdata..XvO..@...xO..,..............@..@.data....;....1.......1.............@....pdata..`n....9..p...D3.............@..@.gfids.......pC.......=.............@..@.tls..........C.......=.............@..._RDATA........C.......=.............@..@.reloc...k....C..l....=.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68080
Entropy (8bit):	6.207162014262433
Encrypted:	false
SSDEEP:	1536:mQ4IT53ign4CbtlO705xWL3frA5rlhgQJ7tapgUff:mLIT53Hbtk70OLs3hg0Cz
MD5:	750A31DE7840B5EED8BA14C1BD84D348
SHA1:	D345D13B0C303B7094D1C438E49F0046791DE7F6
SHA-256:	A9BFFB0F3CD69CD775C328C916E46440FE80D99119FAEBC350C7EC51E3E57C41
SHA-512:	5C0A68ED27A9F1BBFF104942152E475C94BB64B03CE252EAAC1A6770E24DC4156CE4ADE99EBCD92662801262DED892C33F84C605AD84472B45A83C4883D5E767
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............h..h..h...s.h..]...h.....h..]...h..]...h..]...h......h..h..&h......h......h......h......h..Rich.h..................PE..d...X._.........." .........b......$........................................@......{v....`......................................... ................ ..X....................0......H...T......................(.......0............................................text............................... ..`.rdata...E.......F..................@..@.data...............................@....pdata..............................@..@.qtmetadi...........................@..P.rsrc...X.... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	41968
Entropy (8bit):	6.0993566622860635
Encrypted:	false
SSDEEP:	768:VPs5g31JfDgej5JZmA0ZsEEC6lmn+4FdDGimUf2hr:VkC31ee7ZmA+sEEC6lmn+4FOUfc
MD5:	313F89994F3FEA8F67A48EE13359F4BA
SHA1:	8C7D4509A0CAA1164CC9415F44735B885A2F3270
SHA-256:	42DDE60BEFCF1D9F96B8366A9988626B97D7D0D829EBEA32F756D6ECD9EA99A8
SHA-512:	06E5026F5DB929F242104A503F0D501A9C1DC92973DD0E91D2DAF5B277D190082DE8D37ACE7EDF643C70AA98BB3D670DEFE04CE89B483DA4F34E629F8ED5FECF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n.:..i..i..i#.Ei...i...h(..i>..h(..i...h8..i...h-..i...h(..i...h-..i..i...i...h(..i...h+..i..)i+..i...h+..iRich*..i........................PE..d......_.........." .....@...F.......F..............................................C.....`..........................................g..x...hh..........H...........................xX..T....................Z..(....X..0............P...............................text....>.......@.................. ..`.rdata...3...P...4...D..............@..@.data................x..............@....pdata...............z..............@..@.qtmetadj...........................@..P.rsrc...H...........................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qgif.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39408
Entropy (8bit):	6.0316011626259405
Encrypted:	false
SSDEEP:	768:ygk2hM0GskFtvPCjEIxh8eDzFyPddeeGvnhotdDGPUf2he:yN2a05kfPOEMaeDzFkddeFnhotOUfh
MD5:	52FD90E34FE8DED8E197B532BD622EF7
SHA1:	834E280E00BAE48A9E509A7DC909BEA3169BDCE2
SHA-256:	36174DD4C5F37C5F065C7A26E0AC65C4C3A41FDC0416882AF856A23A5D03BB9D
SHA-512:	EF3FB3770808B3690C11A18316B0C1C56C80198C1B1910E8AA198DF8281BA4E13DC9A6179BB93A379AD849304F6BB934F23E6BBD3D258B274CC31856DE0FC12B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........R...3..3..3..KA.3..o\..3..X..3..o\..3..o\..3..o\..3.."C..3..3...3.."C..3.."C..3.."C-.3.."C..3..Rich.3..........PE..d...H._.........." .....@...B.......E...............................................^....`..........................................f..t....f..........@............~..............HW..T....................X..(....W..0............P...............................text...k?.......@.................. ..`.rdata..&)...P...*...D..............@..@.data...(............n..............@....pdata...............p..............@..@.qtmetads............v..............@..P.rsrc...@............x..............@..@.reloc...............\|..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qicns.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	45040
Entropy (8bit):	6.016125225197622
Encrypted:	false
SSDEEP:	768:vEip0IlhxTDxut3dnm8IyAmQQ3ydJouEAkNypTAO0tfC3apmsdDG9Uf2hU:vxvXxgVIyA23ydJlEATpTAO0tfCKpms/
MD5:	AD84AF4D585643FF94BFA6DE672B3284
SHA1:	5D2DF51028FBEB7F6B52C02ADD702BC3FA781E08
SHA-256:	F4A229A082D16F80016F366156A2B951550F1E9DF6D4177323BBEDD92A429909
SHA-512:	B68D83A4A1928EB3390DEB9340CB27B8A3EB221C2E0BE86211EF318B4DD34B37531CA347C73CCE79A640C5B06FBD325E10F8C37E0CEE2581F22ABFBFF5CC0D55
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................a....Q........Q......Q......Q......................................Rich...........PE..d......_.........." .....B...N.......G...............................................&....`.............................................t...$...........@...........................xp..T....................r..(....p..0............`...............................text....@.......B.................. ..`.rdata...9...`...:...F..............@..@.data...............................@....pdata..............................@..@.qtmetadx...........................@..P.rsrc...@...........................@..@.reloc..............................@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qico.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38384
Entropy (8bit):	5.957072398645384
Encrypted:	false
SSDEEP:	768:zBXBEfQiAzC9Oh5AS7a3Z5OGrTDeV9mp7nnsWdDGgYUf2hi/:8JAzuOhy3zOGrTDeV9mp7nnsWjYUfz
MD5:	A9ABD4329CA364D4F430EDDCB471BE59
SHA1:	C00A629419509929507A05AEBB706562C837E337
SHA-256:	1982A635DB9652304131C9C6FF9A693E70241600D2EF22B354962AA37997DE0B
SHA-512:	004EA8AE07C1A18B0B461A069409E4061D90401C8555DD23DBF164A08E96732F7126305134BFAF8B65B0406315F218E05B5F0F00BEDB840FB993D648CE996756
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u.G...G...G...N...C......E...S...E......R......O......D.......B...G...........D.......F.......F.......F...RichG...................PE..d...H._.........." .....4...H.......9....................................................`..........................................h..t...th..........@............z..............(X..T....................Y..(....X..0............P..8............................text....2.......4.................. ..`.rdata..B/...P...0...8..............@..@.data...h............h..............@....pdata...............l..............@..@.qtmetad.............r..............@..P.rsrc...@............t..............@..@.reloc...............x..............@..B................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qjpeg.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	421360
Entropy (8bit):	5.7491063936821405
Encrypted:	false
SSDEEP:	6144:USgOWz1eW38u9tyh6fpGUasBKTrsXWwMmH1l3JM5hn0uEfB4:USPQTnastBRB4
MD5:	16ABCCEB70BA20E73858E8F1912C05CD
SHA1:	4B3A32B166AB5BBBEE229790FDAE9CBC84F936BA
SHA-256:	FB4E980CB5FAFA8A4CD4239329AED93F7C32ED939C94B61FB2DF657F3C6AD158
SHA-512:	3E5C83967BF31C9B7F1720059DD51AA4338E518B076B0461541C781B076135E9CB9CBCEB13A8EC9217104517FBCC356BDD3FFACA7956D1C939E43988151F6273
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Iv"...L...L...L..o....L..xM...L..\|M...L.......L..xI...L..xH...L..xO...L..gM...L...M...L..gH.?.L..gI...L..gL...L..g....L..gN...L.Rich..L.........PE..d...o._.........." .....b...........i...............................................g....`.............................................t...............@....`.......R..............h...T.......................(.......0...............@............................text....`.......b.................. ..`.rdata..J............f..............@..@.data...8....P.......(..............@....pdata.......`... ...*..............@..@.qtmetad.............J..............@..P.rsrc...@............L..............@..@.reloc...............P..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qsvg.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	32240
Entropy (8bit):	5.978149408776758
Encrypted:	false
SSDEEP:	768:uOVKDlJJVlTuLiMtsKVG7TSdDG9Uf2h4e:hVgJVlTuL/tsKVG7TSQUfre
MD5:	C0DE135782FA0235A0EA8E97898EAF2A
SHA1:	FCF5FD99239BF4E0B17B128B0EBEC144C7A17DE2
SHA-256:	B3498F0A10AC4CB42CF7213DB4944A34594FF36C78C50A0F249C9085D1B1FF39
SHA-512:	7BD5F90CCAB3CF50C55EAF14F7EF21E05D3C893FA7AC9846C6CA98D6E6D177263AC5EB8A85A34501BCFCA0DA7F0B6C39769726F4090FCA2231EE64869B81CF0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x>...P...P...P..a...P.&vQ...P..rQ...P.&vU...P.&vT...P.&vS...P.kiQ...P...Q.n.P.kiU...P.kiP...P.ki....P.kiR...P.Rich..P.........PE..d......_.........." .....$...B......D)....................................................`.........................................PU..t....U..........@............b...............G..T....................I..(...PH..0............@..(............................text....".......$.................. ..`.rdata...+...@...,...(..............@..@.data...8....p.......T..............@....pdata...............V..............@..@.qtmetad.............Z..............@..P.rsrc...@............\..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qtga.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31728
Entropy (8bit):	5.865766652452823
Encrypted:	false
SSDEEP:	768:1lGALluUEAQATWQ79Z2Y8Ar+dDG2vUf2hF:TZl/EH8WQ794Y8Ar+hvUfm
MD5:	A913276FA25D2E6FD999940454C23093
SHA1:	785B7BC7110218EC0E659C0E5ACE9520AA451615
SHA-256:	5B641DEC81AEC1CF7AC0CCE9FC067BB642FBD32DA138A36E3BDAC3BB5B36C37A
SHA-512:	CEBE48E6E6C5CDF8FC339560751813B8DE11D2471A3DAB7D648DF5B313D85735889D4E704E8EEC0AD1084AB43BE0EBDFBACD038AEAC46D7A951EFB3A7CE838EB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F ._'N._'N._'N.V_.Y'N..HO.]'N.KLO.]'N..HK.M'N..HJ.W'N..HM.\'N..WO.Z'N._'O.4'N..WK.\'N..WN.^'N..W..^'N..WL.^'N.Rich_'N.........................PE..d......_.........." ....."...@.......'..............................................7.....`..........................................W..t...dX..........@.......`....`..............(I..T....................J..(....I..0............@..h............................text...[!.......".................. ..`.rdata...)...@...*...&..............@..@.data........p.......P..............@....pdata..`............T..............@..@.qtmetadu............X..............@..P.rsrc...@............Z..............@..@.reloc...............^..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qtiff.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	390128
Entropy (8bit):	5.724665470266677
Encrypted:	false
SSDEEP:	6144:V0jqHiFBaRe0GPAKwP15e7xrEEEEEEN024Rx/3tkYiHUASQbs/l7OanYoOgyV:0qqwP15bx/q7/yyV
MD5:	9C0ACF12D3D25384868DCD81C787F382
SHA1:	C6E877ABA3FB3D2F21D86BE300E753E23BB0B74E
SHA-256:	825174429CED6B3DAB18115DBC6C9DA07BF5248C86EC1BD5C0DCAECA93B4C22D
SHA-512:	45594FA3C5D7C4F26325927BB8D51B0B88E162E3F5E7B7F39A5D72437606383E9FDC8F83A77F814E45AFF254914514AE52C1D840A6C7B98767F362ED3F4FC5BD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................E....q............q......q......q......<.............<......<......<......<.)....<......Rich....................PE..d......_.........." .....(..........D-.......................................0............`.............................................t...4...........@........%........... ..(....d..T................... f..(....d..0............@..0............................text....&.......(.................. ..`.rdata...v...@...x...,..............@..@.data...(...........................@....pdata...%.......&..................@..@.qtmetad............................@..P.rsrc...@...........................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qwbmp.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30192
Entropy (8bit):	5.938644231596902
Encrypted:	false
SSDEEP:	768:EfEM3S46JE2X/xBZ76pC5J6GdDGZUf2h4:63S3JE2PHZ76pC5J6GEUfn
MD5:	68919381E3C64E956D05863339F5C68C
SHA1:	CE0A2AD1F1A46B61CB298CEC5AA0B25FF2C12992
SHA-256:	0F05969FB926A62A338782B32446EA3E28E4BFBFFC0DBD25ED303FAB3404ABAC
SHA-512:	6222A3818157F6BCD793291A6C0380EF8C6B93ECEA2E0C9A767D9D9163461B541AFAF8C6B21C5A020F01C95C6EE9B2B74B358BA18DA120F520E87E24B20836AA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<.I.<.I.<.I.D%I.<.I.S.H.<.I.W.H.<.I.S.H.<.I.S.H.<.I.S.H.<.IYL.H.<.I.<.I.<.IYL.H.<.IYL.H.<.IYLII.<.IYL.H.<.IRich.<.I........PE..d......_.........." ..... ...8.......'....................................................`......................................... D..t....D..........@....p..T....Z...............6..T...................p8..(...@7..0............0..p............................text............ .................. ..`.rdata..d&...0...(...$..............@..@.data........`.......L..............@....pdata..T....p.......N..............@..@.qtmetad~............R..............@..P.rsrc...@............T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qwebp.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	510448
Entropy (8bit):	6.605517748735854
Encrypted:	false
SSDEEP:	12288:bPTjgdqdsvh+LrLrLrL5/y4DVHAsqx3hXS+oPZQqRaYG:jT5sMLrLrLrL5q4dAsaOFo
MD5:	308E4565C3C5646F9ABD77885B07358E
SHA1:	71CB8047A9EF0CDB3EE27428726CACD063BB95B7
SHA-256:	6E37ACD0D357871F92B7FDE7206C904C734CAA02F94544DF646957DF8C4987AF
SHA-512:	FFAEECFAE097D5E9D1186522BD8D29C95CE48B87583624EB6D0D52BD19E36DB2860A557E19F0A05847458605A9A540C2A9899D53D36A6B7FD5BF0AD86AF88124
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................a....s........s......s......s....>.........>......>.....>....>......>....Rich...................PE..d......_.........." .....B..........tH.......................................0......`q....`..........................................W..t....W..........@.......0H........... ......h...T.......................(.......0............`...............................text...[@.......B.................. ..`.rdata..J....`.......F..............@..@.data....'...........X..............@....pdata..0H.......J...\..............@..@.qtmetadv...........................@..P.rsrc...@...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qminimal.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	844784
Entropy (8bit):	6.625808732261156
Encrypted:	false
SSDEEP:	12288:y6MhioHKQ1ra8HT+bkMY8zKI4kwU7dFOTTYfEWmTxbwTlWc:BMhioHKQp+bkjAjwGdFSZtbwBd
MD5:	2F6D88F8EC3047DEAF174002228219AB
SHA1:	EB7242BB0FE74EA78A17D39C76310A7CDD1603A8
SHA-256:	05D1E7364DD2A672DF3CA44DD6FD85BED3D3DC239DCFE29BFB464F10B4DAA628
SHA-512:	0A895BA11C81AF14B5BD1A04A450D6DCCA531063307C9EF076E9C47BD15F4438837C5D425CAEE2150F3259691F971D6EE61154748D06D29E4E77DA3110053B54
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#\..B2..B2..B2..:...B2..-3..B2.F....B2..-7..B2..-6..B2..-1..B2..)6..B2.^23..B2..)3..B2..B3.@2.^26..B2.^27..B2.^22..B2.^2...B2.^20..B2.Rich.B2.........PE..d...N._.........." ......................................................... ............`......................................... ...x.......@.......H....`..H.......................T.......................(.......0...............(............................text...;........................... ..`.rdata...C.......D..................@..@.data...H....@......."..............@....pdata..H....`.......0..............@..@.qtmetad............................@..P.rsrc...H...........................@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qoffscreen.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	754672
Entropy (8bit):	6.6323155845799695
Encrypted:	false
SSDEEP:	12288:/HpBmyVIRZ3Tck83vEgex5aebusGMIlhLfEWmpCJkl:/HpB63TckUcLaHMITAZmW
MD5:	6407499918557594916C6AB1FFEF1E99
SHA1:	5A57C6B3FFD51FC5688D5A28436AD2C2E70D3976
SHA-256:	54097626FAAE718A4BC8E436C85B4DED8F8FB7051B2B9563A29AEE4ED5C32B7B
SHA-512:	8E8ABB563A508E7E75241B9720A0E7AE9C1A59DD23788C74E4ED32A028721F56546792D6CCA326F3D6AA0A62FDEDC63BF41B8B74187215CD3B26439F40233F4D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m..T..KT..KT..K]t7K@..K.c.JV..K@g.JV..K.cKU..K.c.JA..K.c.J\..K.c.JP..K.\|.JQ..KT..K...K.\|.Js..K.\|.JS..K.\|.JU..K.\|[KU..K.\|.JU..KRichT..K........PE..d...R._.........." ................L.....................................................`.............................................x...8...........H....... s...h..........p.......T................... ...(.......0...............@............................text............................... ..`.rdata..............................@..@.data...............................@....pdata.. s.......t..................@..@.qtmetad.............T..............@..P.rsrc...H............V..............@..@.reloc..p............Z..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qwebgl.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	482288
Entropy (8bit):	6.152380961313931
Encrypted:	false
SSDEEP:	6144:WO/vyK+DtyaHlIMDhg5WEOvAwKB2VaaHeqRw/yVfYu4UnCA6DEjeYchcD+1Zy2:bKtHOWg5OvAwK0NYu4AShcD+1U2
MD5:	1EDCB08C16D30516483A4CBB7D81E062
SHA1:	4760915F1B90194760100304B8469A3B2E97E2BC
SHA-256:	9C3B2FA2383EEED92BB5810BDCF893AE30FA654A30B453AB2E49A95E1CCF1631
SHA-512:	0A923495210B2DC6EB1ACEDAF76D57B07D72D56108FD718BD0368D2C2E78AE7AC848B90D90C8393320A3D800A38E87796965AFD84DA8C1DF6C6B244D533F0F39
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........gM..#...#...#..~....#.ei&...#.ei'...#.ei ...#..m'...#.ei"...#.(v"...#..m"...#..."...#.(v&...#.(v#...#.(v...#.(v!...#.Rich..#.................PE..d......_.........." .....R...........;....................................................`..........................................m..t...Dn..T.......@....@...=...@..............0...T.......................(.......0............p..(............................text...{Q.......R.................. ..`.rdata..:....p.......V..............@..@.data...H....0......................@....pdata...=...@...>..................@..@.qtmetadz............2..............@..P.rsrc...@............4..............@..@.reloc...............8..............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qwindows.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1477104
Entropy (8bit):	6.575113537540671
Encrypted:	false
SSDEEP:	24576:4mCSPJrAbXEEuV9Hw2SoYFo3HdxjEgqJkLdLu5qpmZuhg/A2b:nPlIEEuV9Hw2SFFWHdWZsdmqja/A2b
MD5:	4931FCD0E86C4D4F83128DC74E01EAAD
SHA1:	AC1D0242D36896D4DDA53B95812F11692E87D8DF
SHA-256:	3333BA244C97264E3BD19DB5953EFA80A6E47AACED9D337AC3287EC718162B85
SHA-512:	0396BCCDA43856950AFE4E7B16E0F95D4D48B87473DC90CF029E6DDFD0777E1192C307CFE424EAE6FB61C1B479F0BA1EF1E4269A69C843311A37252CF817D84D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......i...-...-...-...$.%.9.....q.,......8......%......)......+...9......9..,......)..........9..8...-..........d......,.....I.,......,...Rich-...........PE..d....._.........." .....,...h......4+..............................................n.....`.............................................x...(...........H............n..........X....r..T...................Pt..(... s..0............@...5...........................text..._+.......,.................. ..`.rdata.......@.......0..............@..@.data....m...@...D...(..............@....pdata...............l..............@..@.qtmetad.............J..............@..P.rsrc...H............L..............@..@.reloc..X............P..............@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68592
Entropy (8bit):	6.125954940500008
Encrypted:	false
SSDEEP:	1536:Nt4B1RLj3S6TtH2sweUH+Hz6/4+D6VFsfvUfO:AB1RHFdoeUs6/4O6VFSZ
MD5:	F66F6E9EDA956F72E3BB113407035E61
SHA1:	97328524DA8E82F5F92878F1C0421B38ECEC1E6C
SHA-256:	E23FBC1BEC6CEEDFA9FD305606A460D9CAC5D43A66D19C0DE36E27632FDDD952
SHA-512:	7FF76E83C8D82016AB6BD349F10405F30DEEBE97E8347C6762EB71A40009F9A2978A0D8D0C054CF7A3D2D377563F6A21B97DDEFD50A9AC932D43CC124D7C4918
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o...o...o...f...k......m...{..m......~......h......m......h...o..........k......n.....~.n......n...Richo...........................PE..d...V._.........." .....z...t......T........................................@.......b....`......................................... ................ ..X....................0..4.......T.......................(...p...0...............x............................text....y.......z.................. ..`.rdata...Z.......\...~..............@..@.data...............................@....pdata..............................@..@.qtmetad............................@..P.rsrc...X.... ......................@..@.reloc..4....0......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	144368
Entropy (8bit):	6.294675868932723
Encrypted:	false
SSDEEP:	3072:rrjwZ43rCOtrBk7wcR0l7wBlaL6BtIEt51T0Nhkqg8FoQY:7hZu9R0l7wFBtIEt51T0Nuqg8JY
MD5:	53A85F51054B7D58D8AD7C36975ACB96
SHA1:	893A757CA01472A96FB913D436AA9F8CFB2A297F
SHA-256:	D9B21182952682FE7BA63AF1DF24E23ACE592C35B3F31ECEEF9F0EABEB5881B9
SHA-512:	35957964213B41F1F21B860B03458404FBF11DAF03D102FBEA8C2B2F249050CEFBB348EDC3F22D8ECC3CB8ABFDC44215C2DC9DA029B4F93A7F40197BD0C16960
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......R._...1]..1]..1]..]..1]..0\..1]..5\..1]..2\..1]..4\..1]..0\..1]..0\..1]..0]..1]..4\..1]..1\..1]...]..1]..3\..1]Rich..1]........................PE..d...`._.........." .....\...........`.......................................`......wJ....`................................................. ........@..X.... ...............P.........T...................`...(...0...0............p...............................text....Z.......\.................. ..`.rdata......p.......`..............@..@.data...............................@....pdata....... ......................@..@.qtmetadm....0......................@..P.rsrc...X....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_ar.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	130
Entropy (8bit):	4.024232093209084
Encrypted:	false
SSDEEP:	3:j2wZC4C/2/vlAlHekW3/S1MUe3/CLlI+rwtbWlMrNtYs8ar/u:Cwm+/PtUePCRIRt6Ygs8y/u
MD5:	8FF05B56C0995F90A80B7064AA6E915C
SHA1:	D5AEB09AE557CEEFB758972EC4AC624CDDC9E6A7
SHA-256:	A8A1B0D6F958E7366D1C856BE61000106D3E7FC993FB931675369892B9002D0B
SHA-512:	5374E0F1D3F5A6A456B00732DE8005787B17ECEF9C8A2B2C1228966A6A8DE211700334D8FD789DAD269F52D0AEED3F5160010CA60909861E270C253B3EA881A4
Malicious:	false
Preview:	<.d....!..`.......ar....R.....q.t.b.a.s.e._.a.r.....q.t.s.c.r.i.p.t._.a.r.....q.t.m.u.l.t.i.m.e.d.i.a._.a.r..............$...*.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_bg.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6813848812976975
Encrypted:	false
SSDEEP:	3:j2wZC4C/6lLlAlHekVYtzlY1MUdI7lULlI+rwtbWlMoIFl8IPldkO4t/z:CwDC+7tJjUWhURIRt68f8oiP1z
MD5:	466EED6C184D2055488D4C5EA9AE5F20
SHA1:	8599AB9B731BFC84F6EEC7A0129F396FB8FEC4EA
SHA-256:	9E1CE4D91852352043D9191F1A992838F919CBA7E2F2D9BB1161E494E8BF5F5E
SHA-512:	D2462951EC7DCE3D0851AE9C4ED644FFE0D2A5BDD15B4AE1A4295C187B4295BC854D6A5038DAC0564D165463419D615EB6CE7A9760CEFAD71AB673FB2109C349
Malicious:	false
Preview:	<.d....!..`.......bg....v.....q.t.b.a.s.e._.b.g.....q.t.s.c.r.i.p.t._.b.g.....q.t.m.u.l.t.i.m.e.d.i.a._.b.g... .q.t.x.m.l.p.a.t.t.e.r.n.s._.b.g.......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_ca.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.631479835393124
Encrypted:	false
SSDEEP:	3:j2wZC4C/NVl/lAlHekUOplY1MUce/hlAlI+rwtbWlMpOflUlIPldkOHlz:CwO4+94jUcerAIRt6a6Uloi8
MD5:	6FBA66FE449866B478A2EBA66A724A02
SHA1:	EBEF6ED8460218CE8DF735659A8CBCD693600AC6
SHA-256:	171C7424B24D8502AB53CB3784FF34D8FCFAE26557CF8AF4DFDDEC6485ACC2FE
SHA-512:	2D2438738C6D10D8A53B46DE5A94BBF993818D080F344D9F1B94FC83D60335D9A5E8EFCC297D593FFF1D427972F9F9502FC31C332CAEA579FC7A88487390457E
Malicious:	false
Preview:	<.d....!..`.......ca....v.....q.t.b.a.s.e._.c.a.....q.t.s.c.r.i.p.t._.c.a.....q.t.m.u.l.t.i.m.e.d.i.a._.c.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.c.a.......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_cs.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	157
Entropy (8bit):	3.7483537099309427
Encrypted:	false
SSDEEP:	3:j2wZC4C/fVFlAlHekUsplY1MUcM/hlULlI+rwtbWlMpsfl8IPldkO1lPchn:CwY4+9ujUcMrURIRt6aE8oinh
MD5:	D033053C03C3ECFA2AA926E0E674F67F
SHA1:	B4E95F8278121E2549F8BB6B5DAF1496F1738A7D
SHA-256:	3C0CBFD19490D67D1B3B9E944C3A4D9A9E7F87D7AE35E88D5D5A0077349B5B21
SHA-512:	2C7E9E9DBE0B25FBA94A52FE4BCCB1D9FED2A7BD2877DB91F82546C3BC8606280949594227BA0FC1C74C31010E1F573B3A82852BE746EAA4F397140485789136
Malicious:	false
Preview:	<.d....!..`.......cs....v.....q.t.b.a.s.e._.c.s.....q.t.s.c.r.i.p.t._.c.s.....q.t.m.u.l.t.i.m.e.d.i.a._.c.s... .q.t.x.m.l.p.a.t.t.e.r.n.s._.c.s...........

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_da.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6174817344122334
Encrypted:	false
SSDEEP:	3:j2wZC4C/4Jlr/lAlHekT6hY1MUb6JAlI+rwtbWlMuel3UlIPldkOQtt:Cw7rC+3jUkAIRt6EVUloi9
MD5:	E6A683F4A0883B5B0C7D30B847EF208C
SHA1:	FF2440DBBFE04AD86C6F285426AAFD49A895B128
SHA-256:	B5036161CE808C728E5FDA985F792DB565831FD01CF00B282547790C037353A2
SHA-512:	D73B794A71DFD3A3C06BF43ED109F635B4960F9A3904FB728873AB5251BDF6A791DDFDEBA884A2703A35461E18BA902804095AC4B92A2C9361526469B6D35FFA
Malicious:	false
Preview:	<.d....!..`.......da....v.....q.t.b.a.s.e._.d.a.....q.t.s.c.r.i.p.t._.d.a.....q.t.m.u.l.t.i.m.e.d.i.a._.d.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.d.a.......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_de.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6174817344122334
Encrypted:	false
SSDEEP:	3:j2wZC4C/8rJFlAlHekTul01MUbul4LlI+rwtbWlMuallyIPldkOknt:Cw/rJ4+XU5RIRt6Aaoi7t
MD5:	06168E1261BF72F49F94927723B2E1EB
SHA1:	DEAF1B53C3FEE6CB28840418D0060AFA4D59D3FC
SHA-256:	5805B8FF3747849794E2D70661D737C69C15F1AE763C38E17084B1E5A81E9153
SHA-512:	AA3915C029C74DC270514C7F50E8BEC06C825F278E0DE0477AD8ED3187700BBD7711382A6E47C3AC76AC756CEFF9FA8CDD4E9B9DAC817475BC122F78B02C7D7D
Malicious:	false
Preview:	<.d....!..`.......de....v.....q.t.b.a.s.e._.d.e.....q.t.s.c.r.i.p.t._.d.e.....q.t.m.u.l.t.i.m.e.d.i.a._.d.e... .q.t.x.m.l.p.a.t.t.e.r.n.s._.d.e.......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_en.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_es.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.6070658648473097
Encrypted:	false
SSDEEP:	3:j2wZC4C/7lJFlAlHekSMthULlI+rwtbWlMvEJY1MUaEf8IPldkOzvt:CwElJ4+7MrURIRt6cujUaE8oi0F
MD5:	EE47DFADBA4414FDC051C5CFBE71DDC1
SHA1:	DE650E96A9C130D35F8A498202773EF7FC875D27
SHA-256:	E25E43F046F61022FFE871A2F73C6A12EDFC5C3EFD958C0E019A721860A053B0
SHA-512:	8C1D8901D2F66CCBF947B831858E08B703517470B2B813B241E00162A275AC9103FF5B9251AD39BD53551E0A4FB45EE74187B218A1EF7C6CF6C5FA9F9219AE04
Malicious:	false
Preview:	<.d....!..`.......es....v.....q.t.b.a.s.e._.e.s.....q.t.m.u.l.t.i.m.e.d.i.a._.e.s.....q.t.s.c.r.i.p.t._.e.s... .q.t.x.m.l.p.a.t.t.e.r.n.s._.e.s.......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_fa.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	293121
Entropy (8bit):	5.272179385890926
Encrypted:	false
SSDEEP:	3072:gEo2cQbzaVmvGQYkHkMRKkNeGr+0BhaRsLAChY21rpnLqL9ytnvC58gypn4l4qF:gEZbza0HjeGrxBhaCLFC
MD5:	F9C3624197ACB30A9E6CC799BB65BED6
SHA1:	D715EAE24387DE15588F68C92991A93FAFB5EEAB
SHA-256:	B292AFB0763B8C7C30A5AF7372BFC12D8A0D00BF3DD4A000715D9F576D9C1A39
SHA-512:	199C107AE7EAFCF2A5EEC149CAFEE7ED09B938E204B56AD3AAC9568D27166F61EC8E2225A11AF26F7E1F035FB5CAD98621A01E8A9942D18C273F43B90201162A
Malicious:	false
Preview:	<.d....!..`.......faB..I....*...u...+...............@.......A...J...B.......C...X...D.......E.......F...%...G.......H...0...I.......P...v...Q.......R.......S.......T..."...U.......V...h...W.......X...s...Y.......]..e....t...................-.......W.......\|.......i...;..Eu...;..Z....;...]...;..c....;.......;..0]...M..f....O.......O..2.......#....}..f=...m..fg.........(5......+;..1a..+;...V..+;...!..+O..17..+O...(..1.......E@......F....u..H4......HY...Y..H....S..I....5..I@.....IA......IC......J...1...J.......J.......J...\|...K...6...LD......L.......PS......R....Z..T.......Zr.. ...[`...O..[`......\...%@..\...2..._...&l.._...38..1........E..........2u..........1.......1...........@......4G...........................$...L...$..xY...[.......,...u...y...y...y..z.......F.......<.......g.......5W...........9...........f...E...U...E../....E..................0-...%..6....%.........................3......f..........5...?...0..EK...0......0..L ...0..c....0.......0...Z...5...........Y.. D

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_fi.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	117
Entropy (8bit):	3.739162292019161
Encrypted:	false
SSDEEP:	3:j2wZC4C/4HlAlHekRgOp1MUZWJKlI+rwtbWlMsIkk:Cwxe++IUocIRt6Qkk
MD5:	72882942B07B8AAC98034016E752B1A0
SHA1:	BF23B4C136B863B10E770019A2DF62FC988859DF
SHA-256:	048CA42DCE4FAF5FC21D843576E3C6FD963146ECC78554E7E5F34D07F64FB213
SHA-512:	403E7F4E9A0E44F2118804F0781A18EB1852797825498751E3AFA02D9558D90293ABDB570786CED80F7EFF800BEF6D9444A72E6A640D331DA46B2A0EA43C8E96
Malicious:	false
Preview:	<.d....!..`.......fi....R.....q.t.b.a.s.e._.f.i.....q.t.s.c.r.i.p.t._.f.i.....q.t.m.u.l.t.i.m.e.d.i.a._.f.i.......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_fr.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.680458675741643
Encrypted:	false
SSDEEP:	3:j2wZC4C/FjlAlHekRL21MUZNJOLlI+rwtbWlMs9KIPldkORT:Cw3+SU0RIRt6koio
MD5:	3C45C665CFE036A7474CB4DCBB13CF40
SHA1:	62312DFF3C4CD38BAE8456C981601D0D89600F63
SHA-256:	8624033D849E670B12C9532337FCBF260F20848E044FEE7787CFE2AC92BE28DB
SHA-512:	21659AA452BC2493D915F0BE94F90CDD57759B1F1306AAA2836058D41E80DED24742EBD74E19420021514A6AB4150CA0B447574E96B9D3BF0BC5A8C78DAAF7AC
Malicious:	false
Preview:	<.d....!..`.......fr....v.....q.t.b.a.s.e._.f.r.....q.t.s.c.r.i.p.t._.f.r.....q.t.m.u.l.t.i.m.e.d.i.a._.f.r... .q.t.x.m.l.p.a.t.t.e.r.n.s._.f.r.......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_gd.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	70
Entropy (8bit):	4.463523104731333
Encrypted:	false
SSDEEP:	3:j2wZC4C/EXlAlHekQrEuknbJB:CwjO+5JY
MD5:	A8D55457C0413893F746D40B637F9C93
SHA1:	25123615482947772176E055E4A74043B2FBCAA0
SHA-256:	49DF855A004A17950338AF3146466F6DF4D5852410BD0B58EA80E0D0203A9D24
SHA-512:	99718B948D94B292BDEDF6B247A5856BC7AC78408FCC41C980F264C2C8565125786F0289F5F993DCF11B8CDA3AFB2A1D8634B1D0BC9B34992F538F8E4086EC00
Malicious:	false
Preview:	<.d....!..`.......gd..........q.t.b.a.s.e._.g.d....................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_gl.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	323590
Entropy (8bit):	4.568068046062524
Encrypted:	false
SSDEEP:	3072:OYSG8zxWSDjq73Pf6FT1f4uh50QGrRfFD54YyUY0Ou4/tnra3Z0uYhB5YHfHRRn2:O39WSD3TMQGrxFD5EUVQ
MD5:	0661FFABFBC50187F3BA38876B721946
SHA1:	EB5E7205355CFC6BCB4DF27E224079842C97B296
SHA-256:	204A01AC7DEB6B5BAE193AFECBD1E50D18C73BF7D94BADEB2BBFDF6123C4ED93
SHA-512:	65AB66CC54D65E7678FA731A5C5F2CC9D6FC217B91AD47D538440811E09A23E49CD95CE62A79E3E8C275E250AC1A0B54BD289F6DD067573876DA7AFF54381D02
Malicious:	false
Preview:	<.d....!..`.......gl_ESB..I...........+..&............@.......A...z...B.......C...p...D.......E......F...!...G......H.......I......P...@...Q.......R......S...5...T......U...+...V.......W...a...X.......Y...N...]..o....t..,................F.......p..............4....;..LI...;..bD...;.......;.......;.......;..cJ...M..o1...O..G....O..e.......U....}..oY...m..o........D..(5...X..+;..6/..+;...~..+;......+O..6...+O...N..1......E@...?..F.......H4..'...HY......H...3`..I......I@......IA......IC..0...J...P...J...1...J...0...J.......K...:...LD..2...L...3...PS..:A..R... d..T.......Zr..Rd..[`......[`.....\...WK..\...RR.._...X..._...f...1........E...{......7M..........1.......1....q......O.......9......................)....$... ...$.......[..,=...,..-....y..0X...y...~......Mx......]0.......H......:A......0....9...............E...o...E..b....E.........1.......c....%..;....%...;......3.......^......S................5..4Z...0..L....0.......0..n....0.......0..7....0.......5..9D......!g.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_he.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	83
Entropy (8bit):	3.880645689209568
Encrypted:	false
SSDEEP:	3:j2wZC4C/YJ/dQlHekfaB21MUXmlvt:CwT0+D/UUt
MD5:	DD5C2C6B148F2DB3E666B859776AE129
SHA1:	8368F32039CC0776A1B95C9DED5FE6C9EA0D93FD
SHA-256:	C113D14E218D5402B616DABEA27969C6F83852676468C5EF051DDDEFB3EE0235
SHA-512:	2EAE33C8707407E083F6B8B05EA2C5B987646DF1553888C16D6508C5A33B2F758DDED73323622CD50324C96F51D61B7CE822F393551A30B211ABD3CC1367249F
Malicious:	false
Preview:	<.d....!..`.......he....0.....q.t.b.a.s.e._.h.e.....q.t.s.c.r.i.p.t._.h.e.......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_ar.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	8743
Entropy (8bit):	5.189558605179696
Encrypted:	false
SSDEEP:	192:YUM7gBwnG4Vxj4nyn9aAMOJckrL6esm/0sQ5HeK1nvEB:YBkKnZxkyn9aAMWPsm/0sQsGvEB
MD5:	CCD39A7C8139AD041E31B3E5D40968B4
SHA1:	5751BE96817BB6AE7C9DA9F1FBA7F42F31CFCC5D
SHA-256:	222088C9752D1CC3BAB985EF2DC77E5AE78578DCE18A61EC15B39F02E588163D
SHA-512:	9844C0EC65EE1C76DBA021EAC6D476A85E6C8F5BBAF4150C1EA80C0A95BEDE67B5E8F981360EF8599FCECDFCBCB83BC0B8AC44DDEFDCD85F914318030E346967
Malicious:	false
Preview:	<.d....!..`.......arB.....(.....d.0T.....5w......Uj....!.`.....M.a[............n..t..............39....&................B<s...V..M^...e......4.O5^...r..)^......o>...........?...t.....D ......k.N.....k.N...C...n...T...I...R..........2>.................\|..G.......w....T.......l..........,................^............$a......6.>...........x..K......W.b....._Xn......GN...m..~......!.....J.K.H.............pN.............P.~.....o.....W..(.......~......s.>......%c.....o.....R.z.q..........................n.h................e.....i..........:.J.1. .E.3.E.Q.I..........Untitled.....QHelp.....8..9.0.Q.1. .F.3... .E.D.A.Q. .'.D..Q.,.E.J.9.).:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler........9.0.Q.1. .%.F.4.'.!. .'.D./.Q.D.J.D.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....>..9.0.Q.1. .%.F.4.'.!. .,./.'.H.D. .A.J. .'.D.E.D.A.Q. .%.1........... Cannot create tables in file %1......QHelpCollectionHandler.....L..9.0.Q.1. .*.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_bg.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10599
Entropy (8bit):	5.192287379770591
Encrypted:	false
SSDEEP:	192:jhYkcd7CYBdmfIOeX3byuJRoZXlBYnEpUYR+BJqO5X9pA2NNrxC0zwRK2nMY762A:a71DQIrLuVCnEtR+DquhN5xC0zwKPYHA
MD5:	5538049DA3A1D1D724AB6E11D2E2EDBE
SHA1:	7256BE390B88A053C0252488C443BE42F6F2D92A
SHA-256:	CBCDD1E0BBAE332D80DDB0A286056F17C824FA28D353D7FDF12FC97D9F6FE054
SHA-512:	DD98CAF3A016968EEDC9106C1839DDECC2D109E9E354708BD74B35E766C6A098C1680C0B867EAD9FCE2E2A6D683BE673B8E5DF1A1B2F1AAFDB31910FF833370F
Malicious:	false
Preview:	<.d....!..`.......bgB...(.(.......0T......5w... S.Uj......`.......a[....(..........t..............39..........&..........B<s...4..M^..........q...J..%..O5^...O..)^...I..o>...I...J..%.......#....t...A.8dz..$..D ....Z.k.N...<.k.N.......n.......I..............2>...p................G..."...w....................7..,................^............$a....<.6.>..........#...K...........$1.W.b....._Xn......GN...*..~....-..TH.."..!.....5.K.H..#R.........pN..."......&..P.~...@.o.....v..(.........."8..~......s.>.....o.... ..z.q..........................O.h....!t..........e....mi..'.....\|.(...@.8.G.8.=.0.B.0. .<.>.6.5. .4.0. .5.,. .G.5. .4.>.:.C.<.5.=.B.0.F.8.O.B.0. .2.A.5. .>.I.5. .A.5. .8.=.4.5.:.A.8.@.0...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.........0.1.5.;.5.6.:.0.:..........Note:.....QCLuceneResultWidget.....,. .5.7.C.;.B.0.B.8. .>.B. .B.J.@.A.5.=.5.B.>..........Search Results.....QCLuceneResultWidget....... .

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_ca.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7444
Entropy (8bit):	4.580794980254807
Encrypted:	false
SSDEEP:	192:G8oS34B7n303D37Bn3Jso37cfp3Mg3H373R58noct36R9RFu:GQU7ETrxZvqTXLSoct36Pzu
MD5:	66722ED97BCBFD3DAE3C8264413859AB
SHA1:	400A93B213FCF9BBC9785881EA82ADB9F444CD6C
SHA-256:	ECD4283A660F2CF72849B323810D7EADD063120B6F561E05AA1243A5B280946A
SHA-512:	B898BAC9652D7532384ED5CC53FA62DB55D516421D13F815A3E6D5E80AD4C69555F1A7E6C51F8B0A234614824EEE01D6731458F90D40A585990F84A58B9ABE44
Malicious:	false
Preview:	<.d....!..`.......caB............%.......0T......K:^.....Uj......`.....P..YJ...V.E.4...*...........>...7........B<s.....B\>...6........+.s.....zq.......9.......vR......@.......@.......:....;.8Z....!.g.N......F................t.....D ....z.k.N.......I......^......`#.......2.......G........N...7......N......{..................K...............GN......NO...5.........K.H...@.........pN......V............q..................>...N.........~.....5..%c...:.z.q....i...4....".A.f.e.g.e.i.x. .u.n. .f.i.l.t.r.e..........Add Filter.....FilterNameDialogClass.......N.o.m. .d.e.l. .f.i.l.t.r.e.:..........Filter Name:.....FilterNameDialogClass.......S.e.n.s.e. .t...t.o.l..........Untitled.....QHelp.....`.N.o. .s.'.h.a. .p.o.g.u.t. .c.o.p.i.a.r. .e.l. .f.i.t.x.e.r. .d.e. .c.o.l...l.e.c.c.i...:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....H.N.o. .s.'.h.a. .p.o.g.u.t. .c.r.e.a.r. .e.l. .d.i.r.e.c.t.o.r.i.:. .%.1..........Cannot create directory: %1.....QHelpCollect

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_cs.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	15297
Entropy (8bit):	4.708378368926237
Encrypted:	false
SSDEEP:	384:hmv1gdEYEiNrVhTBvAn1ca1f5lwHoJr0vwuxqsP/5jxA:o1gdEvgbloCof9ixqspW
MD5:	ED228F0F60AE9AEC28AB9171D5AE9590
SHA1:	7F061CF0C699D125A5531E3480C21964452F45EA
SHA-256:	4AC56FC63E400943BAB13F1D4C418502138908E1D488C24AEE6131D3D17552AA
SHA-512:	794CC671C08BFC50980820A6389B9D0D3514619AD0A8F18EFD5554CBBF2482192DF00B9D3B05FEE45F42276E63E2375FB28E193930D426245035B4B0E3E14ED8
Malicious:	false
Preview:	<.d....!..`.......cs_CZB...H.(.......(.......0T......0T......5w...0..Uj......`.......a[......a[....$.......p..........t.......t...........!..1"....T.39....T.39.......s...0......(......7/.................B<s...L..MQ......M^../q..........J..6@.0....B.O5Q..'..O5^..(A..)Q...X..)^......o>..........+....J..6.......4....t.....8dz..5..D ....R.D ......k.A.....k.A.....k.N.....k.N.......n.."....I..........................2...21......2>..........d.............T..G...4...w...!N......&O......&....!..".......#E..,...,.......)....Q..$/...^..$................$a......6.>.. t......5...K.......K....)......5E.W.b..-.._Xa..%a._Xn..%...GA......GN...?......,9..~.......TH..3..!......K.H..4h.........pA...J..pN..........7..P.~.. ..o.....0..(....*..(..........3V..~....T.s.1.....s.>..._.o....0..o....1p.z.q..........'9.....#........^.........h....2................Z..e... .i..8J......(.D.o.v.o.d.e.m. .p.r.o. .t.o. .b.y. .m.o.h.l.o. .b...t.,. .~.e. .d.o.k.u.m.e.n.t.a.c.e. .j.e. .s.t...l.e. .j.e.a.t...

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_da.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	4795
Entropy (8bit):	4.530246422531362
Encrypted:	false
SSDEEP:	96:X82wNlnKfN1LMFy7LsF3ZqBFZjWo0koBLqBXXjGL0qU7UqB7zoElmP5MUu4DZIHU:XM01f7eOnoB8X2s7Vfg5Mi4beXiOUu
MD5:	1D09BEE1FB55A173F7EB39B9A662A170
SHA1:	C77F0A148262A91679F19689E4790B754D45D5D5
SHA-256:	6BB092552A398687119F6D52145F04BF8373977446D8F00C0DCBD56B96829F0F
SHA-512:	BE5A31A6135E8DB024A8B0EB20C4D8EECBF76861F83FF83B4CA97327DB74AD94BB5D77B4E0A59A33B697C32A4EACD61B8C878951F2C545385C74D99FCE56FEE1
Malicious:	false
Preview:	<.d....!..`.......daB.....%.....m.0T......Uj....V.`....................k.B<s.....B\>..........6.+.s...............t.....D ....\|.k.N...9...I...O..2.......G....B...N...O..............!..K...._..........GN...........@.K.H.............pN..............>.....~.....m..%c.....z.q....i..........U.n.a.v.n.g.i.v.e.t..........Untitled.....QHelp.....D.K.a.n. .i.k.k.e. .k.o.p.i.e.r.e. .s.a.m.l.i.n.g.s.f.i.l.e.n.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....6.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .m.a.p.p.e.n.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....V.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .i.n.d.e.k.s.t.a.b.e.l.l.e.r. .i. .f.i.l.e.n. .%.1...........&Cannot create index tables in file %1......QHelpCollectionHandler.....J.K.a.n. .i.k.k.e. .o.p.r.e.t.t.e. .t.a.b.e.l.l.e.r. .i. .f.i.l.e.n. .%.1........... Cannot create tables in file %1......QHelpCollectionHandler.....P.K.a.n. .i.k.k.e. .i.n.d.l...s.e. .s.q.l.i.t.e.-.d.a.t.a.b.a.s.e.-.d.r

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_de.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7570
Entropy (8bit):	4.550982634910665
Encrypted:	false
SSDEEP:	96:8y/gPmmhL/7LlSivP6kBL7jb0RNUzzpld4UGG3Ik18fLP0L7fGc0OeVP8a8hiAwj:1OD7hx/Bv3oNuFX4iqgv34fZsu
MD5:	3B070D169E3381E2FB081172934AAD00
SHA1:	70886EB7EF566B296D0814BD4C2440AC176699D6
SHA-256:	9962523FBAE9F1E4C3B5C3C16860D059291CB30DC5EBE5A5EDA4C836A03FED1E
SHA-512:	271B730B5A7358E923BBBC6FA074A72DA52FA47E3B7726779EF7034200EDA09BF0E1AE4E7B11B59F76805F48DC285F6EFC245EB9C7F4A748BE82B25CEE1DDCAE
Malicious:	false
Preview:	<.d....!..`.......deB..........B.%.....5.0T......K:^.....Uj....?.`.....f..YJ...V.E.4...............>............B<s...z.B\>...\........+.s...Q.zq....C..9....4..vR...B..@.......@.......:......8Z......g.N......F....>...........t.....D ......k.N.......I......^....\|.`#....I..2....<..G....^...N.........................;..........K....y..........GN......NO...........,.K.H.............pN......V...................."..........>.............~........%c.....z.q....i........".F.i.l.t.e.r. .h.i.n.z.u.f...g.e.n..........Add Filter.....FilterNameDialogClass.....".N.a.m.e. .d.e.s. .F.i.l.t.e.r.s.:..........Filter Name:.....FilterNameDialogClass.......O.h.n.e. .T.i.t.e.l..........Untitled.....QHelp.....\.D.i.e. .K.a.t.a.l.o.g.d.a.t.e.i. .k.a.n.n. .n.i.c.h.t. .k.o.p.i.e.r.t. .w.e.r.d.e.n.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....\.D.a.s. .V.e.r.z.e.i.c.h.n.i.s. .k.a.n.n. .n.i.c.h.t. .a.n.g.e.l.e.g.t. .w.e.r.d.e.n.:. .%.1..........Cannot create directory: %

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_en.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_es.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10704
Entropy (8bit):	4.481291573289571
Encrypted:	false
SSDEEP:	192:q9J9j7e4BQhD0h61nnKz+DJF/45ojDU9V1Wa/rmtIBMH:Wp64ShDnnKz+FhjQpWa/ytoMH
MD5:	9EDF433AB9EE5FC7CF7782370150B26A
SHA1:	A918AE15A0DF187C7789BE8599A80E279F039964
SHA-256:	FD16B279F8CF69077F75E94D90C9C07A2AFFF3948A579E3789F5FFB5E5F4202D
SHA-512:	88245F6FBAAF603A03D7EA2341411AE040791D47C9FF110C6D6CDD8165F0A8BA7A4A0DA5CD543BBE95A4E93FE3A81E95B3664E00C11791FBCB4923E3A80ABC60
Malicious:	false
Preview:	<.d....!..`.......es_ESB...(.(.....7.0T..../.5w... C.Uj......`.......a[....0..........t..............39..........&e.........B<s...D..M^..............J..%p.O5^...I..)^...1..o>.......J..%.......#....t.....8dz..$..D ......k.N.....k.N.......n.......I..............2>....................G...#...w............!.......%..,................^............$a......6.>..........#...K...........$C.W.b....._Xn......GN...\|..~.......TH.."..!.....5.K.H..#f.........pN...j......'..P.~... .o........(....>....."<..~....c.s.>.....o.... ..z.q..........................u.h....!p.......*..e....Qi..'}......(.L.a. .r.a.z...n. .d.e. .e.s.t.o. .p.u.e.d.e. .s.e.r. .q.u.e. .l.a. .d.o.c.u.m.e.n.t.a.c.i...n. .a...n. .e.s.t... .s.i.e.n.d.o. .i.n.d.e.x.a.d.a...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.....2.R.e.s.u.l.t.a.d.o.s. .d.e. .l.a. .B...s.q.u.e.d.a..........Search Results.....QCLu

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_fr.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10922
Entropy (8bit):	4.459946393010639
Encrypted:	false
SSDEEP:	192:w4BIn67/WsmoB3r6M/eYlSbyE7DnvE7pcn9nPJZe7nOFovzcNn7Uhmio+2/p53I/:w4N19fq3n2c9Bucuhmi52/X3Qpam
MD5:	D520C7F85CC06C66715A2B6622BF0687
SHA1:	47292D068172FBC9DC0D9BE2F479E890A37CE138
SHA-256:	687E351C062F688AAFF6CF05218D6017B80B1A1B4238D1D30250A55EE41C5FED
SHA-512:	736B50BB64751B127300BCAFE88888A9D9A2081CBF934EDCFFEF6CEF0575505AFDF714273A97671ABB598AE3D23C8E55F7DCD632FB0AA219ED5F763768576E04
Malicious:	false
Preview:	<.d....!..`.......fr_FRB...(.(.....y.0T....K.5w...!1.Uj....*.`.......a[............5..t..............39....m.....'W.......S.B<s...d..M^.. ...........J..&`.O5^...+..)^......o>.......J..&.......$....t.....8dz..%..D ......k.N.....k.N...D...n.......I...........c..2>..........M.........G...$...w....K..................,................^............$a......6.>...c......$...K....'......%M.W.b....._Xn...j..GN......~.......TH..#..!.......K.H..$Z......,..pN..........'..P.~.....o........(....h.....#4..~......s.>...M.o....!..z.q...........p......L.........h...."^.......b..e.....i..(W......(.I.l. .e.s.t. .p.o.s.s.i.b.l.e. .q.u.e. .c.e.l.a. .s.o.i.t. .d... .a.u. .f.a.i.t. .q.u.e. .l.a. .d.o.c.u.m.e.n.t.a.t.i.o.n. .e.s.t. .e.n. .c.o.u.r.s. .d.'.i.n.d.e.x.a.t.i.o.n...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.e. .:..........Note:.....QCLuceneResultWidget.....2.R...s.u.l.t.a.t.s. .d.e. .l.a. .r.e.c.h.e.r.c.h.e.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_gl.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10891
Entropy (8bit):	4.5087667371046205
Encrypted:	false
SSDEEP:	192:Im7gBZHx4hCTNarW6EJDvoIR765f40wqNcMi/8F/Ihon:v0fHccarW6Eh61wqNcMi/Q/won
MD5:	B62C74793741FC386332A59113E8D412
SHA1:	589CE099F2C1D92581B5CF0E17BE49A2BF0014D4
SHA-256:	7399A248609974773F60866C87B78EA7DFBC4F750313D692F7886CD763883C9F
SHA-512:	D8E1A3B3732662BA572A1387651F2625742710834BEDB41809DA47B5D23020AA1B558B64A00C10C605D1844F0544483163F4A6227CAFFA5ECDABF3BBF4E12D9B
Malicious:	false
Preview:	<.d....!..`.......gl_ESB...8.(.......0T......Uj......`.....`.a[....F..........t..............1"... S.39.......s...!.............'F.........B<s...8..MQ.. ...........J..&S.0.....x.O5Q......)Q...O..o>...{.......#...J..&.......$....t.....8dz..%..D ......k.A.....k.A.......n.......I.................."...21....................G...#...w............[...!...?...........Q...?........$a....v.6.>..........$...K...........%0._Xa......GA...n..........~.......TH..#..K.H..$M.........pA...Z......'..P.~...B.o........(..........#+..~......s.1.....o....!..z.q...e.............................. ..e....wi..((......(.A. .r.a.z...n. .d.i.s.t.o. .p.o.d.e. .s.e.r. .q.u.e. .a. .d.o.c.u.m.e.n.t.a.c.i...n. .a...n.d.a. .e.s.t.e.a. .a. .i.n.d.e.x.a.r.s.e...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.....*.R.e.s.u.l.t.a.d.o.s. .d.a. .p.r.o.c.u.r.a..........Search Results.....QCLucene

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_hu.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10284
Entropy (8bit):	4.674501432335502
Encrypted:	false
SSDEEP:	192:RNY+rCG3e7LBqYqYseBb/FEWBgSn62TdJgDO9esYGY3DtgGh621XlZ/8kWvIMK:4+rheHYYZdBb/pgSn62T/FeVD3DGGh62
MD5:	5A56E9E2ED6ECE3F249D1C2A7EB3B172
SHA1:	D6F079F40FBB813B0293C1D2210BAE7084092FEC
SHA-256:	70F33B569C2942F41C6D634EA6A61CB8D80EB2C7011BAD48EF6DBAE9677960D5
SHA-512:	28947128FC51791CFDBFD3958FAF9B33979DB52C90AE0159EDB01FE6032284EB37BC05187162983A0435560BCEA864B008F499CDB4CE662792599FE20A37972A
Malicious:	false
Preview:	<.d....!..`.......hu_HUB...(.(.......0T......5w......Uj......`.....4.a[....N..........t....".........39..........%..........B<s...8..M^...8..........J..$..O5^......)^...]..o>.......J..$......."N...t.....8dz..#g.D ......k.N...>.k.N.......n.......I..............2>..........a.........G...!...w.......................,................^............$a......6.>.........."...K....m......"..W.b...l._Xn...~..GN......~.......TH..!F.!.......K.H..!..........pN..........%..P.~...<.o........(.......... ...~......s.>...{.o.....c.z.q...K.......v......l.........h.... ........t..e....mi..%.....~.(.E.z. .a.m.i.a.t.t. .l.e.h.e.t.,. .h.o.g.y. .a. .d.o.k.u.m.e.n.t...c.i... .m...g. .i.n.d.e.x.e.l...s. .a.l.a.t.t. .v.a.n...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......M.e.g.j.e.g.y.z...s.:..........Note:.....QCLuceneResultWidget.....&.K.e.r.e.s...s.i. .e.r.e.d.m...n.y.e.k..........Search Results.....QCLuceneResultWidget.......A

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_it.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10612
Entropy (8bit):	4.458970627057882
Encrypted:	false
SSDEEP:	192:nRxcfy71b+myBN16cbc+w45rtlTnzo7uHp3JQJ9cVu4BJ1G82g33vOVrNL/7nEF1:RR4R/fJn9JizTgnqrNL/b0hH2K
MD5:	3639B57B463987F6DB07629253ACD8BF
SHA1:	65935A67C73F19FCF6023FB95030A5ACAF9DA21C
SHA-256:	316FE8D0815E2B4B396895BEB38EF1A40431915B5E054DF80F4C0CD556F26E4B
SHA-512:	AD7CA93D93A69F273CE80BE7F2F477543B9C5F9C7E4D7448223BFF084EA956B626D6837F22D83C5E282688B938F58C29073C4B5C6F26A797F716C14FABF9FFEE
Malicious:	false
Preview:	<.d....!..`.......it_ITB...(.(.....g.0T....y.5w... ..Uj....2.`.......a[............'..t..............39..........&..........B<s...j..M^...h......K...J..%..O5^...K..)^......o>...u...J..%.......#....t.....8dz..$..D ......k.N.....k.N.......n.......I..............2>.................o..G..."...w............-......./..,................^...'........$a......6.>..........#...K...........$..W.b....._Xn......GN......~.......TH.."n.!.....5.K.H..#"......>..pN..........&..P.~.....o.....~..(....p.....!...~....A.s.>.....o.... ..z.q..........................q.h....!0.......*..e....;i..'!......(.L.a. .c.a.u.s.a. .d.i. .c.i... .p.o.t.r.e.b.b.e. .e.s.s.e.r.e. .c.h.e. .l.'.i.n.d.i.c.i.z.z.a.z.i.o.n.e. .d.e.l.l.a. .d.o.c.u.m.e.n.t.a.z.i.o.n.e. ... .a.n.c.o.r.a. .i.n. .c.o.r.s.o...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......N.o.t.a.:..........Note:.....QCLuceneResultWidget.......R.i.s.u.l.t.a.t.i. .d.e.l.l.a. .r.i.c.e.r.c.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_ja.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7917
Entropy (8bit):	5.680408580146589
Encrypted:	false
SSDEEP:	192:mP6J37GcBzRjYEPEJJGTnwfJJxb7FTPjzzZBL3/q/I53:mSVqclR5s6Tnwfb7Pj/PL3/q/w3
MD5:	1380A9352C476071BDA5A5D4FED0B6C5
SHA1:	9B737ED05F80FE5D3CD8F588CCEC16BB11DD3560
SHA-256:	AE603B2C0D434D40CDE433FFCBA65F9EE27978A9E19316007BE7FE782A5B8B47
SHA-512:	EC3D68126488C3A163898BACAF7E783217868573635182CAF511ED046B4BE1F99A71FBB24DA607CCB50EDAF70893007AAEE9A6BAAE4C1CD33465A0915AA965DA
Malicious:	false
Preview:	<.d....!..`.......jaB...(.(.....S.0T......5w....'.Uj......`.......a[............u..t............!.39.....................B<s......M^..............J...>.O5^...O..)^......o>.......J...............t...w.8dz.....D ......k.N.....k.N...H...n.......I...........i..2>...<......G......9..G....P..w............i..........,................^..........'.$a......6.>...5..........K............S.W.b...2._Xn......GN...@..~.......TH.....!.......K.H.............pN...........S.P.~.....o.....\|..(..............~....o.s.>.....o.......z.q..................@.........h.....&....... ..e.....i........@.(0.0.0.0.0.0.0n}"_.0nO\b.0L}BN.0W0f0D0j0D0_0.0K0.0W0.0~0[0.0..).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......l..:..........Note:.....QCLuceneResultWidget......i.}"}Pg...........Search Results.....QCLuceneResultWidget.....R0.0.0.0.0.0.0n}"_.0nO\b.0L}BN.0W0f0D0j0D0_0.0.i.}"}Pg.0LN.[.Qh0jS..`'0L0B0.0~0Y0..........VThe search results may

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_ko.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	5708
Entropy (8bit):	5.698914195742074
Encrypted:	false
SSDEEP:	96:elPQHJ6L4c7LaQaFQv2QEhBL+Ejma0W40U0BzlQlcrnUSaTIdspIc18CLRSM3LBY:dHI97W1BbNz1VqqzJpoj5y5uY7OGrWFE
MD5:	CD15674A652C2BF435F7578E119182F8
SHA1:	AEA22E4A0D21396733802C7AB738DDD03737B7D6
SHA-256:	F11C64694E8E34E1D2C46C1A1D15D6BA9F2DB7B61DE4FDF54ECA5AB977C3E052
SHA-512:	88BFA112F4DBC0BFB4013CE0937E5180B4AB4A217FC8A963798C7C86532E794E4A1AD88416AE42F26A1C0631B465A5D69BFE75366E048502F5E21F4115A12F19
Malicious:	false
Preview:	<.d....!..`.......koB............%.......0T......K:^...g.Uj......`........YJ...>.E.4...........z...>..........;.B<s...K.B\>...b........+.s.....zq....[..9....F..vR......@.......@.......:....c.8Z......g.N...7..F....\|...........t.....D ......k.N.......I...m..^......`#....!..2.......G....@...N.................................X..K....{.......i..GN......NO.............K.H..........S..pN...z..V...............................>...........:.~.....i..%c.....z.q....i...s......D.0. .............Add Filter.....FilterNameDialogClass.......D.0. .t...:..........Filter Name:.....FilterNameDialogClass........... ...L..........Untitled.....QHelp.....(...L... ...\|.D. .....`. ... ...L.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....".....0...\|. .... ... ...L.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....2...\|. .%.1... ...x. .L.t...D. .... ... .................&Cannot create index tables in file %1......QHelpCollectionHandler.....,.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_pl.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9673
Entropy (8bit):	4.622652249027856
Encrypted:	false
SSDEEP:	192:TO/7kBL9wGu3wtCnlhLJUBB7oph+mZ18LgP:T8QnwcCnlhdvphpZ18LgP
MD5:	2B68446B69D9AA40B273D75A581D2992
SHA1:	8A09BD38998543B74E2673478EDD54FB4BBDD068
SHA-256:	CC6CB4D8C54086224672F2E49E623C8CB7C0C1CD65B8D5ECD42FC9BA3A6065BD
SHA-512:	F3A3D6A416B3411613B06FC3EE56625D4D4DE80087182AB0D0601E49314861ABEF97D11A15B4C0511911544A59FBC4A4A52F0CCF0FD43F763A76A8922D8E57B6
Malicious:	false
Preview:	<.d....!..`.......plB.....(.......0T....T.5w......Uj... R.`.......a[...............t............2.39....H......6.......n.B<s.. ...M^..._......6.O5^...F..)^......o>...............t.....D ......k.N.....k.N.../...n.......I...W..........2>...w................G.......w............&.......:..,................^...(..... ..$a....?.6.>...$..........K......W.b....._Xn......GN...Y..~......!.....*.K.H...E....."...pN...-.........P.~...}.o........(....1..~......s.>......%c.."..o.....r.z.q............................h................e.....i..#.......N.i.e.n.a.z.w.a.n.y..........Untitled.....QHelp.....P.N.i.e. .m.o.\|.n.a. .s.k.o.p.i.o.w.a... .p.l.i.k.u. .z. .k.o.l.e.k.c.j...:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....>.N.i.e. .m.o.\|.n.a. .u.t.w.o.r.z.y... .k.a.t.a.l.o.g.u.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....H.N.i.e. .m.o.\|.n.a. .u.t.w.o.r.z.y... .t.a.b.e.l. .w. .p.l.i.k.u. .%.1........... Cannot create tables in file

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_ru.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	7288
Entropy (8bit):	5.297177914619657
Encrypted:	false
SSDEEP:	192:dBJjvfq7D6X68uBAzlp5W9+yBPZZZMM7vL0PXJL:JKrMEL0PXJL
MD5:	794AF445A5D7082D51BD22683449F86D
SHA1:	3A0C369872B112A1572AA17EEB814B168B225D98
SHA-256:	557B644E6DA5F1EC720EF93965617087E4D1F40B2494CC5AA524CF3796108DE7
SHA-512:	D42C870A16AEE7626BBE24886AD423895529A2F1A51AC2DBC303BC0E4EF9D3241FE894ECA3F7217AD408C8DCEE165CA4B89D84570357B0EB80340A3F72B0A846
Malicious:	false
Preview:	<.d....!..`.......ruB..........\.%.......0T......K:^.....Uj....L.`........YJ...X.E.4...............>............B<s.....B\>............+.s.....zq.......9....B..vR...L..@.......@....G..:......8Z......g.N......F....>...........t.....D ....R.k.N...E...I...W..^......`#....s..2.......G....^...N.........................K.......d..K............O..GN...b..NO.............K.H.............pN...P..V....................g..........>.............~........%c.....z.q....i........$...>.1.0.2.;.5.=.8.5. .D.8.;.L.B.@.0..........Add Filter.....FilterNameDialogClass.........<.O. .D.8.;.L.B.@.0.:..........Filter Name:.....FilterNameDialogClass.........5.7.K.<.O.=.=.K.9..........Untitled.....QHelp.....b...5. .C.4.0.;.>.A.L. .A.:.>.?.8.@.>.2.0.B.L. .D.0.9.;. .:.>.;.;.5.:.F.8.8. .A.?.@.0.2.:.8.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....<...5. .C.4.0.;.>.A.L. .A.>.7.4.0.B.L. .:.0.B.0.;.>.3.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....`

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_sk.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10388
Entropy (8bit):	4.70568613551943
Encrypted:	false
SSDEEP:	192:uPq7iBWseXKkVu4+Qv9zEJ1xGMaLNmBgJqdC6/MxIMt:LWcseV04Xv9zEoLNDJqdX/MxRt
MD5:	75C94E59F1FC5312AE25381C247AF992
SHA1:	E3E5F4582CC5FAFE6DF43644D11484861023C084
SHA-256:	F41E33E1D790BD0D3EB180F1F875BC191FE74773628F25C2CAD95E1402E66867
SHA-512:	959B8F4D57FC9728DD4804322333D1792D45A0EE85615B559E0CA3BD2DEA22E2C8C68C6482AE9425D29C819B0ED27473EDDC82EF4B6ECFFB2E2E7B56E1509B63
Malicious:	false
Preview:	<.d....!..`.......sk_SKB...8.(.......0T......Uj......`.....0.a[....8..........t..............1"......39.......s........... .....%..........B<s...6..MQ..............J..$-.0.......O5Q......)Q...;..o>...........G...J..$......."....t.....8dz..#..D ......k.A...2.k.A.......n..._...I.................. ...21..........e.........G...!...w....Y...........!...........=...Q............$a......6.>.........."...K....i......# ._Xa..."..GA..............~.......TH..!{.K.H.."7.........pA..........%..P.~.....o........(..........!...~....u.s.1.....o.......z.q...c..............................f..e....9i..&-......(.D...v.o.d.o.m. .m...~.e. .b.y.e. .t.o.,. .~.e. .d.o.k.u.m.e.n.t...c.i.a. .s.t...l.e. .n.i.e. .j.e. .z.i.n.d.e.x.o.v.a.n.....).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......P.o.z.n...m.k.a.:..........Note:.....QCLuceneResultWidget.....".V...s.l.e.d.k.y. .h.>.a.d.a.n.i.a..........Search Results.....QCLuceneResultWidg

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_sl.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	10363
Entropy (8bit):	4.613473842638716
Encrypted:	false
SSDEEP:	192:vNBqTi7qBCVIQf54EslZ2Jy/L/BnmpP0bX3caK6q1B6/hgIlCCUb0:vjq2+UVT4ESZOYmpP0bX26q1I/yqCCUw
MD5:	3B0AEE27B193A8A563C5CB5C7C4FE60F
SHA1:	C94E832595EC765370553468F87C02DB7E7D138A
SHA-256:	2EC955E662407EBCD8DCDAE5AAA21E4108E0B5B0AEE0E9DB712C27072943535F
SHA-512:	EBC25C378126876F44279E23CA0CF06FC9E7D5F51AD7E3DBDABA7A50C81112EDC1C76F7FD0AF47E447A93C3593BB953A0C9C1FBBFC49494E6B29BF21655F690E
Malicious:	false
Preview:	<.d....!..`.......slB...8.(.....E.0T......Uj......`.......a[............!..t..............1"....;.39.......s....^............$........i.B<s...,..MQ..........}...J..#..0.....Z.O5Q...[..)Q......o>...............J..$I......"W...t...C.8dz..#H.D ......k.A.....k.A.......n.......I.................. P..21....................G...!...w............?...!...3...........Q...+........$a....>.6.>.........."...K...........".._Xa......GA..............~....A..TH..!I.K.H..!..........pA...>......%..P.~...>.o........(....d..... ...~......s.1.....o.......z.q.....................................e....{i..&.....z.(.R.a.z.l.o.g. .j.e. .m.o.r.d.a. .t.o.,. .d.a. .s.e. .d.o.k.u.m.e.n.t.a.c.i.j.o. .a.e. .v.e.d.n.o. .i.n.d.e.k.s.i.r.a...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.......O.p.o.m.b.a.:..........Note:.....QCLuceneResultWidget.....".R.e.z.u.l.t.a.t.i. .i.s.k.a.n.j.a..........Search Results.....QCLuceneResultWidget.......R.e.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_tr.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	4629
Entropy (8bit):	4.68793836539357
Encrypted:	false
SSDEEP:	96:BoiK0UD2wMLb7Lqlguotqbww5BLNwWjK0kHU9zuQlUVUfniqthweEIFwC18lLEGA:PXFf7pU75BWWOpcJcVqDFNz8brgyf76r
MD5:	32D6EE3D8EE6408A03E568B972F93BCB
SHA1:	582EE079DBD42000C378E0701D26405750524DBA
SHA-256:	EBDECA0CFEE7A9441DEB800BABFD97C63BC4E421DA885C55B3BD49725EBACD25
SHA-512:	24AAA30B9CB4DB82A57411FBA24A87D70D8B845AE48A6FDA633D0BE6B824B58FDD2F450C2B385F16F49E2F9C6FA0A3124FD0F28594726940F996C66F8F3216CC
Malicious:	false
Preview:	<.d....!..`.......tr_TRB.....%.....[.0T......Uj......`.....$..............L.B<s.....B\>..........4.+.s...............t.....D ......k.N...5...I......2.......G....5...N..........a...............f..K....9..........GN...........@.K.H..........q..pN...t..........>...z.~...../..%c.....z.q....i..........B.a._.l.1.k.s.1.z..........Untitled.....QHelp.....J.K.o.l.e.k.s.i.y.o.n. .d.o.s.y.a.s.1. .k.o.p.y.a.l.a.n.a.m.1.y.o.r.:. .%.1..........Cannot copy collection file: %1.....QHelpCollectionHandler.....2.D.i.z.i.n. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r.:. .%.1..........Cannot create directory: %1.....QHelpCollectionHandler.....\.%.1. .d.o.s.y.a.s.1.n.d.a. .d.i.z.i.n. .t.a.b.l.o.l.a.r.1. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r...........&Cannot create index tables in file %1......QHelpCollectionHandler.....N.%.1. .d.o.s.y.a.s.1.n.d.a. .t.a.b.l.o.l.a.r. .o.l.u._.t.u.r.u.l.a.m.1.y.o.r........... Cannot create tables in file %1......QHelpCollectionHandler.....P.S.q.l.i.t.e. .v.e.r.i.t.a.b.a.n.1. .s...r...c...

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_uk.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9750
Entropy (8bit):	5.281035122342072
Encrypted:	false
SSDEEP:	192:eMp79BCN+u8hhbHbny+HJouHgei50JBSfDvbetpP/RIkT:eIhgNgBbny+phiS3SfDDetpP/RRT
MD5:	90A776917D534B65942063C319573CDC
SHA1:	5DF3B213D985A3BBDB476B37B7780D7D7DF17E41
SHA-256:	497CFC473684692EE44D7A3795E8FB2270C57069FD9EB98A615DD29AB9BE8A7C
SHA-512:	B34A019716B50CE8E1E20AC32756B3B0D5802971F7A04F4BDDE2418DA551AFB9742B79E934979DB6FAB9DAC05D7D26A3B19ABA77158321F8D9AAB08AEBBD455A
Malicious:	false
Preview:	<.d....!..`.......uk_UAB...(.(.....?.0T......5w......Uj......`.......a[...............t............K.39....u....."..........B<s...8..M^...j......y...J..!..O5^...Y..)^......o>...o...J..":...... <...t...E.8dz..!3.D ....".k.N.....k.N...d...n.......I..............2>...>......o.........G.......w............E.......e..,................^...S........$a......6.>...'...... y..K........... ..W.b....._Xn......GN...p..~.......TH...4.!.....9.K.H.............pN..........#].P.~...~.o.....N..(....b.........~......s.>.....o.....o.z.q..........................U.h.............D..e.....i..#.......(...@.8.G.8.=.>.N. .F.L.>.3.>. .<.>.6.5. .1.C.B.8. .B.5.,. .I.>. .4.>.:.C.<.5.=.B.0.F.V.O. .4.>.A.V. .V.=.4.5.:.A.C.T.B.L.A.O...).........M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget.........@.8.<.V.B.:.0.:..........Note:.....QCLuceneResultWidget.....". .5.7.C.;.L.B.0.B.8. .?.>.H.C.:.C..........Search Results.....QCLuceneResultWidget....... .5.7

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_zh_CN.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	6441
Entropy (8bit):	5.790303416386852
Encrypted:	false
SSDEEP:	192:pB37nBD4H5PCyLDxLSzJPduYx9vja/FIgH9yIFqfs:rTZ4HUAD1S1JFe/F59PFqfs
MD5:	9297A6905B8B1823BF7E318D9138A104
SHA1:	3DB992A1B3BBCAF314B7EA4A000D6334D7492A52
SHA-256:	C02AAA20923F18ADDAB520BE5CB84EFD4C723396BDC24B4C9A72D406F101C7B4
SHA-512:	01F12CEE0AE456D78942A6049E1C77F94B406C8FFB4A5944DE15E54D1C760CDBA13279530A8F29B1443D1BBC647D3AF5436AAD8C43EB3944316C48300B3827E4
Malicious:	false
Preview:	<.d....!..`.......zhB......I....L.0T......Uj......`.......a[...............t....P..@....Z.......<.........39.......s....2.................B<s......MQ..........9...J......31.....0.......O5Q......)Q...^..o>...........(...........J...V...........t.....8dz.....D ....Z.k.A.....k.A.......n.......I...........t..w................!...........o.......D...Q...E........$a......6.>...h...............%._Xa......GA..........._..TH...r.........pA.............P.~.....o.....].~.q.............~......o.....h.z.q...........H..0q....................i........2..S.u...y.`.Q.v.S.V.S..f/V.N:..e.hckcW(..}"_.0............M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......l..............Note:.....QCLuceneResultWidget......d.}"~.g...........Search Results.....QCLuceneResultWidget.....,d.}"~.g.N_..^vN.[.et..V.N:..e.hckcW(..}"_............VThe search results may not be complete since the documentation is still being indexed!.....QCLuceneResultWidget..

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_help_zh_TW.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	9301
Entropy (8bit):	5.80411750798786
Encrypted:	false
SSDEEP:	192:4bgIXwsL78BQp4dRDP0ludqODa/wkB/tTWn5dJ6mO8IZiT9Dzz/wI3HyRWqUqS:lI/oS4dR5c/tTWn5/EZA9D/w+H8WqUqS
MD5:	47C3328D3918CF627112BB6C50E30B86
SHA1:	05705603AB3F28402A6C103E1C41DDFF21D140C0
SHA-256:	3697F1660D7F2AC9B37AC33CD1C7ECAE08ADBD26710E7E0076497CCDDC8BC830
SHA-512:	8DE1C3C5A48965CF6D8AA545DA9F0A5C00AE124F3E4153597915E7C0F4CAE1E26723270F58A47AA9FFA4AAF30E6EBA522D4EBAD27DECF17EF108E353E611980E
Malicious:	false
Preview:	<.d....!..`.......zh_TWB......I....[.%.......0T......0T......Uj......Uj....R.`.....>.a[....................g..t....7..@......................39.......s................... .........B<s.....B<s.....B\>......MQ..........[...J...]..31.....+.s...c.0.....U.O5Q......)Q...C..o>.......................J...............t...3...t.....8dz.....D ....R.D ......k.A.....k.A.....k.N...'...n.......I.......I...........[..2....x..G........N......w................!...........:...........Q...&...............$a......6.>...I.......L.......$..K......................_Xa...y..GA...O..GN...........$..........TH...I.K.H................ Y..pA...K..pN.............P.~.....o.....D.~.q......>.............~......~........%c.. ..o.....!.z.q...........#..0q....................i..!Y....(..g.S..f/V.p.N.W(^.z.e.N.v.}"_.uvN-0............M(The reason for this might be that the documentation is still being indexed.).....QCLuceneResultWidget......P..;............Note:.....QCLuceneResultWidget......d.\.}Pg...........Sea

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_hu.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.6255640074603277
Encrypted:	false
SSDEEP:	3:j2wZC4C/IrLlAlHekfK/gp1MUXaMlI+rwtbWlMiayIPldkOgn:CwDrC+TYIUrIRt6HoiHn
MD5:	5A46979B45C67DD6312F33CCEA2ED7BC
SHA1:	4C56836B1FB10D9903B299CBCB925947D515B4C8
SHA-256:	BB246AABD501E14CED8B1FFC1369E3D5D26567AAE62B3EAD4D94C22FB77C3471
SHA-512:	BDBA4E1731CF254E95B0F1337410937C765E96FBB1D42F1D053033E1511FEE6F50C02705F781F4DAA0347E2299DC78A5A9942AC4EA343ED1F8F401F9ACD961E4
Malicious:	false
Preview:	<.d....!..`.......hu....v.....q.t.b.a.s.e._.h.u.....q.t.s.c.r.i.p.t._.h.u.....q.t.m.u.l.t.i.m.e.d.i.a._.h.u... .q.t.x.m.l.p.a.t.t.e.r.n.s._.h.u

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_it.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153
Entropy (8bit):	3.5752972123113778
Encrypted:	false
SSDEEP:	3:j2wZC4C/EbFlAlHeke5zOp1MUWLt7KlI+rwtbWlMj5FKIPldkOA9kk:CwDM+35aIUW5SIRt6Q50oi9Gk
MD5:	2BB8C94D420D3BC344C79A01043BDC89
SHA1:	3FBA773D58E6D3699C20AB41AEE6801E71E2DDAE
SHA-256:	9117AAC2D07BC86DFA55A29B8825ED27C7093300FCC90E143E135E00E85F09D7
SHA-512:	C6B13655AFB206B0056F5656B4A9BF33CC267FCC928F6973258131CFA6443970510226FE45A041E5AA988809E17D0B11C7458F4A241C71521EDED186596C6055
Malicious:	false
Preview:	<.d....!..`.......it....v.....q.t.b.a.s.e._.i.t.....q.t.s.c.r.i.p.t._.i.t.....q.t.m.u.l.t.i.m.e.d.i.a._.i.t... .q.t.x.m.l.p.a.t.t.e.r.n.s._.i.t.......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_ja.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.599979504080125
Encrypted:	false
SSDEEP:	3:j2wZC4C/il/lAlHekd6hY1MUV6JAlI+rwtbWlMgel3UlIPldkOG:Cwz4+pjUGAIRt6qVUloiB
MD5:	8A1EE3433304838CCD0EBE0A825E84D8
SHA1:	2B3476588350C5384E0F9A51FF2E3659E89B4846
SHA-256:	23457CE8E44E233C6F85D56A4EE6A2CECD87C9C7BDDE6D8B8A925902EED1CD9C
SHA-512:	2D8ACD668DF537E98B27161F9FA49828EB2EB6E9CF41DB38E7F5D31F610D150CD1B580A8AE9B472A4DFDE4D4BF983C24A56293BB911CF5879368664E4D4CF3D2
Malicious:	false
Preview:	<.d....!..`.......ja....v.....q.t.b.a.s.e._.j.a.....q.t.s.c.r.i.p.t._.j.a.....q.t.m.u.l.t.i.m.e.d.i.a._.j.a... .q.t.x.m.l.p.a.t.t.e.r.n.s._.j.a

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_ko.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	146
Entropy (8bit):	3.652277257665055
Encrypted:	false
SSDEEP:	3:j2wZC4C/rrr/lAlHekcQ/01MUUQMlI+rwtbWlMhQGlIPldkORn:CwCC+1Q/UUpIRt6SBloimn
MD5:	7B2659AF52B824EAC6C169CDD9467EE9
SHA1:	5727109218B222E3B654A8CC9933E970EB7C2118
SHA-256:	4CC1AF37E771F0A43898849CFF2CD42A820451B8D2B2E88931031629D781DB05
SHA-512:	E9475AC80BDBBEFF54F2724A2B6BA76992F18FD1913FD8EE1540A99FD7A112B79FED5A130B6AC6D7460E4420C06354FC6E4CF7770A7C6CBD3EAC1BDAF0082DE5
Malicious:	false
Preview:	<.d....!..`.......ko....v.....q.t.b.a.s.e._.k.o.....q.t.s.c.r.i.p.t._.k.o.....q.t.m.u.l.t.i.m.e.d.i.a._.k.o... .q.t.x.m.l.p.a.t.t.e.r.n.s._.k.o

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_lt.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165383
Entropy (8bit):	4.805977227348512
Encrypted:	false
SSDEEP:	1536:i5v3+zmayloj6yJjhnBAbnrKnGrhA7WgdXclIsooY9i:SvOzAloj6yJ9BA7riGr+7WKXc+s5ui
MD5:	8992B652D1499F5D2F12674F3F875A35
SHA1:	E22766A49612F79156C550D83C6C230345DDA433
SHA-256:	47EB5F97467DF769261421D54A5BEA1131C9FB9B6388791D38BB6574335B64BF
SHA-512:	9B8B6DBFF432F2A46C14BC183A6BAF84ACBF02BF2C5BB8C306C6538FBD9BE1C0A9015BD46728F2F652F9163AFC56B1E16D16EB95D8F7728F3C562AE9F4F1AE1E
Malicious:	false
Preview:	<.d....!..`.......ltB..0X.....)C...+...\|......P....@..9....A..9....B..:....C..:....D..;....E..;....F..<6...G..<....H..=)...I..=....P..>q...Q..>....R..?....S..@f...T..@....U..A\...V..B....W..B....X..C....Y..Cy...]..k....t..........t>......th......t.......pd...;..J'...;.._h...;.......;...{...;..J....;...)...M..l....O...R...O...............}..l9...m..lo......^S..(5..P{..+;..4...+;......+;......+O..4...+O......1...^...E@..?p..F...C...H4......HY......H.......I...D...I@..s...IA..t...IC...2..J.......J....Y..J.......J.......K...9...LD...`..L.......PS......R.......T...q...Zr...`..[`......[`..&@..\....e..\....b.._......._....P..1........E..........5........L..1...O...1...PP......7......../...........$.......$.......,.......y.......y..........K^..............x......8................L...E.......E.......E......................%..:....%.........0U.....W......Zo.....^....5.......0..I....0...F...0...\|...0.......0.......0..+\...5...}.......... D...g.. D......+....j..,.......,.......<U...+..<U

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_lv.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	89
Entropy (8bit):	4.156834975253888
Encrypted:	false
SSDEEP:	3:j2wZC4C/HzllldQlHekbxplUp1MUTJ+b:Cwv+DIUEb
MD5:	19F1B919BB531E9E12E7F707BEBD8497
SHA1:	46E82683CEA28D877C73A5CE02F965BB1130FC62
SHA-256:	03467738042A15676E504BA02CB326DCDB773B171FADA3CD62B7A0E0564314A0
SHA-512:	901D7B26CAC7A4D0FFDB39A1D25767B5BC71BED4AFBE788D70BF19D4C58A8295167111675AB45E743FDF4768AF874D69417414C01CF23D5C525A3F6C8BF7D21F
Malicious:	false
Preview:	<.d....!..`.......lv....0.....q.t.b.a.s.e._.l.v.....q.t.s.c.r.i.p.t._.l.v........)....

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_pl.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	161
Entropy (8bit):	3.8693516202048612
Encrypted:	false
SSDEEP:	3:j2wZC4C/5J/p/lAlHekHp/7KlI+rwtbWlM6Tl/z21MUPp/FOlIPldkOjehB:Cwr+26IRt6nFURkloiT
MD5:	D71EA9FEFD97464B178235150EC8759E
SHA1:	61026FE602FD1B8B442A0D341C6BD759EEC75488
SHA-256:	BD7DD0C2CAB119A973DC10C3BFF7499D9728B928B541F86056921B30C8DB78E6
SHA-512:	ECD76A7D8B8D733E635B2BFEA90A4CD387B83D9D8A4EB6D299F59FF22AAA8D617A4C886A825A1CDDD901925C7839E2C18BDD4E0CD84152641922B66B62663F77
Malicious:	false
Preview:	<.d....!..`.......pl....v.....q.t.b.a.s.e._.p.l.....q.t.m.u.l.t.i.m.e.d.i.a._.p.l.....q.t.s.c.r.i.p.t._.p.l... .q.t.x.m.l.p.a.t.t.e.r.n.s._.p.l............,..

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_pt.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	70334
Entropy (8bit):	4.732724622610353
Encrypted:	false
SSDEEP:	768:OKGUuWW+WHjS0gMBd483+Y7bDPs4RHBloLUIltlzAJnx4nnliM1OPlOibLG:JGUuWPuSgm0Jn+n4Mhj
MD5:	6656500F7A28EF820AE9F97FD47FB5BB
SHA1:	CC112B9C9513BCF7497F3417168B4C8A9F7640A9
SHA-256:	2C1E7BBF5168A64B43752DD4C547601C0BDE6D610F8671FA3E3AF38597E84783
SHA-512:	5C3CBFCF86AF6B4D949C1D914CD379E512E73BA350AF661033A386EE7FB981FBFCB43D9A35FDE7656E17BB09F64F1469F84867A780573C3359D645269461D5A6
Malicious:	false
Preview:	<.d....!..`.......pt_PTB...(......9...+...e...]..6....;.......;..-....;..;`...;..};...;.......M..6....O... ...O...w...........}..7....m..7B..........+;......+;..8S..+;..>...+O......+O..8#..H4......H.......J......K.......LD...)..L....}..PS...l..Zr...B..[`...;..[`.....\...kU.._......._.......1...?...............8...............E............,..................p........0...............v...........%...O...%..G........4...0.......0..:....0..y....0..\|....0.......0...X...5.......5...... D..=... D..Kn..+....L..,...>...,......<U..z...<U......<.......F...>...F.......H5...4..H5..=...H5..K...H5......f....p..f...1...f...;...f...I...f...\|H..f.......f.......l....................b......<...............>.......L ...........`......`..._.......A......2....e...g...e..>D...e..LW................y...,..y......y..o...y......T..L...0..'..*.0....+F...y..+F......+f......+f...C..+.z..0..+.....d.+....p0.+.....R.+.z..0U.+.....u.+....8..+....Ct.+....L..+....y..+.....Z.+......+...pc.+.....+....0..

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_ru.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	164
Entropy (8bit):	3.984562388316898
Encrypted:	false
SSDEEP:	3:j2wZC4C/oZlAlHekF8Op1MUNKJKlI+rwtbWlM4KKIPldkOSxRMugB:CwY+GIUgcIRt61oihM3
MD5:	F7A8C75408B9A34A2B185E76F51B7B85
SHA1:	065E987139C5FB809A6F9CDF3845BCD79707FDBB
SHA-256:	6492B267608C6FB76907BD8FCFC8F1EF57E9F4EBBC2E81ACA81715A88388F94A
SHA-512:	E768C5B438EC899801B22B1325F2244ACCC5E7C2EC5D270F510BC3CBC2D9A0536949C026DB7FB5862835E506A9F2020DEB2CC4001E7011FF974324542734F855
Malicious:	false
Preview:	<.d....!..`.......ru....v.....q.t.b.a.s.e._.r.u.....q.t.s.c.r.i.p.t._.r.u.....q.t.m.u.l.t.i.m.e.d.i.a._.r.u... .q.t.x.m.l.p.a.t.t.e.r.n.s._.r.u........)......,..

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_sk.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	157
Entropy (8bit):	3.7731953311404336
Encrypted:	false
SSDEEP:	3:j2wZC4C/3xRlAlHekE8lgp1MUM8lMlI+rwtbWlM5UllyIPldkOfll6kchn:CwS0+t8CIUM86IRt6KUlsoi2CVh
MD5:	24C179481B5EF574F33E983A62A34D53
SHA1:	0A67F1ED8CA4A5182F504806F8D47D499789F2D2
SHA-256:	B6ADFFD889FF96BF195CB997327E7D7005A815CAD67823FA6915A19C2D9BB668
SHA-512:	4757F3693120DAB2FBB7BCF1734EA20B3E3D9056B4B4E934A3129D660CFDC6C58B230459DB55912AF24AD5692BD221830BE0FF91E41D3EECD9439E79AC23FFE6
Malicious:	false
Preview:	<.d....!..`.......sk....v.....q.t.b.a.s.e._.s.k.....q.t.s.c.r.i.p.t._.s.k.....q.t.m.u.l.t.i.m.e.d.i.a._.s.k... .q.t.x.m.l.p.a.t.t.e.r.n.s._.s.k...........

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_sl.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	228428
Entropy (8bit):	4.726953418955661
Encrypted:	false
SSDEEP:	3072:9zQH0hOtgmiAZu0eeAEv+v49JnnSmICgr3n7jhCQUeinqyU5UggtRLGrQ2LZO+Y1:RpUsSpGr36wsR
MD5:	D35A0FE35476BE8BD149CEE46E42B5E9
SHA1:	9F3C85C115A283E5230D1EEAD84C8CB73A71FA03
SHA-256:	C44E0313A9414CC0E490B65B0C036FA11BCA959353B228886547BC2C8492034F
SHA-512:	BEEB1751882AF081E80BE93F7464D4C6322B724EFA2CBD3E1CBE709181D380C1C57E770FA962BB706D6FCF4A8CB393E3F6E187C1F604F8CEEFB201CA3200BD1C
Malicious:	false
Preview:	<.d....!..`.......slB..<....*.......+.......@...C...A.......B...<...C.......D...2...E.......F...d...G.......H...W...I.......P.......Q.......R.......S...x...T.......U...n...V...%...W.......X.......Y.......]..g~...t...V.......f..................................;..G....;..[....;...q...;..ia...;... ...M..g....O.......O.......[..,e...........}..g....m..h........Q..(5......+;..2...+;...b..+;...i..+O..2...+O...4..1......E@......F.......H4......HY...%..H.......I.......I@......IA...9..IC......J...6...J.......J.......J...^...K...7...LD......L....n..PS...U..R.......T....=..Zr......[`...V..[`......\...!,..\...8U.._..."b.._.../h..1.......E...9......4...............5........e...................$...<...$..Z....[.......,.......y...L...y..].......H.......@.......J.......6........~..........E...O...E..+....E...~..............,1...%..8r...%...........^..............................5.......0..Gx...0.......0..P....0..h....0.......0.......5...^.......... D...... D......+....`..,.......,...-...<U

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_sv.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	65851
Entropy (8bit):	4.7906769989650515
Encrypted:	false
SSDEEP:	1536:4u6DkpgyKmRmG15mGM6iFPi6Q/qTlOQZY2dKN8gKw:4u6DotUG1sGMZPi6Q/qTlO2Y2YKw
MD5:	0E85E0E0E7DDFE3D4BDE302F27047F9C
SHA1:	AE59348E0C2E4F86F99DA6CF5DAB3B7E92504B7C
SHA-256:	4B4B6FF7FD237C9DA0301B4946132E68653D15EB5FAF38E4C5FBFEBB12DD97F7
SHA-512:	8CAAB6C61E9FA26A3A289A9E4DC515D157B3092D6D4ED43861220261BD2B7CC79B35B52F9ADE4EF558B5385B37EAC14575420DD55C475F435BB95B6C1E2561B6
Malicious:	false
Preview:	<.d....!..`...B..............+...i...]..6....;.......;..-f...;..:;...;..t....;.......M..64...O.......O...........q...}..6\...m..6........(..+;......+;..7...+;..=...+O......+O..7c..H4......H.......J.......K....F..LD...+..L.......PS...N..Zr......[`...7..[`...N..\...h4.._....J.._....k..1...>...............7........}......D............,.................i....................................%.......%..Fc.......6...0.......0..9....0..q....0..t....0.......0.......5.......5...... D..<}.. D..I...+.......,...=X..,.......<U..r...<U...n..<.......F...=...F....F..H5......H5..<...H5..J4..H5......f.......f...1V..f...:f..f...H;..f...t&..f.......f.......l..................8......;z..............<.......Je.......6...`...&...`...!.......9......1....e.......e..=....e..J..............g...y......y.../..y..h...y......T..J...0..'[..0...K.+F...q..+F.....+f......+f...A..+.z../..+.......+....i`.+.....X.+.z../..+.....S.+....7..+....Bi.+....K..+....q..+.......+......+...i..+.....+....0..F0i.....G.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_tr.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	110
Entropy (8bit):	3.630483009136986
Encrypted:	false
SSDEEP:	3:j2wZC4C/7zl9lAlHekDN/01MULV4LlI+rwtbWlM+N:Cw5+wUGRIRt6n
MD5:	16CDF5B9D48B0F795D532A0D07F5C3A0
SHA1:	6E403C9096B3051973E2B681DFEBBC8DD024830D
SHA-256:	F574A2CFD4715885C3DBDF5AE60995252673BD94FDAA9586F7E0586F6C1AC0EE
SHA-512:	36A0431368010157EA8A45DCB00458076CCFFC08B37E443DEBD1AAD4A30C6080803337725A7A3DCBF2B410DC7BE89CEAF6C07C46F876E4EF5B08159E3BF38E6D
Malicious:	false
Preview:	<.d....!..`.......tr....R.....q.t.b.a.s.e._.t.r.....q.t.s.c.r.i.p.t._.t.r.....q.t.m.u.l.t.i.m.e.d.i.a._.t.r

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_uk.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	164
Entropy (8bit):	4.021402900389864
Encrypted:	false
SSDEEP:	3:j2wZC4C/ZlRlAlHekCczOp1MUKUt7KlI+rwtbWlM/cFKIPldkONRMugB:CwUl0+rjIUKUcIRt6M/oioM3
MD5:	9B101363343847FE42167183320C03F0
SHA1:	F0DF2CFF913E588B7CADFDABBF69F4F632B2F96A
SHA-256:	F1621E680E1642F9463E4B07E7E78B50F9A7BDB7C321D7302039CB3405CBDEA4
SHA-512:	DA14FDF8DB514902733CAAC492293873351C595EBBE0ACB0849BECE24AB822602EE64D01051F1426CD1FC13A95D8607302CF9B515D9806FDD3BD047087DE447C
Malicious:	false
Preview:	<.d....!..`.......uk....v.....q.t.b.a.s.e._.u.k.....q.t.s.c.r.i.p.t._.u.k.....q.t.m.u.l.t.i.m.e.d.i.a._.u.k... .q.t.x.m.l.p.a.t.t.e.r.n.s._.u.k........)......,..

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_zh_CN.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	117347
Entropy (8bit):	5.8593733369029195
Encrypted:	false
SSDEEP:	1536:51dXW89nqEFu54aekvRzHHSVuf8j2+/xc3lhnbsfdAoz/w:v9qEFeLekvRznSVHJG3lhn+djY
MD5:	0D02F0DE5A12BCB338B7042DFBDAACF3
SHA1:	B7C10D249D8986AD8C6939B370407D07227A39F5
SHA-256:	28CDE75D7B32C81FEF1D4630C37B79A61DEC24B357632FF00D6365A57D8BE43B
SHA-512:	21F02EBA36B4411921EA3C70310B8E454E8FC2B8F09957FD6A63B71689DC381F7A5E2C3BDF2810734D659AB43D8A7BD46EF6436ECC52F75C71B5F5C313365444
Malicious:	false
Preview:	<.d....!..`.......zhB..+...........+.......@.......A...8...B.......C.......D.......E...V...F.......G...L...H.......I...9...P.......Q...e...R...^...S.......T...T...U.......V...\|...W.......X...o...Y.......]..4 ...;...2...;..,....;..8....;.......;.......M..4H...O.......O...........#...}..4p...m..4........N..(5......+;...f..+;..6Y..+;..<...+O...8..+O..6'..1......E@......F....Y..H4..."..HY..J...H.......I.......J.......J.......K....5..LD..._..L......PS...V..Q....6..R...N...W..../..Zr.....[`.....[`......\...lU.._......._....L..1...<........j......6...............B........I...$..K....$.......,...g...y...3.......A......r...........................9..L7......;w...E..5b...E...G.......5...%.......%..D........`..............................0.......0..8W...0..}y...0...6...0.......0.......5.......5...... D..:... D..J...+....R..,...;...,......<U..~...<U......<......F...;...F......H5...i..H5..:...H5..Jk..H5...w..VE...[..f....u..f...0X..f...9...f...E...f.......f.......f....j..g....A..l.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qt_zh_TW.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	141
Entropy (8bit):	3.7198292994386235
Encrypted:	false
SSDEEP:	3:j2wZC4C/0N6xg/Rl/gl+kNXDelHrwtbWlMwTolIPldkOfDn:CwOO2+g6Mt63oloiUn
MD5:	ED4135D705AEF3D97F8BF6B8FF11F09C
SHA1:	308E2B8F74B863A61AD0B68F4A18ED06965EBEAA
SHA-256:	751ECDA0C33E061D91241268357FBD2F6B7F70A1116E714F28D22EFD61EC7A1A
SHA-512:	B6E6D00553A9C427130129B9D30E862028E549F372A832F0F05747C8E2A79E443F4932EC3AE177537C8BA00D26B5B6CB97D5B35426AB5229F6A468CA485BE0B1
Malicious:	false
Preview:	<.d....!..`.......zh_TW....n.....q.t.b.a.s.e._.z.h._.T.W...$.q.t.m.u.l.t.i.m.e.d.i.a._.z.h._.T.W...&.q.t.x.m.l.p.a.t.t.e.r.n.s._.z.h._.T.W

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_ar.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	160017
Entropy (8bit):	5.35627970915292
Encrypted:	false
SSDEEP:	1536:XGlAMfkX1M0RdaCkR8lfv8vtc8EFrVYA2I4AJZWEWgHg1C8COvzHKHC6Jp9NV0V7:XUr0RACkIwDEpV1Lgf1ubtw3Bb
MD5:	A7E4D0BA0FC5DF07F62CC66EC9878979
SHA1:	21FD131B23BDD1BBA7BBB86F3ED5C83876F45638
SHA-256:	E03FE68D83201543698FD7FE267DD5DFC5BFD195147E74FF2F19AC3491401263
SHA-512:	D9E6B10506FCF20B5B783F011908083D9DF6C5DF88E21B10D07F53A01AD6506A4B921C85335A25BAE54E27BAD7D01B6E240D58FDEEAABC7FF32014EC120C2ECF
Malicious:	false
Preview:	<.d....!..`.......arB..2....*.......+.......@.......A.......B..._...C......D.......E......F.......G... ...H...D...I...h...P...C...Q...g...R......S.......T.......U.......V...x...W......X.......Y.......]..'=...s......t...........]...........;..'....;..(....;.......;.......M..'e...O.......O...9...........}..'........C...=......m..'....t..........!o..(5...Z..+;..5u..+;..c...+O......1...!...D@...8..E@.....H4...,..HY..QI..H.......IC......J....1..J.......J.......LD......L.......PS......QR...R..R...V2..T.......U....]..X.......Zr.....[`......\....t..]x......_......._.......yg......1...6....E..8V..............C............................$..RN...[...0...,.......y.......y...................K...........9..R....E.."............z.......................%..F;...D...[..................................!....5.......0...I...0.......0...5...0..#....5.......5...p..............W}.. D..(... D..P=..+.......<U......<U......<.......H5..(...H5..P...L.......VE......VE......V....B..f...JJ..f.......f.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_bg.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165337
Entropy (8bit):	5.332219158085151
Encrypted:	false
SSDEEP:	1536:9ULiyUxPoT6qx+J7FJlaaMJnxjqxq+0Uiff0mbVeb7wiEwYuYqDKBkKHMXHCIMll:9ULpIVFnpwUiEujw27ncUQUz
MD5:	660413AD666A6B31A1ACF8F216781D6E
SHA1:	654409CDF3F551555957D3DBCF8D6A0D8F03A6C5
SHA-256:	E448AC9E3F16C29EB27AF3012EFE21052DAA78FABFB34CD6DFF2F69EE3BD3CDB
SHA-512:	C6AE4B784C3D302D7EC6B9CE7B27DDAF00713ADF233F1246CD0475697A59C84D6A86BAA1005283B1F89FCC0835FD131E5CF07B3534B66A0A0AA6AC6356006B8F
Malicious:	false
Preview:	<.d....!..`.......bg_BGB../......,....+..."...@...]...A.......B.......C.......D...P...E...!...F.......G.......H.......I.......P.......Q.......R...A...S...e...T.......U.......V.......W...1...X...U...Y...y...]..,....s...,...t...................P...;..+....;..-E...;..!....;..+....M..,Y...O...,...O..............}..,............=...Q...m..,....t...\|......>...(5..1...+;..<...+;..o...+O...r..1...>...D@......E@......H4......HY..[...H.......IC......J....E..J....X..J.......LD......L....L..PS......QR.."...R...`...T....X..U.......X.......Zr...q..[`...`..\.......]x......_......._....T..yg.....1...=....E..?...............L(.......(...............'...$..\....[.......,...I...y...!...y...................S...........9..]%...E..5p...........z..!q...................%..O....D..................D.....8......:......?....5...&...0.......0.. ....0...c...0..5....5.......5..................b:.. D..-... D..Z...+.......<U......<U...0..<.......H5..-...H5..[...L.......VE..#a..VE..;...V.......f...T...f...!..

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_ca.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	210159
Entropy (8bit):	4.666388181115542
Encrypted:	false
SSDEEP:	3072:P/DVhdlafzvZfeW+6kXEVjSVPzC3ceKdP2:xYf7UW+WjwP2
MD5:	B383F6D4B9EEA51C065E73ECB95BBD23
SHA1:	DD6C2C4B4888B0D14CEBFC86F471D0FC9B07FE42
SHA-256:	52E94FCC9490889B55812C5433D009B44BDC2DC3170EB55B1AF444EF4AAE1D7F
SHA-512:	9401940A170E22CE6515E3C1453C563D93869A3C3686C859491A1F8795520B61BF3F0BFE4687A7380C0CC0C75E25559354FDB5CEF916AF4C5B6CD9661464A54A
Malicious:	false
Preview:	<.d....!..`.......caB..7....*.......+.../...@..:P...A..:t...B..:....C..:....D..;=...E..<....F..<Z...G..<~...H..<....I..<....P..>....Q..>....R..?....S..?R...T..?v...U..?....V..?....W..@....X..@<...Y..@`...]../....s..1....t..........2s......#p...;.......;../....;..W....;..e+...M../3...O.......O..9.......J....}../]......8....=..9....m../....t..9Y.......S..(5..lB..+;.._...+;...=..+O..U...1.......D@..:...E@..?...H4...J..HY..~...H..."...IC...0..J....W..J....0..J.......LD..!...L...!f..PS..)...QR.."...R.......T...9~..U...9...U...z...X...>...Zr..E...[`...e..\...LD..]x..7U.._......._...M...yg..f...1...a....E..c....7.........U.......p........b.......4.......K...$.......[.......,.......y.......y...................^...........9...:...E...s...... (...z..":.......d......!....%..tQ...D.."......."......2......ve.....y...........5..#H...0...\...0..W+...0..';...0.......5..(....5..........)s.......... D..0w.. D..}...+...1...<?..5x..<U......<U..5...<...6@..H5..0...H5..~...L...9...VE..$...V...SV..f.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_cs.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	174701
Entropy (8bit):	4.87192387061682
Encrypted:	false
SSDEEP:	3072:5WjuhX0CVRaakGjW9E8SSOQfX/JlwVOMxrboRPqWxXfQvO7zjBf:5iFGj1QfXr8Gd
MD5:	C57D0DE9D8458A5BEB2114E47B0FDE47
SHA1:	3A0E777539C51BB65EE76B8E1D8DCE4386CBC886
SHA-256:	03028B42DF5479270371E4C3BDC7DF2F56CBBE6DDA956A2864AC6F6415861FE8
SHA-512:	F7970C132064407752C3D42705376FE04FACAFD2CFE1021E615182555F7BA82E7970EDF5D14359F9D5CA69D4D570AA9DDC46D48CE787CFF13D305341A3E4AF79
Malicious:	false
Preview:	<.d....!..`.......cs_CZB..3p.....F....+.......@..!....@..Ef...A..!....A..E....B.."1...B..E....C.."U...C..E....D.."....D..F....E..#p...E..F)...F..#....F..FP...G..#....G..Fw...H..$....H..F....I..$6...I..F....P..&%...P..Gr...Q..&I...Q..G....R..&....R..G....S..&....S..H....T..&....T..H8...U..'....U..H_...V..'Z...V..H....W..'~...W..H....X..'....X..H....Y..'....Y..H....]..,....]..,....s.......t...9..................;.......;..+....;..1B...;......;..?x...;..N....;..iY...;..s3...M..,B...M..,....O.......O...w...O..rr...........}..,j...}..-....... 5...=.. ....m..,....m..-8...t.. .......ay..(5..TT..+;...A..+;..B...+;..u...+O......+O..=a..1...a...D@.."...E@..&m..E@..G...F...J...H4...=..HY..`...H.......I...J...IC......J....-..J.......J.......LD......L....(..PS.....QR.."S..R...e...T.... ..U......X.......Zr...g..[`......\......]x......_......._......._...v...yg......1...C....E..E...............=.......Q........................s...$..a....[.......,.......y.......y...y..............G..........

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_da.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	181387
Entropy (8bit):	4.755193800761075
Encrypted:	false
SSDEEP:	3072:XzswP2UvZ5aZ9jFTkmq/gnBNW/+PcWrqm2Vliz0DGdaS4KSLZjwTTgwUR0toT:j3m27AjCT
MD5:	859CE522A233AF31ED8D32822DA7755B
SHA1:	70B19B2A6914DA7D629F577F8987553713CD5D3F
SHA-256:	7D1E5CA3310B54D104C19BF2ABD402B38E584E87039A70E153C4A9AF74B25C22
SHA-512:	F9FAA5A19C2FD99CCD03151B7BE5DDA613E9C69678C028CDF678ADB176C23C7DE9EB846CF915BC3CC67ABD5D62D9CD483A5F47A57D5E6BB2F2053563D62E1EF5
Malicious:	false
Preview:	<.d....!..`.......daB..4......h....+......@...f...A.......B.......C.......D...U...E.......F...v...G.......H.......I.......P.......Q.......R...6...S...Z...T...~...U.......V.......W..."...X...F...Y...j...]..+....s.......t..................-...;..+....;..,....;../....;..;....M..+....O.......O...r...........}..,............=...8...m..,0...t...c......T...(5..B...+;..NH..+;..~H..+O..,...1...UP..D@......E@......H4...E..HY..j...H.......IC...#..J....J..J.......J.......LD......L....1..PS...B..QR......R...o...T.......U.......X.......Zr......[`...W..\....}..]x...[.._....-.._.......yg...e..1...O....E..R....7..........-!......]............................$..k....[...7...,.......y...c...y.................j4...........9..l8...E..p............z...;..................%..a....D...~.............-.....L......OH.....Uz...5.......0.......0...U...0.......0..p....5...7...5..L$..............p... D..-... D..i...+....@..<U.....<U.....<....S..H5..-2..H5..j$..L....B..VE.. ...VE..P...V......f...e...f.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_de.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	220467
Entropy (8bit):	4.626295310482312
Encrypted:	false
SSDEEP:	3072:7w8go8+ph6JVB8XVXYWpSNEeg8+vaD+p4N8DDiEKugwGZulh15ce4M+4NsPYXCZW:88h8Sj286tTiDD
MD5:	40760A3456C9C8ABE6EA90336AF5DA01
SHA1:	B249AA1CBF8C2636CE57EB4932D53492E4CE36AC
SHA-256:	553C046835DB9ADEF15954FA9A576625366BA8BFD16637038C4BCD28E5EBACE1
SHA-512:	068E55F39B5250CC937E4B2BD627873132D201D351B9351BE703CD9B95D3BAFB4BD649CB4DF120A976D7C156DA679758D952CAC5E0523107244E517D323BC0C5
Malicious:	false
Preview:	<.d....!..`.......de_DEB..7....*.......+..3....@..R....A..R....B..S....C..S@...D..S....E..T]...F..T....G..T....H..T....I..U#...P..W....Q..W6...R..W....S..W....T..W....U..W....V..XG...W..Xk...X..X....Y..X....]..2%...s..J$...t..9R......J.......B....;..1....;..3....;..q....;.......M..2O...O.......O..X@......ia...}..2y......Q....=..Q....m..2....t..Q...........(5......+;..ev..+;......+O..oh..1....4..D@..R...E@..WZ..H4..4...HY...[..H...AY..IC..>o..J...>...J.......J...>6..LD..@A..L...@...PS..I...QR..#...R....h..T...W...U...Xh..U....~..X...]...Zr..e(..[`..)...\...j...]x..O..._....K.._...lI..yg...U..1...f....E..i....7..........o.......wG......6.......6.......8....$...n...[..8....,..9....y.......y..=................3......>....9.......E..."......?_...z..#d.......0......A%...%..z....D..A.......B......KP......2.............^...5..B....0.......0..p....0..F....0...}...5..G....5..........H........... D..3}.. D...O..+...Q...<?..Ti..<U......<U..T...<...U)..H5..3...H5......L...X...VE..%j..V...l..

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_en.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	16
Entropy (8bit):	4.0
Encrypted:	false
SSDEEP:	3:j2wZC4n:CwZ
MD5:	BCEBCF42735C6849BDECBB77451021DD
SHA1:	4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
SHA-256:	9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
SHA-512:	F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
Malicious:	false
Preview:	<.d....!..`...

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_es.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	165170
Entropy (8bit):	4.679910767547088
Encrypted:	false
SSDEEP:	1536:JVwzuvb+Ta64KQd84arHX5pxiVhA8QlOD/BnFNa8NsvsfFsfcoZtIx6F:JVwSTG4KqVaLX5pEVK7OJFczstgRtIx8
MD5:	C7C58A6D683797BFDD3EF676A37E2A40
SHA1:	809E580CDBF2FFDA10C77F8BE9BAC081978C102B
SHA-256:	4FFDA56BA3BB5414AB0482D1DDE64A6F226E3488F6B7F3F11A150E01F53FA4C8
SHA-512:	C5AED1A1AA13B8E794C83739B7FDDEAFD96785655C287993469F39607C8B9B0D2D8D222ECD1C13CF8445E623B195192F64DE373A8FB6FE43743BAF50E153CDA5
Malicious:	false
Preview:	<.d....!..`.......es_ESB../......,...+...y...@.......A.......B.......C.......D...v...E...=...F.......G.......H.......I.......P.......Q... ...R...k...S.......T.......U.......V...1...W...U...X...y...Y.......]..+....s.......t...................c...;..+....;..,....;...%...;..#....;..-....M..+....O.......O...............}..,............=...]...m..,/...t..........A...(5..3...+;..<...+;..o...+O..!b..1...Ap..D@......E@...D..H4...-..HY..[F..H.......IC...%..J....L..J.......J.......LD......L....O..PS......QR..!...R...`K..T.......U....&..X.......Zr.....[`...h..\......]x...\|.._....Y.._....A..yg......1...=....E..?a......!.......K........G...............R...$..\Q...[.......,...z...y.......y..................+............9..\....E..2............z.. ....................%..ON...D........................:......=B.....A....5...7...0.......0......0.."....0...,...0..3....5...}...5...Y..............a... D..-!.. D..Z6..+....0..<U...h..<U......<.......H5..-M..H5..Z...L.......VE.."...VE..>...V......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_fi.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	179941
Entropy (8bit):	4.720938209922096
Encrypted:	false
SSDEEP:	3072:lvdTgO2Yl97ZWnbgTLt/Tf9IlqAeiy5uWkYGM0wNCdRjSK2YUlUs:lvdkA9vh5uWkY0MK2YXs
MD5:	8472CF0BF6C659177AD45AA9E3A3247C
SHA1:	7B5313CDA126BB7863001499FB66FB1B56C255FC
SHA-256:	E47FE13713E184D07FA4495DDE0C589B0E8F562E91574A3558A9363443A4FA72
SHA-512:	DE36A1F033BD7A4D6475681EDC93CC7B0B5DCB6A7051831F2EE6F397C971B843E1C10B66C4FB2EFF2A23DC07433E80FBF7B95E62C5B93E121AB5AD88354D9CB8
Malicious:	false
Preview:	<.d....!..`.......fiB..38.....ct...+......@.......A.......B.......C...@...D.......E...]...F.......G.......H.......I...#...P.......Q...6...R.......S.......T.......U.......V...G...W...k...X.......Y.......]......s...T...t.......................;......;..+....;..&....;..3....M..+!...O.......O...e...........}..+K...........=.......m..+w...t..........J...(5..9...+;..:y..+;..mW..+O..$...1...KY..D@......E@...Z..H4...l..HY..X&..H.......IC......J.......J...."..J......LD.....L.......PS...'..QR.. L..R...]...T.......U.......X.......Zr......[`......\.......]x......_....k.._....>..yg.. /..1...;....E..>....7..{(......%.......J........T.......&.......U...$..Y[...[......,...s...y.......y...a.......}......d...........9..Y....E..k'...........z...........V..........%..M....D...Q.......{......d.....A......E......K....5.......0.......0..&J...0.......0..k....5......5..I9.............._:.. D..,O.. D..W...+....9..<U...G..<U...*..<.......H5..,y..H5..W...H5......L....5..VE..!u..VE..E...V..."{..f.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_fr.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	166167
Entropy (8bit):	4.685212271435657
Encrypted:	false
SSDEEP:	1536:CLZ1w8McowCppcPwL5pYFw+G00QsbLckCiWxvq+sjs06oFm:C91wxcowspc4L5pUw+cz39CiQ7tloFm
MD5:	1F41FF5D3A781908A481C07B35998729
SHA1:	ECF3B3156FFE14569ECDF805CF3BE12F29681261
SHA-256:	EDB32A933CEF376A2636634E14E2977CED6284E4AA9A4AC7E2292F9CA54C384A
SHA-512:	A492E8AC88095A38A13549C18C68E1F61C7054AB9362C2B04C65B93E48E4A07941C8DA6950BAE79041094623E0ED330CA975110FDE8248B4D9380B9F729AD891
Malicious:	false
Preview:	<.d....!..`.......fr_FRB../....*..-....+.......@.......A.......B.......C...?...D.......E...\...F.......G.......H.......I..."...P.......Q...5...R.......S.......T.......U.......V...F...W...j...X.......Y.......]..+....s...=...t.......................;..+....;..,....;.......;..$b...;.......M..,....O.......O...5...........}..,3...........=.......m..,]...t..........A...(5..5j..+;..<T..+;..o...+O.."+..1...B\..D@......E@...Y..H4...8..HY..[{..H.......IC......J.......J.......J.......LD...\|..L.......PS...?..QR..!...R...`j..T.......U....[..X.......Zr.....[`...)..\......]x......_....7.._.......yg...i..1...=Q...E..?@......"Y......K............................$..\....[...^...,...'...y.......y...+.......o....../c.......Y...9..\....E..6(...........z..!................j...%..OC...D...+.......[......a.....;......>......B....5.......0.......0...m...0..#....0.......0..6....5.......5..................a... D..-Y.. D..Ze..+....]..<U...;..<U......<.......H5..-...H5..Z...L.......VE.."...VE..?...V......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_gd.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	189580
Entropy (8bit):	4.630160941635514
Encrypted:	false
SSDEEP:	1536:SiaI3C87jhakhR0VGkw7ys7CskUH6y4e6IFB4xyMuhvDnJGhFaCo527arBbm07LZ:S2yGjh17yGqxTXhvQoejJd8FUjVgk
MD5:	EB1FB93B0BE51C2AD78FC7BA2F8B9F42
SHA1:	24F7FF809E2F11C579CD388FEA5A4C552FF8D4D0
SHA-256:	63B439DD44139AA3AED54C2EBE03FA9BC77F22C14ED8FBA8EFF2608445BB233D
SHA-512:	E13770AEF33B6666ED7D54E03EE20CA291D4167D673BA6C61D8E64CDD5F7FFE0A9521B95AF67BE719BF263932ECF16E2B2D0B5F3404F9BCD7879114FCC6FC474
Malicious:	false
Preview:	<.d....!..`.......gd_GBB..2....*...u...+......@.......A...B...B.......C.......D.. ....E.. ....F..!&...G..!J...H..!n...I..!....P..#m...Q..#....R..#....S..$....T..$$...U..$H...V..$....W..$....X..$....Y..%....]../....s...'...t...................F...;.......;../....;..=V...;..G....M../G...O.......O...k......$....}../o.......i...=.......m../....t..........[...(5..M...+;..@...+;..x...+O..:...1...\7..D@...f..E@..#...H4...p..HY..be..H.......IC......J.......J....R..J.......LD......L.......PS......QR..#l..R...g...T.......U.......X....\..Zr......[`......\...&...]x......_....C.._...'t..yg..?...1...BM...E..D.......;.......R'.......t.......@.......?...$..c....[......,...i...y.......y...Y.......f.......+...........9..c....E...............z.."....................%..U....D..................G.....UB.....W......\]...5.......0.......0..<....0...;...0.......5.......5..ij..............h... D..0... D..aC..+....K..<U.....<U...~..<.......H5..0...H5..a...L....1..VE..$...VE..X...V...8\|..f...Z...f...=..

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_he.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	138690
Entropy (8bit):	5.515748942553918
Encrypted:	false
SSDEEP:	3072:XSue8Z7T3iJsqBejt/zNHSLzdetY2ZISfC/S:XSueK3w7Ijt8zUtYAISfC/S
MD5:	DEAF87D45EE87794AB2DC821F250A87A
SHA1:	DB39C6BAA443AA9BB208043EF7FB7E3403C12D90
SHA-256:	E1EBCA16AFE8994356F81CA007FBDB9DDF865842010FE908923D873B687CAD3F
SHA-512:	276FCE81249EFFE19E95607C39F9ACB3A4AFA3F90745DA21B737A03FEA956B079BCA958039978223FD03F75AC270EC16E46095D0C6DDA327366C948EC2D05B9C
Malicious:	false
Preview:	<.d....!..`.......he_ILB../....*......+..Sw...@......A......B.......C.......D...X...E.......F.../...G...O...H...o...I......P.......Q.......R...I...S...i...T......U......V.......W.......X.../...Y...O...]..$....s......t..X:.......4......`Y...;..$....;..%....;.......;...5...;.......M..$....O...6...O..s............}..%-...........=...m...m..%k...t..........^..(5......+;..2...+;..^...+O...N..1.......D@......E@...(..H4..T...HY..L...H..._...IC..\...J...\...J.......J...\j..LD..^...L...^o..PS..fl..QR......R...Q...T...su..U...s...X...x3..Zr..~...[`..L\..\.......]x....._......._....o..yg...(..1...3....E..5C.......z......?V......U.......U.......W....$..M....[..W....,..X....y.......y..\........a..............\@...9..NO...E...?......]s...z...G.......(......^....%..B^...D.._......._.................... ..........5..`/...0.......0...L...0......0..d(...0......5..ek...5..........fB......R... D..&O.. D..K...+...l...<U......<U..p)..<...p...H5..&w..H5..La..L...s...VE......VE......V.....

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_hu.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	160494
Entropy (8bit):	4.831791320613137
Encrypted:	false
SSDEEP:	3072:BmOMZadV9n51xXeQvjOiIzz7/Vs9Db3ihuJNvMfWxBNlYzYbTrIkfwb03l24cNKu:HkWa5pg0MahBHDd
MD5:	E9D302A698B9272BDA41D6DE1D8313FB
SHA1:	BBF35C04177CF290B43F7D2533BE44A15D929D02
SHA-256:	C61B67BB9D1E84F0AB0792B6518FE055414A68E44D0C7BC7C862773800FA8299
SHA-512:	12947B306874CF93ABA64BB46FAC48179C2D055E770D41AF32E50FFFB9F0C092F583AFCEA8B53FE9E238EF9370E9FFFBEB581270DFA1A7CB74EBE54D9BFF459F
Malicious:	false
Preview:	<.d....!..`.......hu_HUB../...........+.......@.......A...0...B...{...C.......D.......E.......F.......G...<...H...`...I.......P...s...Q.......R.......S.......T......U...N...V.......W.......X.......Y.......]..+y...s.......t.......................;..+Q...;..,U...;.......;.......;..&....M..+....O.......O...U..........}..+............=.......m..+....t..........9c..(5..,...+;..;...+;..m7..+O......1...9...D@...T..E@......H4...v..HY..Y...H.......IC......J.......J.......J.......LD......L.......PS...}..QR..!...R...]...T.......U....{..X.......Zr...=..[`......\......]x...-.._......._......yg...M..1...<....E..>...............J........T.......(.......S...$..Z....[.......,...u...y.......y...[...............#...........9..Z....E..#&...........z..!'...................%..Mv...D..._....................32.....5......9....5.......0...h...0...E...0.......0.......0..#....5...Z...5...........G......_2.. D..,... D..W...+....W..<U......<U...B..<.......H5..,...H5..X{..L....)..VE.."...VE..6l..V.....

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_it.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	161172
Entropy (8bit):	4.680034416311688
Encrypted:	false
SSDEEP:	1536:eSfxfdO4BKJb0td5pqCOIUP/PFIM7gxGQ9sRrFM6QJ4m8ihkM:eSfxFO4BKJb0td5pnOrvCqg9mRK4IkM
MD5:	88D040696DE3D068F91E0BF000A9EC3E
SHA1:	F978B265E50D14FDDE9693EC96E99B636997B74D
SHA-256:	7C7DC8B45BF4E41FEC60021AB13D9C7655BE007B8123DB8D7537A119EB64A366
SHA-512:	F042637B61C49C91043D73B113545C383BD8D9766FD4ACC21675B4FF727652D50863E72EA811553CB26DF689F692530184A6CE8FE71F9250B5A55662AFE7D923
Malicious:	false
Preview:	<.d....!..`.......it_ITB../....*.......+.......@.......A..."...B...m...C.......D.......E.......F.......G...0...H...T...I...x...P...q...Q.......R.......S.......T...(...U...L...V.......W.......X.......Y.......]..+....s...'...t...................^...;..+[...;..,g...;.......;.......;..!B...M..+....O...D...O...........(...}..+........I...=.......m..,....t..........4...(5..'...+;..<...+;..oV..+O......1...5...D@...F..E@......H4...J..HY..Z...H.......IC...L..J....s..J....j..J.......LD......L....f..PS......QR..!...R..._...T.......U....3..X.......Zr......[`...Q..\.......]x......_......._....0..yg...C..1...=....E..?o..............Kf.......h.......8.......I...$..[....[.......,...m...y...9...y...........z.......z...........9..\=...E..$u.......:...z.. k...................%..N....D..................M............0......5/...5...2...0.......0...0...0...A...0...)...0..$....5.......5...J.......a......a... D..,... D..Y...+.......<U......<U......<....v..H5..-...H5..Z...L.......VE.."c..VE..1...V....X.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_ja.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	129911
Entropy (8bit):	5.802855391832282
Encrypted:	false
SSDEEP:	1536:W8YYSCjKBJ26c1Z7f25pVmuLXpxfqt7FEUWNrfQje9kWI23pKXvx:xYuKBJ01Z7u5pQuLbESUWNzAAI23pKfx
MD5:	608B80932119D86503CDDCB1CA7F98BA
SHA1:	7F440399ABA23120F40F6F4FCAE966D621A1CC67
SHA-256:	CBA382ACC44D3680D400F2C625DE93D0C4BD72A90102769EDFD1FE91CB9B617B
SHA-512:	424618011A7C06748AADFC2295109D2D916289C81B01C669DA4991499B207B781604A03259C546739A3A6CF2F8F6DFA753B23406B2E2812F5407AEE343B5CBDD
Malicious:	false
Preview:	<.d....!..`.......jaB../....*...'...+..=....@.......A.......B...?...C...c...D......E......F.......G.......H..."...I...F...P.......Q...'...R...r...S......T......U.......V...8...W...\...X......Y......].."k...s...Q...t..A...............I....;.."C...;..#A...;.......;.......;.......M.."....O...B...O..[?......h....}.."........m...=.......m.."....t...........M..(5......+;......+;..WU..+O......1.......D@......E@...K..H4..>=..HY..F...H...Hr..IC..E...J...F...J.......J...E...LD..Gz..L...G...PS..O...QR......R...K!..T...Z...U...[e..X..._f..Zr..e...[`..7...\...i...]x...'.._......._...j...yg..~+..1.../....E..1?.......#......:.......?.......?n......A....$..G....[..Ap...,..B....y.......y..Ew......\|...............E....9..H....E..........F....z...]..............HL...%..=R...D..H.......I!......[......J......M..........5..It...0...3...0.......0...C...0..M....0...a...5..N....5..........N.......L6.. D..#... D..E...+...U%..<U......<U..X ..<...X...H5..#...H5..FK..L...[...VE......VE......V......f.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_ko.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	156799
Entropy (8bit):	5.859529082176036
Encrypted:	false
SSDEEP:	1536:rvTy18hhPekHs1iNXVExWbStnn8TExgkYOvYejZOvXx4Mmf0MwUL8smk/pDZyy:y18hJ61nMStnn8TOgknQRLWZmkxNyy
MD5:	082E361CBAC2E3A0849F87B76EF6E121
SHA1:	F10E882762DCD2E60041BDD6CC57598FC3DF4343
SHA-256:	0179ED1B136E1CB3F583351EAA2C545BA3D83A6EE3F82C32505926A1A5F5F183
SHA-512:	F378A42116924E30FA0B8FFF1D3C3CB185DC35B2746DCE2818BE7C2AA95C5DE103DF44AAC74DA969C36C557F1D4DE42AC7647EC41066247F8AD2697BDED667EA
Malicious:	false
Preview:	<.d....!..`.......koB..7...........+.......@...K...A...o...B......C.......D...8...E.......F...U...G...y...H......I.......P......Q.......R.......S...C...T...g...U.......V.......W.......X...-...Y...Q...]..$....s...>...t...................y...;..${...;..%....;...u...;...l...M..$....O.......O...8...........}..$............=...C...m..%!...t...n..........(5...a..+;..E@..+;..l\|..+O......1.......D@.....E@......H4......HY..\...H....]..IC......J.......J....8..J.......LD...a..L.......PS......QR......R...`...T.......U....^..U.......X....y..Zr......[`..y...\....A..]x......_......._....o..yg......1...FJ...E..HE...7..................Q........a.......5...........$..]....[...;...,.......y.......y...V...............!.......\|...9..]....E...R...........z...4.......f.......5...%..Te...D..................D......^................5...S...0.......0.......0.......0.......5.......5...........n......a... D..%... D..[...+.......<?......<U...;..<U...+..<.......H5..&...H5..\...L.......VE......V....A..f.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_lv.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	153608
Entropy (8bit):	4.843805801051326
Encrypted:	false
SSDEEP:	3072:y5pmbKIhooMbGe91MrjOhmGzP6LJbWz5XIxELpU6:yObeqrjPGzeJyJLy6
MD5:	BD8BDC7BBDB7A80C56DCB61B1108961D
SHA1:	9538C4D8BB9A95C0D9DC57C7708A99DD53A32D1F
SHA-256:	846E047573AE40C83671C3BA7F73E27EFC24B98C82701DA0DF9973E574178BB2
SHA-512:	F040EC410EBFEA21145F944E71ADCAE8E5F60907D1D3716A937A9A59A48F70C6B7EAAC91C2C554F59357A7BC820CDBD17C73A4DECC20B51F68EB79EDD35C5554
Malicious:	false
Preview:	<.d....!..`.......lv_LVB..........B...+..y....@.......A...=...B......C......D.......E.......F...#...G...G...H...k...I.......P...~...Q......R.......S.......T...5...U...Y...V......W.......X.......Y.......]..%....s.......t...8.......n.......A...;..&....;.......;...!...;...A...;../....M..%....O.......O...............}..%...........=.......m..&....t...(......(g..(5...+..+;..4...+;..d...+O......1...(...D@...a..E@......H4..z...HY..Q...H.......IC......J....6..J.......J.......LD......L....9..PS......QR......R...U...T....S..U.......X...._..Zr......[`..r...\.......]x....._......._....{..yg......1...5v...E..7........(......B.......\|.......\|W......~r...$..R....[..~....,.......y...l...y...............................9..S....E...g...........z...z...................%..F....D........................"Z.....$......)....5.......0...\...0.......0...r...0.......0.......5...a...5..........J......V... D..&... D..P...+.......<U......<U......<.......H5..'"..H5..P...L....~..VE...R..VE..%...V......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_pl.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	162982
Entropy (8bit):	4.841899887077422
Encrypted:	false
SSDEEP:	1536:sXpestp/YIFtDT8FIWYbIJmPYuIpnmxAk6mwyJNqSm9+P:sxpTDT8FIWfJmdCmxApmbnqSm9+P
MD5:	F9475A909A0BAF4B6B7A1937D58293C3
SHA1:	76B97225A11DD1F77CAC6EF144812F91BD8734BD
SHA-256:	CE99032A3B0BF8ABAD758895CC22837088EAD99FD2D2514E2D180693081CFE57
SHA-512:	8A4F1B802B6B81FF25C44251FB4A880E93E9A5FE25E36825A24BFE0EFB34E764E7E1EE585D3A56554964B7921E7813C67F12D200D6E0C5EAF4BB76B064B5C890
Malicious:	false
Preview:	<.d....!..`.......pl_PLB..0......"....+.......@...F...A...j...B......C.......D...3...E.......F...P...G...t...H.......I.......P.......Q.......R.......S...>...T...b...U.......V.......W.......X...(...Y...L...]......s.......t...r.......o.......+...;......;..+....;..."...;... ...M......O...6...O...........a...}..+...........=.......m..+G...t...G......,...(5......+;..:...+;..k...+O......1...-[..D@.....E@......H4...U..HY..WU..H.......IC......J....6..J.......J.......LD......L....%..PS......QR.. ...R...[...T....1..U.......X......Zr......[`......\.......]x...A.._......._....}..yg......1...;W...E..=........%......H....................$..Xp...[.......,.......y...i...y...........}......$R...........9..X....E..+)...........z.. E...................%..K....D...p....................&......(......-....5.......0.......0...e...0.......0..+....5...]...5...........f......]-.. D..,%.. D..V?..+....V..<U......<U......<....-..H5..,M..H5..V...L....Z..VE..!...VE..)...V.......f...P...f....K..f......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_ru.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	203767
Entropy (8bit):	5.362551648909705
Encrypted:	false
SSDEEP:	1536:hn4dEJ63pdhPpy6gu5fs4MHQv6sLlxnrncF423ZL9xyuXwdcX8LZuf76CW+WeXFx:aN3pdV5fZbpItXsttRY+WSq
MD5:	5096AD2743BF89A334FBA6A2964300D4
SHA1:	405F45361A537C7923C240D51B0FF1C46621C203
SHA-256:	3DA6605668F9178D11A838C4515478084DCFB4F9CF22F99D7A92B492DB9C224B
SHA-512:	7B88B501792B5831426BAA669138192ED94CC3F8323A3DF9D5287655DC4D877706908C517AB7523AE8A283BF50B47123F13B8AE40EA2F3081C3459EDC47FC8DD
Malicious:	false
Preview:	<.d....!..`.......ru_RUB..7.......L...+...W...@..,....A..,....B..-1...C..-U...D..-....E...r...F.......G.......H../....I../8...P..1'...Q..1K...R..1....S..1....T..1....U..2....V..2\...W..2....X..2....Y..2....].......s..$c...t...'......%........r...;..-....;.......;..J....;..V....M...C...O.......O..&.......8....}...m......+3...=..+....m.......t..+.......p...(5..]@..+;..[0..+;......+O..H...1...qM..D@..-...E@..1o..H4...p..HY..xm..H......IC...@..J....g..J.......J.......LD......L....p..PS......QR..!...R...}...T...&...U...'...U...ki..X...+...Zr..3...[`......\...:...]x..)..._......._...;...yg..S...1...\....E..__...7.........H.......k................j.......U...$..y....[.......,.......y...k...y...............................9..y....E...O...........z..!*...................%..nW...D.................%w.....g......j~.....qw...5...H...0.......0..I....0..._...0......5.......5..................~... D../k.. D..wa..+....?..<?.."t..<U......<U.."...<...#z..H5../...H5..w...L...&...VE.."...V...F$.

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_sk.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	125763
Entropy (8bit):	4.80343609423322
Encrypted:	false
SSDEEP:	3072:roXDuC1u/2lUBGjJirE5tsd/aev1GIfOdvhw:OucMGjH5tbm
MD5:	3D60E50DCBCBD70EE699BC9B1524FCB9
SHA1:	0211B4911B5B74CC1A46C0FCA87D3BF5632AA44A
SHA-256:	D586AE2C314074CF398417FDECB40709D5478DFEB0A67C2FE60D509EE9B59ED7
SHA-512:	F98211867F1DBCB8A342C00E23FA5718BE6E999F7449CB8470B41BF0F527C7F78CC4D6666E28968F32E96026907156753979BFADA7E6BF4225D02A902D24906D
Malicious:	false
Preview:	<.d....!..`.......sk_SKB..$x...*.......+..>....@......A......B.......C.......D...3...E...Z...F......G......H.......I.......P.......Q...D...R.......S......T.......U.......V...1...W...X...X.......Y......]...Y...t..D-......K....;...3...;.......;.......;......;...V...M.......O.._ ......l....}.......m...........T..(5...(..+;......+;..%...+O......1......E@...k..F.......H4..?I..HY..@7..H...J...I....,..IC..HT..J...H{..J...H...LD..J"..L...Jv..PS..Q...R...D...Zr..i]..[`..7...\...nB.._...o...1...&....E..(........B......19......A.......A....$..AF...[..C....,..D....y..G.......v........g......G....9..A....E..........IH...%..4.......Kf..............................5..K....0...,...0.......0.......0..Of...0.......5..P....5..........E... D...C.. D..?'..+...Y`..<U......<U..\...<...]...H5...m..H5..?...L...^...VE......f.......f...8...g.......l...aP.......................6......d....D..f(...`..f...............?....`..h5...y..H....5..j........E...e.......e..@....... ......>......oZ......l..

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_tr.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	194487
Entropy (8bit):	4.877239354585035
Encrypted:	false
SSDEEP:	3072:yRRhAFCvqDBitD/iDG9AOH+l4TcwZBPqHo9fd9CFRK+2IKAimxsjucV2p0ZqvRu7:yRRHs5mksWVX3lA3
MD5:	6CBC5D8E1EABEC96C281065ECC51E35E
SHA1:	4E1E6BA3772428227CB033747006B4887E5D9AD1
SHA-256:	6A0BF6E70E7920C2B193E76E92F78F315936955D3B06AC039D917F2E06C43281
SHA-512:	CE1F9EE180176153D5F523D71E0DB06F4DEA65C24E5E2CD56341CFAEE349A8E9A0F606D99F7219A35DD4516D1528C90AEA4BB87548A55392B8F2B36164D478B1
Malicious:	false
Preview:	<.d....!..`.......tr_TRB..7....*.......+...-...@.......A.......B.......C...%...D.......E...F...F.......G.......H.......I.......P.. ....Q.. ....R..!D...S..!h...T..!....U..!....V.."....W.."0...X.."T...Y.."x...]..,g...s.../...t......................;..,9...;..-I...;..9@...;..E....M..,....O.......O...G...........}..,............=...\...m..,....t.........._3..(5..LJ..+;..Wt..+;...\..+O..7...1..._...D@......E@..!...H4...@..HY..t...H....2..IC...r..J......J....D..J....K..LD...$..L....x..PS......QR..!...R...x...T.......U....q..U...Y...X...."..Zr...%..[`......\....:..]x......_......._.......yg..6...1...X....E..[....7...Z......7Q......f............................$..u....[...:...,...5...y.......y...........7...............!...9..u....E...........P...z.. ........p...........%..j....D..................A.....U......Y......_....5...V...0.......0..8....0...U...0.......5.......5..~b..............z+.. D..-... D..s...+.......<?...8..<U...s..<U...p..<.......H5..-...H5..s...L.......VE.."0..V...4..

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_uk.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	158274
Entropy (8bit):	5.402056706327934
Encrypted:	false
SSDEEP:	1536:jXwjFVUDdMUD4TzdAhpQgO5poZHvJllEnhmdK4I77/dnPJX/imfb1jhvv3BxT8ue:jBzD4Tzaw5pCvJ8hVPdlvj3p8
MD5:	D6234E4E21021102B021744D5FA22346
SHA1:	63A14327D0CF0941D6D6B58BFA7E8B10337F557B
SHA-256:	51B8FF55B37DC5907D637A8DDDA12FBE816852B0244C74EB4F0FB84867A786E0
SHA-512:	37D24A092C5F29BACB7A4CA8207C4EEFD0F073B7E74A492402867F758084091BF1D79D2BA2B4A28B35FEF42E8023C371FDE97578F74BB2033551154E77102DE6
Malicious:	false
Preview:	<.d....!..`.......uk_UAB../.......E...+...l...@.......A.......B...G...C...k...D.......E.......F.......G.......H......I...N...P...=...Q...a...R.......S.......T.......U.......V...r...W.......X.......Y.......]..y...s.......t...........;.......n...;..Q...;..+U...;.......;...x...;..!(...M......O.......O...........6...}..........E...=.......m..*....t..........3...(5..&...+;..:...+;..k0..+O...A..1...4-..D@... ..E@......H4...8..HY..W...H....2..IC...V..J....}..J.......J....%..LD...&..L....z..PS......QR.. ...R...\...T....(..U.......X.......Zr......[`..~...\.......]x......_......._....4..yg...c..1...;....E..=w.......m......I............................$..X....[...<...,.......y.......y...........M...................9..Y....E...F.......D...z.. ........P...........%..LB...D.......................-n...../......4W...5...F...0...p...0...W...0.......0...k...0.......5.......5..................^... D..+... D..V...+.......<U.../..<U......<....>..H5..+...H5..V...L....S..VE..!...VE..0...V......

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\translations\qtbase_zh_TW.qm

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Qt Translation file
Category:	dropped
Size (bytes):	127849
Entropy (8bit):	5.83455389078597
Encrypted:	false
SSDEEP:	3072:Fv2cHP10gOs6dcFxsJopMqOWv2WIrPFP8pa:Fh6s6iFxEodjef8pa
MD5:	9C6A3721D01ECAF3F952CE96F46CE046
SHA1:	4A944E9E31DF778F7012D8E4A66497583BFD2118
SHA-256:	085D29EAF9BBB788B2F2503D74A1EF963A9411CEB600441254CE49A120E1AB63
SHA-512:	6E2807B8785F42A26C9CCBDBA0327DD40B529B10C468593F0E74113774D1CCDAA4FD9ACE9B259B9040E1475911428ECAEA49425B0F170862CF8147D23DB48E46
Malicious:	false
Preview:	<.d....!..`.......zh_TWB..2x..........+..)....@.......A.......B...j...C......D.......E......F.......G...)...H...M...I...q...P...%...Q...I...R......S......T.......U.......V...Z...W...~...X......Y.......]..!....s.......t..-...............4....;..!z...;.."\|...;.......;.......M..!....O.......O..Ay......N)...}..!............=.......m.." ...t...(.........(5......+;..;...+;.._...+O......1.......D@...C..E@...m..H4..W..HY..Pm..H...3...IC..1...J...1...J.......J...1...LD..2...L...38..PS..6...QR...T..R...T...T...A...U...A...X...E...Zr..K...[`..$...\...OW..]x......_......._...P...yg..a^..1...<....E..>....7...>.......;......Fo......+.......+.......-L...$..QR...[..-....,...F...y.......y..1J...............6......1p...9..Q....E..........2....z...........<......3....%..H....D..4W......4}....................Z...... ...5..4....0...?...0...K...0..5....0...L...5..6....5..........6.......U... D.."... D..O...+...<%..<U......<U..>...<...?:..H5..#...H5..O...L...AS..VE...M..VE......V.......f...L..

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtCore.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2483712
Entropy (8bit):	6.241719144701645
Encrypted:	false
SSDEEP:	49152:ZYS8YHrNj4/7RsRLvYpiW3pCBU+Z7bJWvCSBYgbxGJ5M2GM/fXR1fUdihfSbCo6e:9bpj4/7RsRLvYpiW3pCBU+Z7bJWvCSBv
MD5:	678FA1496FFDEA3A530FA146DEDCDBCC
SHA1:	C80D8F1DE8AE06ECF5750C83D879D2DCC2D6A4F8
SHA-256:	D6E45FD8C3B3F93F52C4D1B6F9E3EE220454A73F80F65F3D70504BD55415EA37
SHA-512:	8D9E3FA49FB42F844D8DF241786EA9C0F55E546D373FF07E8C89AAC4F3027C62EC1BD0C9C639AFEABC034CC39E424B21DA55A1609C9F95397A66D5F0D834E88E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}.........../....td./..../...td./...td./...td./...n../...1../......P...c./....c./....c./...Rich...........................PE..d....p.f.........." ...(............+.......................................0&...........`.............................................L.....................#.$.............%.... t.......................t..(....r..@............@..(o...........................text...~(......................... ..`.rdata..x....@......................@..@.data...h...........................@....pdata..$.....#......n#.............@..@.reloc.......%......L%.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtGui.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2494976
Entropy (8bit):	6.232020603277999
Encrypted:	false
SSDEEP:	24576:SUjOoTFrwI8nc6EmRAQ9RzgpP2bXYUKuXeLQp5PjYq0zb:SUqCgnZXRAQ9RzggbozJLQp5Mq
MD5:	AE182C36F5839BADDC9DCB71192CFA7A
SHA1:	C9FA448981BA61343C7D7DECACAE300CAD416957
SHA-256:	A9408E3B15FF3030F0E9ACB3429000D253D3BB7206F750091A7130325F6D0D72
SHA-512:	8950244D828C5EDE5C3934CFE2EE229BE19CC00FBF0C4A7CCEBEC19E8641345EF5FD028511C5428E1E21CE5491A3F74FB0175B03DA17588DAEF918E3F66B206A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......... j..sj..sj..sc..sn..s.p.rh..s1..rh..s.p.ri..s.p.rb..s.p.r...s...rh..s..ro..sj..s...syw.ra..syw.rk..syw.rk..sRichj..s........PE..d....p.f.........." ...(.....................................................P&...........`.........................................`&..L....&................$...............%.....................................p...@...............@{...........................text...O........................... ..`.rdata..............................@..@.data...xz.......^...t..............@....pdata........$.......#.............@..@.reloc........%......^%.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtWidgets.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5144576
Entropy (8bit):	6.262739223310643
Encrypted:	false
SSDEEP:	49152:Qi+reIG7QwktsFPKoe2yicbbqgkcY9abW7KnTYK2bjMkTDGM7y:uqT7Q1kyTvoWW7EYvM9M
MD5:	E8C3BFBC19378E541F5F569E2023B7AA
SHA1:	ACA007030C1CEE45CBC692ADCB8BCB29665792BA
SHA-256:	A1E97A2AB434C6AE5E56491C60172E59CDCCE42960734E8BDF5D851B79361071
SHA-512:	9134C2EAD00C2D19DEC499E60F91E978858766744965EAD655D2349FF92834AB267AC8026038E576A7E207D3BBD4A87CD5F2E2846A703C7F481A406130530EB0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................=....1M............1M.....1M.....1M.....+......t.............J......J......J.....Rich...........................PE..d....p.f.........." ...(..,...!.....P.,.......................................N...........`..........................................><.T...D?<...............H..z...........pM..O..Pa8..............................`8.@.............,..............................text.....,.......,................. ..`.rdata........,.......,.............@..@.data... :....A.......A.............@....pdata...z....H..\|....H.............@..@.reloc...O...pM..P...0M.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\sip.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120320
Entropy (8bit):	6.034057886020456
Encrypted:	false
SSDEEP:	1536:pPd5NTdYgpmMrZhekwFH4PqgZNBQmT6V6WRFYE9Icx7pz4H5B:NhTdtmMdEkwuFTSvYE9Iczz4H5
MD5:	4F7F9E3A9466F4C0103FB04E1987E098
SHA1:	D4A339702E936AA5ECC1FE906AE2BA3BB0E481D7
SHA-256:	EBF27146466D61411493D2E243EAC691740F9C4B7A4B9AB0D408BE45B5E0AA35
SHA-512:	920BA8D58DCA7946341C1CC01FEA0B76CCE008F1D10061F84455A3DE9BA00FD9534F40C983486211BE92B85F786CD610C386529711A6F573A02BFAF8CA543A19
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........kSR...R...R...[...Z....X..P.......P....X..Q....X..Z....X.._....^..Q...R.......G_..[...G_..S...G_..S...G_..S...RichR...........PE..d.... g.........." ...(.H...........J.......................................0............`.............................................X...h................................ ..........................................@............`...............................text...(G.......H.................. ..`.rdata..lU...`...V...L..............@..@.data.... ..........................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\VCRUNTIME140.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	120400
Entropy (8bit):	6.6017475353076716
Encrypted:	false
SSDEEP:	1536:N9TXF5LLXQLlNycKW+D4SdqJk6aN1ACuyxLiyazYaCVoecbdhgOwAd+zfZ1zu:N9jelDoD9uyxLizzFzecbdPwA87S
MD5:	862F820C3251E4CA6FC0AC00E4092239
SHA1:	EF96D84B253041B090C243594F90938E9A487A9A
SHA-256:	36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153
SHA-512:	2F8A0F11BCCC3A8CB99637DEEDA0158240DF0885A230F38BB7F21257C659F05646C6B61E993F87E0877F6BA06B347DDD1FC45D5C44BC4E309EF75ED882B82E4E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\=..\...\...\..S$...\...$...\...\..5\...\...\.....\.....\.....\.....\......\.....\..Rich.\..........PE..d.....x.........." ...).$...d............................................................`A........................................0u..4...d}..........................PP...........^..p............................\..@............@...............................text............................... ..`fothk........0...................... ..`.rdata...C...@...D...(..............@..@.data................l..............@....pdata...............p..............@..@_RDATA...............\|..............@..@.rsrc................~..............@..@.reloc..............................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\VCRUNTIME140_1.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	6.701724666218339
Encrypted:	false
SSDEEP:	768:ApzzO6ujT3MbR3v0Cz6SR8q83yaFdWr9zRcmgEl6U9zSC:9q/oGw3fFdwzRcmZFzSC
MD5:	68156F41AE9A04D89BB6625A5CD222D4
SHA1:	3BE29D5C53808186EBA3A024BE377EE6F267C983
SHA-256:	82A2F9AE1E6146AE3CB0F4BC5A62B7227E0384209D9B1AEF86BBCC105912F7CD
SHA-512:	F7BF8AD7CD8B450050310952C56F6A20B378A972C822CCC253EF3D7381B56FFB3CA6CE3323BEA9872674ED1C02017F78AB31E9EB9927FC6B3CBA957C247E5D57
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?.{...{...{...0...y.......y...r.H.p...{...H.......\|.......`.......~.......z.....$.z.......z...Rich{...........PE..d...l0.?.........." ...).<...8.......@...............................................b....`A........................................pm.......m..x....................r..PP......D....c..p...........................`b..@............P..`............................text....;.......<.................. ..`.rdata.."#...P...$...@..............@..@.data................d..............@....pdata...............f..............@..@.rsrc................l..............@..@.reloc..D............p..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\_bz2.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	84240
Entropy (8bit):	6.607563436050078
Encrypted:	false
SSDEEP:	1536:Kdrz7l1EVLsSuvX3dUK4MLgqK7YEog8y5sV8lIJLVy7SyFB:urzcuvXvrEo7y6V8lIJLVyB
MD5:	CB8C06C8FA9E61E4AC5F22EEBF7F1D00
SHA1:	D8E0DFC8127749947B09F17C8848166BAC659F0D
SHA-256:	FC3B481684B926350057E263622A2A5335B149A0498A8D65C4F37E39DD90B640
SHA-512:	E6DA642B7200BFB78F939F7D8148581259BAA9A5EDDA282C621D14BA88083A9B9BD3D17B701E9CDE77AD1133C39BD93FC9D955BB620546BB4FCF45C68F1EC7D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!m..!m..!m..(.o.+m..1...#m..1..."m..1...%m..1...)m..1...,m..i..."m..j...#m..!m..\|m..i...)m..i... m..i... m..i... m..Rich!m..........PE..d.....g.........." ...).....\......0........................................P......7[....`.............................................H...(........0....... .. ......../...@..........T...........................`...@...............x............................text............................... ..`.rdata...=.......>..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\_ctypes.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	131344
Entropy (8bit):	6.311142284249784
Encrypted:	false
SSDEEP:	3072:3RF024DWkT/DKGkXY402iXnVJf/FO50XnekZ39gPhvEQZIJyPArm:j0nHT/DKFXZorf/FO50uW3SEQt
MD5:	A55E57D7594303C89B5F7A1D1D6F2B67
SHA1:	904A9304A07716497CF3E4EAAFD82715874C94F1
SHA-256:	F63C6C7E71C342084D8F1A108786CA6975A52CEFEF8BE32CC2589E6E2FE060C8
SHA-512:	FFA61AD2A408A831B5D86B201814256C172E764C9C1DBE0BD81A2E204E9E8117C66F5DFA56BB7D74275D23154C0ED8E10D4AE8A0D0564434E9761D754F1997FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........h~..............q...............................................q.......q......!u.............................................Rich....................PE..d.....g.........." ...).............h....................................... .......Z....`.........................................P.................................../...........=..T............................;..@............0...............................text............................... ..`.rdata...y...0...z..................@..@.data....$....... ..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\_decimal.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	277776
Entropy (8bit):	6.5855511991551
Encrypted:	false
SSDEEP:	6144:x9iD78EIq4x4OA5bZZ0KDgQcI79qWM53pLW1AFR8E4wXw76TPlpV77777VMvyk:xwDGqr5b8EgQ5+w6k
MD5:	F3377F3DE29579140E2BBAEEFD334D4F
SHA1:	B3076C564DBDFD4CA1B7CC76F36448B0088E2341
SHA-256:	B715D1C18E9A9C1531F21C02003B4C6726742D1A2441A1893BC3D79D7BB50E91
SHA-512:	34D9591590BBA20613691A5287EF329E5927A58127CE399088B4D68A178E3AF67159A8FC55B4FCDCB08AE094753B20DEC2AC3F0B3011481E4ED6F37445CECDD5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j2U..\...\...\..s....\..]...\.._...\..X...\..Y...\...]...\..s]...\...].z.\..._...\...Q...\...\...\.......\...^...\.Rich..\.........................PE..d......g.........." ...).....Z...............................................P......W.....`.................................................L........0..........t+......./...@..........T...............................@............... ............................text.............................. ..`.rdata..\...........................@..@.data...8'......."..................@....pdata..t+.......,..................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\_hashlib.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64272
Entropy (8bit):	6.220967684620152
Encrypted:	false
SSDEEP:	768:eNJI0DWiflFwY9X3Th1JnptE462TxNvdbj4dIJvI75YiSyvE62Em:2LDxflFwY9XDhPfVNv+dIJvIF7Syc6c
MD5:	32D76C9ABD65A5D2671AEEDE189BC290
SHA1:	0D4440C9652B92B40BB92C20F3474F14E34F8D62
SHA-256:	838D5C8B7C3212C8429BAF612623ABBBC20A9023EEC41E34E5461B76A285B86C
SHA-512:	49DC391F4E63F4FF7D65D6FD837332745CC114A334FD61A7B6AA6F710B235339964B855422233FAC4510CCB9A6959896EFE880AB24A56261F78B2A0FD5860CD9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W.A.6...6...6...N%..6.......6.......6.......6.......6.......6...N...6.......6...6..26.......6.......6....I..6.......6..Rich.6..........PE..d......g.........." ...).P...~.......=..............................................!.....`.........................................p...P................................/......X....l..T............................k..@............`...............................text....N.......P.................. ..`.rdata...M...`...N...T..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\_lzma.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	157968
Entropy (8bit):	6.854644275249963
Encrypted:	false
SSDEEP:	3072:KbbS4R/G4Z8r7NjwJTSUqCRY4By7znfB9mNowgn0lCelIJ012+j:KbR/8oWeBi5YOwflCe8o
MD5:	1BA022D42024A655CF289544AE461FB8
SHA1:	9772A31083223ECF66751FF3851D2E3303A0764C
SHA-256:	D080EABD015A3569813A220FD4EA74DFF34ED2A8519A10473EB37E22B1118A06
SHA-512:	2B888A2D7467E29968C6BB65AF40D4B5E80722FFDDA760AD74C912F3A2F315D402F3C099FDE82F00F41DE6C9FAAEDB23A643337EB8821E594C567506E3464C62
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V.,.V.,.V.,...,.V.,..-.V.,..-.V.,..-.V.,..-.V.,..-.V.,...-.V.,.V.,.V.,..-.V.,..-.V.,..u,.V.,..-.V.,Rich.V.,................PE..d......g.........." ...).`...........1.......................................p.......P....`.............................................L.......x....P.......0.......:.../...`..4....\|..T...........................P{..@............p...............................text...^^.......`.................. ..`.rdata.......p.......d..............@..@.data........ ......................@....pdata.......0......................@..@.rsrc........P......................@..@.reloc..4....`.......8..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\_queue.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	33552
Entropy (8bit):	6.446391764486538
Encrypted:	false
SSDEEP:	384:7GpPCRjqMu/AoS6rf7sif0NHQibZIJ9UoOHQIYiSy1pCQ5xX1rSJIVE8E9VF0Nyf:fkTM6rg9aeZIJ9Uok5YiSyvTo2Et
MD5:	1C03CAA59B5E4A7FB9B998D8C1DA165A
SHA1:	8A318F80A705C64076E22913C2206D9247D30CD7
SHA-256:	B9CF502DADCB124F693BF69ECD7077971E37174104DBDA563022D74961A67E1E
SHA-512:	783ECDA7A155DFC96A718D5A130FB901BBECBED05537434E779135CBA88233DD990D86ECA2F55A852C9BFB975074F7C44D8A3E4558D7C2060F411CE30B6A915F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T...........-.........................................................................A...........Rich...................PE..d.....g.........." ...).....:.......................................................r....`.........................................PD..L....D..d....p.......`..l....T.../..........@4..T............................3..@............0...............................text............................... ..`.rdata..2....0....... ..............@..@.data........P.......>..............@....pdata..l....`.......D..............@..@.rsrc........p.......H..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\_socket.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83728
Entropy (8bit):	6.331814573029388
Encrypted:	false
SSDEEP:	1536:XuV3gvWHQdMq3ORC/OypTXQlyJ+9+nzEYwsBI6tzOKuZIJywJ7Sy21:XuVQvcQTSypTXQlyJs+nzEYJI6QlZIJY
MD5:	FE896371430BD9551717EF12A3E7E818
SHA1:	E2A7716E9CE840E53E8FC79D50A77F40B353C954
SHA-256:	35246B04C6C7001CA448554246445A845CE116814A29B18B617EA38752E4659B
SHA-512:	67ECD9A07DF0A07EDD010F7E3732F3D829F482D67869D6BCE0C9A61C24C0FDC5FF4F4E4780B9211062A6371945121D8883BA2E9E2CF8EB07B628547312DFE4C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............ll}.ll}.ll}...}.ll}..m\|.ll}..o\|.ll}..h\|.ll}..i\|.ll}..m\|.ll}.lm}.ll}..m\|.ll}..a\|.ll}..l\|.ll}..}.ll}..n\|.ll}Rich.ll}........PE..d.....g.........." ...).x.......... -.......................................`.......s....`.........................................@...P............@.......0.........../...P..........T...........................@...@............................................text....w.......x.................. ..`.rdata.. y.......z...\|..............@..@.data...............................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\_ssl.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	181520
Entropy (8bit):	5.972827303352998
Encrypted:	false
SSDEEP:	3072:kO+IWyXHllRhN1qhep7fM6CpqjZI8u7pUULbaLZErWreVEzvT3iFCNc6tYwJc1OW:kpSrhN1E2M6CpUuwg5dEW7
MD5:	1C0E3E447F719FBE2601D0683EA566FC
SHA1:	5321AB73B36675B238AB3F798C278195223CD7B1
SHA-256:	63AE2FEFBFBBBC6EA39CDE0A622579D46FF55134BC8C1380289A2976B61F603E
SHA-512:	E1A430DA2A2F6E0A1AED7A76CC4CD2760B3164ABC20BE304C1DB3541119942508E53EA3023A52B8BADA17A6052A7A51A4453EFAD1A888ACB3B196881226C2E5C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......FM.^.,k..,k..,k..T...,k...j..,k...h..,k...o..,k...n..,k.J.j..,k...j..,k..,j..-k.ITj..,k.J.f..,k.J.k..,k.J....,k.J.i..,k.Rich.,k.................PE..d......g.........." ...)............ /..............................................R\....`.............................................d................................/..............T...........................P...@............................................text...0........................... ..`.rdata..D%.......&..................@..@.data...`...........................@....pdata...............n..............@..@.rsrc................z..............@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\_wmi.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38160
Entropy (8bit):	6.338856805460127
Encrypted:	false
SSDEEP:	768:fEkK9VgWOZbs3550QcJpPllIJLiX5YiSyvQ602Euf0:fE93jkbQcJvlIJLiJ7Syq00
MD5:	1C30CC7DF3BD168D883E93C593890B43
SHA1:	31465425F349DAE4EDAC9D0FEABC23CE83400807
SHA-256:	6435C679A3A3FF4F16708EBC43F7CA62456C110AC1EA94F617D8052C90C143C7
SHA-512:	267A1807298797B190888F769D998357B183526DFCB25A6F1413E64C5DCCF87F51424B7E5D6F2349D7A19381909AB23B138748D8D9F5858F7DC0552F5C5846AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H2.&a.&a.&a..a.&a..'`.&a..%`.&a.."`.&a..'`.&a..#`.&a..'`.&a.'a..&a.."`.&a../`.&a..&`.&a...a.&a..$`.&aRich.&a................PE..d.....g.........." ...).,...<.......)..............................................'.....`.........................................0V..H...xV.......................f.../......x...tG..T............................C..@............@.......T..@....................text....*.......,.................. ..`.rdata..d ...@..."...0..............@..@.data........p.......R..............@....pdata...............V..............@..@.rsrc................Z..............@..@.reloc..x............d..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\base_library.zip

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	1394456
Entropy (8bit):	5.531698507573688
Encrypted:	false
SSDEEP:	12288:IW7WpLV6yNLeGQbVz3YQfiBgDPtLwjFx278e6ZQnHS91lqyL+DXUgnxOr+dx5/GO:B7WpLtHa9BHSHAW+dx5/GP05vddD
MD5:	A9CBD0455B46C7D14194D1F18CA8719E
SHA1:	E1B0C30BCCD9583949C247854F617AC8A14CBAC7
SHA-256:	DF6C19637D239BFEDC8CD13D20E0938C65E8FDF340622FF334DB533F2D30FA19
SHA-512:	B92468E71490A8800E51410DF7068DD8099E78C79A95666ECF274A9E9206359F049490B8F60B96081FAFD872EC717E67020364BCFA972F26F0D77A959637E528
Malicious:	false
Preview:	PK..........!..b.e............_collections_abc.pyc......................................\.....S.r.S.S.K.J.r.J.r. .S.S.K.r.\.".\.\.....5.......r.\.".S.5.......r.S...r.\.".\.5.......r.C./.S.Q.r.S.r.\.".\.".S.5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".0.R%..................5.......5.......5.......r.\.".\.".0.R)..................5.......5.......5.......r.\.".\.".0.R-..................5.......5.......5.......r.\.".\."./.5.......5.......r.\.".\.".\."./.5.......5.......5.......r.\.".\.".\.".S.5.......5.......5.......r.\.".\.".\.".S.S.-...5.......5.......5.......r.\.".\.".\.".5.......5.......5.......r.\.".\.".S.5.......5.......r \.".\.".S.5.......5.......r!\.".\.".\"".5.......5.......5.......r#\.".0.R%..................5.......5.......r$\.".0.R)..................5.......5.......r%\.".0.R-..................5.......5.......r&\.".\.RN..................5.......r(S...r)\)".5.......r*C)\.".S...".5.......5.......r+S...r,\,".5.......r,\.".\,5.......r-\,R]..................5.......

C:\Users\user\AppData\Local\Temp\_MEI65242\certifi\cacert.pem

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	299427
Entropy (8bit):	6.047872935262006
Encrypted:	false
SSDEEP:	6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/QRSRqNb7d8iu5Nahx:QWb/TRJLWURrI5RWavdF08/
MD5:	50EA156B773E8803F6C1FE712F746CBA
SHA1:	2C68212E96605210EDDF740291862BDF59398AEF
SHA-256:	94EDEB66E91774FCAE93A05650914E29096259A5C7E871A1F65D461AB5201B47
SHA-512:	01ED2E7177A99E6CB3FBEF815321B6FA036AD14A3F93499F2CB5B0DAE5B713FD2E6955AA05F6BDA11D80E9E0275040005E5B7D616959B28EFC62ABB43A3238F0
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer\md.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.818583535960129
Encrypted:	false
SSDEEP:	96:Mvs10hZd9D74ACb0xx2uKynu10YLsgxwJiUNiL0U5IZsJFPGDtCFCCQAADo+cX6m:MXv9XFCk2z1/t12iwU5usJFuCyPcqgE
MD5:	56FE4F6C7E88212161F49E823CCC989A
SHA1:	16D5CBC5F289AD90AEAA4FF7CB828627AC6D4ACF
SHA-256:	002697227449B6D69026D149CFB220AC85D83B13056C8AA6B9DAC3FD3B76CAA4
SHA-512:	7C9D09CF9503F73E6F03D30E54DBB50606A86D09B37302DD72238880C000AE2B64C99027106BA340753691D67EC77B3C6E5004504269508F566BDB5E13615F1E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k............r_...........r................................................3..........Rich....................PE..d....$.g.........." ...).....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer\md__mypyc.cp313-win_amd64.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	124928
Entropy (8bit):	5.953784637413928
Encrypted:	false
SSDEEP:	3072:JDE+0ov6ojgN3qN8h51Zlh+YW5E38vCsmLS:JdefPZE2ICDLS
MD5:	10116447F9276F10664BA85A5614BA3A
SHA1:	EFD761A3E6D14E897D37AFB0C7317C797F7AE1D6
SHA-256:	C393098E7803ABF08EE8F7381AD7B0F8FAFFBF66319C05D72823308E898F8CFC
SHA-512:	C04461E52B7FE92D108CBDEB879B7A8553DD552D79C88DFA3F5D0036EED8D4B8C839C0BF2563BC0C796F8280ED2828CA84747CB781D2F26B44214FCA2091EAE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................7...............7.......7.......7.......6..........D....6.......6.......6.......6......Rich............................PE..d....$.g.........." ...).@...........C.......................................0............`.........................................0...d.................................... ......................................P...@............P...............................text....?.......@.................. ..`.rdata..nY...P...Z...D..............@..@.data....=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\libcrypto-3.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5232408
Entropy (8bit):	5.940072183736028
Encrypted:	false
SSDEEP:	98304:/V+Qs2NuR5YV0L8PQ1CPwDvt3uFlDC4SC9c:9rs2NuDYV0L841CPwDvt3uFlDC4SCa
MD5:	123AD0908C76CCBA4789C084F7A6B8D0
SHA1:	86DE58289C8200ED8C1FC51D5F00E38E32C1AAD5
SHA-256:	4E5D5D20D6D31E72AB341C81E97B89E514326C4C861B48638243BDF0918CFA43
SHA-512:	80FAE0533BA9A2F5FA7806E86F0DB8B6AAB32620DDE33B70A3596938B529F3822856DE75BDDB1B06721F8556EC139D784BC0BB9C8DA0D391DF2C20A80D33CB04
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._~.._~.._~..V.S.M~.....]~.....[~.....W~.....S~.._~...~......T~..J....~..J...7}..J...^~..J.?.^~..J...^~..Rich_~..........................PE..d......f.........." ...(..7..<......v........................................0P.......O...`...........................................H.0.....O.@....@O.\|.... L. .....O../...PO.$...`{D.8............................yD.@.............O..............................text.....7.......7................. ..`.rdata........7.......7.............@..@.data...Ao....K..<....K.............@....pdata....... L.......K.............@..@.idata...%....O..&....N.............@..@.00cfg..u....0O.......N.............@..@.rsrc...\|....@O.......N.............@..@.reloc..~....PO.......N.............@..B................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\libffi-8.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	39696
Entropy (8bit):	6.641880464695502
Encrypted:	false
SSDEEP:	768:NiQfxQemQJNrPN+moyijAc5YiSyvkIPxWEqG:dfxIQvPkmoyijP7SytPxF
MD5:	0F8E4992CA92BAAF54CC0B43AACCCE21
SHA1:	C7300975DF267B1D6ADCBAC0AC93FD7B1AB49BD2
SHA-256:	EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
SHA-512:	6E1B223462DC124279BFCA74FD2C66FE18B368FFBCA540C84E82E0F5BCBEA0E10CC243975574FA95ACE437B9D8B03A446ED5EE0C9B1B094147CEFAF704DFE978
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".H...(.......L...............................................n....`......................................... l.......p..P...............P....l.../......,...@d...............................c..@............`.. ............................text....G.......H.................. ..`.rdata..h....`.......L..............@..@.data................b..............@....pdata..P............d..............@..@.reloc..,............j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\libssl-3.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	792856
Entropy (8bit):	5.57949182561317
Encrypted:	false
SSDEEP:	12288:7LN1sdyIzHHZp5c3nlUa6lxzAG11rbmFe9Xbv:7LgfzH5I3nlUa2AU2Fe9Xbv
MD5:	4FF168AAA6A1D68E7957175C8513F3A2
SHA1:	782F886709FEBC8C7CEBCEC4D92C66C4D5DBCF57
SHA-256:	2E4D35B681A172D3298CAF7DC670451BE7A8BA27C26446EFC67470742497A950
SHA-512:	C372B759B8C7817F2CBB78ECCC5A42FA80BDD8D549965BD925A97C3EEBDCE0335FBFEC3995430064DEAD0F4DB68EBB0134EB686A0BE195630C49F84B468113E3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.>..\|m..\|m..\|m.u.m..\|m+.}l..\|m.u}l..\|m+..l..\|m+.xl..\|m+.yl..\|m..}l..\|m..}m..\|m..xl..\|m..\|l..\|m...m..\|m..~l..\|mRich..\|m................PE..d......f.........." ...(.>..........K........................................0......!+....`..........................................x...Q..............s.... ...M......./......d...p...8...............................@............................................text....<.......>.................. ..`.rdata..hz...P...\|...B..............@..@.data...qN.......H..................@....pdata..pV... ...X..................@..@.idata...c.......d...^..............@..@.00cfg..u...........................@..@.rsrc...s...........................@..@.reloc..C...........................@..B........................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\psutil\_psutil_windows.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	67072
Entropy (8bit):	5.909456553599775
Encrypted:	false
SSDEEP:	1536:j3sHmR02IvVxv7WCyKm7c5Th4JBHTOvyyaZE:jnIvryCyKx5Th4J5OvyyO
MD5:	49AC12A1F10AB93FAFAB064FD0523A63
SHA1:	3AD6923AB0FB5D3DD9D22ED077DB15B42C2FBD4F
SHA-256:	BA033B79E858DBFCBA6BF8FB5AFE10DEFD1CB03957DBBC68E8E62E4DE6DF492D
SHA-512:	1BC0F50E0BB0A9D9DDDAD31390E5C73B0D11C2B0A8C5462065D477E93FF21F7EDC7AA2B2B36E478BE0A797A38F43E3FBEB6AAABEF0BADEC1D8D16EB73DF67255
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nT..5..5..5..#M2. 5..x@..(5..x@..&5..x@.."5..x@...5...k..(5..aM..;5..5...5...@..:5...@..+5...@^.+5...@..+5..Rich*5..................PE..d...._.g.........." .........h......\........................................@............`.........................................0...`.......@.... .......................0..(.......................................8............................................text...h........................... ..`.rdata..\I.......J..................@..@.data...x...........................@....pdata..............................@..@.rsrc........ ......................@..@.reloc..(....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\python3.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	70416
Entropy (8bit):	6.1258200129869405
Encrypted:	false
SSDEEP:	768:pQEotsskOv6pWVCB4p/uKlZPRQcFIc9qunV0Jku/YFI1Hu1wEBbCpVNyD6VdPxiD:/otssyKcunV8PjZIJy0i7SyWH1
MD5:	16855EBEF31C5B1EBE767F1C617645B3
SHA1:	315521F3A748ABFA35CD4D48E8DD09D0556D989B
SHA-256:	A5C6A329698490A035133433928D04368CE6285BB91A9D074FC285DE4C9A32A4
SHA-512:	C3957B3BD36B10C7AD6EA1FF3BC7BD65CDCEB3E6B4195A25D0649AA0DA179276CE170DA903D77B50A38FC3D5147A45BE32DBCFDBFBF76CC46301199C529ADEA4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%?..a^e.a^e.a^e.).m.`^e.).e.`^e.)..`^e.).g.`^e.Richa^e.........PE..d......g.........." ...)............................................................z.....`.........................................`..................................../..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\python313.dll

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6083856
Entropy (8bit):	6.126922729922386
Encrypted:	false
SSDEEP:	49152:fXGc3O7T4DKX+vLFMmKYxiAYNBD987KdJlI9HbeX2jrgQcw6Zc4h67mM+XDQ3bLi:Of42zJiwJl/YF7v3vaHDMiEN3Kr
MD5:	B9DE917B925DD246B709BB4233777EFD
SHA1:	775F258D8B530C6EA9F0DD3D1D0B61C1948C25D2
SHA-256:	0C0A66505093B6A4BB3475F716BD3D9552095776F6A124709C13B3F9552C7D99
SHA-512:	F4BF3398F50FDD3AB7E3F02C1F940B4C8B5650ED7AF16C626CCD1B934053BA73A35F96DA03B349C1EB614BB23E0BC6B5CC58B07B7553A5C93C6D23124F324A33
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s]{v ]{v ]{v M.w!_{v M.. S{v M.u!Y{v M.r!U{v M.s!P{v T.. G{v ..w!V{v ]{w .zv ..{!.{v ..v!\{v ... \{v ..t!\{v Rich]{v ........................PE..d......g.........." ...).:+..T9......J........................................d.....uF]...`...........................................O.....h.P.......d......0].......\../....d..... A3.T.....................I.(....?3.@............P+..............................text....8+......:+................. ..`.rdata....%..P+...%..>+.............@..@.data...$9....P..N....P.............@....pdata.......0]...... U.............@..@PyRuntim.N...._..P....W.............@....rsrc.........d.......[.............@..@.reloc........d.......[.............@..B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\select.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	30992
Entropy (8bit):	6.554484610649281
Encrypted:	false
SSDEEP:	384:7hhxm9tKLhuoNHfzzlvFy0ZZIJ9GckHQIYiSy1pCQ4HWSJIVE8E9VF0Ny6sC:tCytHf98uZIJ9Gx5YiSyvy2ES
MD5:	20831703486869B470006941B4D996F2
SHA1:	28851DFD43706542CD3EF1B88B5E2749562DFEE0
SHA-256:	78E5994C29D8851F28B5B12D59D742D876683AEA58ECEEA1FB895B2036CDCDEB
SHA-512:	4AAF5D66D2B73F939B9A91E7EDDFEB2CE2476C625586EF227B312230414C064AA850B02A4028363AA4664408C9510594754530A6D026A0A84BE0168D677C1BC4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........tV..'V..'V..'_.j'T..'F:.&T..'F:.&R..'F:.&^..'F:.&Z..'.;.&T..'V..'...'...&S..'.;.&W..'.;.&W..'.;.'W..'.;.&W..'RichV..'................PE..d.....g.........." ...).....2............................................................`..........................................@..L...<A..x....p.......`.......J.../......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...p....P.......8..............@....pdata.......`.......:..............@..@.rsrc........p.......>..............@..@.reloc..L............H..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\_MEI65242\unicodedata.pyd

Download File

Process:	C:\Users\user\Desktop\wp-s2.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	709904
Entropy (8bit):	5.861739047785334
Encrypted:	false
SSDEEP:	12288:FYGdLI/X77mvfldCKGihH32W3cnPSqrUgLIe:FYGW7qNxr3cnPXLIe
MD5:	0902D299A2A487A7B0C2D75862B13640
SHA1:	04BCBD5A11861A03A0D323A8050A677C3A88BE13
SHA-256:	2693C7EE4FBA55DC548F641C0CB94485D0E18596FFEF16541BD43A5104C28B20
SHA-512:	8CBEF5A9F2D24DA1014F8F1CCBDDD997A084A0B04DD56BCB6AC38DDB636D05EF7E4EA7F67A085363AAD3F43D45413914E55BDEF14A662E80BE955E6DFC2FECA3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q.............(.....(.....(.....(.....)................).....).....)x....)....Rich..................PE..d.....g.........." ...).B...f......P,..............................................<.....`.........................................P...X................................/..........p...T...........................0...@............`..h............................text....@.......B.................. ..`.rdata...?...`...@...F..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465467726947162
Encrypted:	false
SSDEEP:	6144:kIXfpi67eLPU9skLmb0b40WSPKaJG8nAgejZMMhA2gX4WABl0uNbdwBCswSbI:ZXD940WlLZMM6YFHp+I
MD5:	DF03A50FC0FD71912322CB2413ACCE21
SHA1:	570A8BF81BA5D69F0CBA9C62688CAD2C4A136D91
SHA-256:	180C23F1168C456EF47DB11ACC70D31F6637243A038CCCFCF82259F8F07666A9
SHA-512:	018E41EF5F08C45F9CF4C49AFED272F02CE2147880D2C543997C2C23990A6DE5B6CE8EE701590A31E74588A3ABF5E4002005BD423F4ED4A4696BEB0FFB644333
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....R..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.995837929088591
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wp-s2.exe
File size:	38'752'565 bytes
MD5:	62370a84134040d803eae9a4bd34342c
SHA1:	207f73ffdcdfa2cb5d713e13385a8c65bb19adf7
SHA256:	e84a1edd3826ccb96eadc6d62410361e7820f3c5bc8b7ba308278f33aa2266e4
SHA512:	163e43dc823bbbba4a7899a2e50c66f75d5ecfd74c95d0ebb81c508a77ad6eb350412bbf93a0ddf94889ea30781afd02f33f0381371394110f3b79ea51b3a10b
SSDEEP:	786432:/+gX4BMdhwzTQXR5FbPp6FcSS5U/LT2KzVyPVLBdebXMb8VH/zEa:BXGMK4XR3bLSCU/+6yPl3ebcBa
TLSH:	F9873300E5D409DEE5B22974F5F1528BD559F0EE4B72C2EB81B0025385B7BC09B2EA7B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......n=..\.Z\.Z\.Za$.[-\.Za$.[.\.Za$.[ \.Z:..Z)\.Z:..[#\.Z:..[;\.Z:..[.\.Za$.[!\.Z\.Z.\.Zb..[3\.Zb..[+\.ZRich*\.Z........PE..d..

File Icon


Icon Hash:	4a464cd47461e179

Static PE Info

General

Entrypoint:	0x14000cdb0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x67601DBF [Mon Dec 16 12:31:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	72c4e339b7af8ab1ed2eb3821c98713a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F4A40D77F5Ch
dec eax
add esp, 28h
jmp 00007F4A40D77B7Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F4A40D78328h
test eax, eax
je 00007F4A40D77D23h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F4A40D77D07h
dec eax
cmp ecx, eax
je 00007F4A40D77D16h
xor eax, eax
dec eax
cmpxchg dword ptr [0003577Ch], ecx
jne 00007F4A40D77CF0h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F4A40D77CF9h
int3
int3
int3
dec eax
sub esp, 28h
test ecx, ecx
jne 00007F4A40D77D09h
mov byte ptr [00035765h], 00000001h
call 00007F4A40D77455h
call 00007F4A40D78740h
test al, al
jne 00007F4A40D77D06h
xor al, al
jmp 00007F4A40D77D16h
call 00007F4A40D8525Fh
test al, al
jne 00007F4A40D77D0Bh
xor ecx, ecx
call 00007F4A40D78750h
jmp 00007F4A40D77CECh
mov al, 01h
dec eax
add esp, 28h
ret
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0003572Ch], 00000000h
mov ebx, ecx
jne 00007F4A40D77D69h
cmp ecx, 01h
jnbe 00007F4A40D77D6Ch
call 00007F4A40D7829Eh
test eax, eax
je 00007F4A40D77D2Ah
test ebx, ebx
jne 00007F4A40D77D26h
dec eax
lea ecx, dword ptr [00035716h]
call 00007F4A40D85052h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3ca5c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0xf41c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x44000	0x2250	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x57000	0x764	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x39f40	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29f00	0x2a000	2a7ae207b6295492e9da088072661752	False	0.5514439174107143	data	6.487454925709845	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12a50	0x12c00	57258b1831c470607d36a5c0628eff30	False	0.5244661458333333	data	5.7526463108375125	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x53f8	0xe00	dba0caeecab624a0ccc0d577241601d1	False	0.134765625	data	1.8392217063172436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x44000	0x2250	0x2400	f5559f14427a02f0a5dbd0dd026cae54	False	0.470703125	data	5.291665041994019	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0xf41c	0xf600	455788c285fcfdcb4008bc77e762818a	False	0.803099593495935	data	7.5549760623589695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x57000	0x764	0x800	816c68eeb419ee2c08656c31c06a0fff	False	0.5576171875	data	5.2809528666624175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x47208	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x480b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x48958	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x48ec0	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x523ec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x54994	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x55a3c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_GROUP_ICON	0x55ea4	0x68	data	0.7019230769230769
RT_MANIFEST	0x55f0c	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

Imports

DLL	Import
USER32.dll	CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 09:55:14.256908894 CET	49731	443	192.168.2.4	104.20.22.46
Dec 20, 2024 09:55:14.257008076 CET	443	49731	104.20.22.46	192.168.2.4
Dec 20, 2024 09:55:14.257110119 CET	49731	443	192.168.2.4	104.20.22.46
Dec 20, 2024 09:55:14.258028984 CET	49731	443	192.168.2.4	104.20.22.46
Dec 20, 2024 09:55:14.258059025 CET	443	49731	104.20.22.46	192.168.2.4
Dec 20, 2024 09:55:15.484909058 CET	443	49731	104.20.22.46	192.168.2.4
Dec 20, 2024 09:55:15.485589027 CET	49731	443	192.168.2.4	104.20.22.46
Dec 20, 2024 09:55:15.485675097 CET	443	49731	104.20.22.46	192.168.2.4
Dec 20, 2024 09:55:15.487660885 CET	443	49731	104.20.22.46	192.168.2.4
Dec 20, 2024 09:55:15.487746000 CET	49731	443	192.168.2.4	104.20.22.46
Dec 20, 2024 09:55:15.489037037 CET	49731	443	192.168.2.4	104.20.22.46
Dec 20, 2024 09:55:15.489248037 CET	443	49731	104.20.22.46	192.168.2.4
Dec 20, 2024 09:55:15.489284992 CET	49731	443	192.168.2.4	104.20.22.46
Dec 20, 2024 09:55:15.489308119 CET	49731	443	192.168.2.4	104.20.22.46

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 09:55:14.115966082 CET	49241	53	192.168.2.4	1.1.1.1
Dec 20, 2024 09:55:14.252846003 CET	53	49241	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2024 09:55:14.115966082 CET	192.168.2.4	1.1.1.1	0x526b	Standard query (0)	nodejs.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 09:55:14.252846003 CET	1.1.1.1	192.168.2.4	0x526b	No error (0)	nodejs.org		104.20.22.46	A (IP address)	IN (0x0001)	false
Dec 20, 2024 09:55:14.252846003 CET	1.1.1.1	192.168.2.4	0x526b	No error (0)	nodejs.org		104.20.23.46	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:55:01
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\wp-s2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wp-s2.exe"
Imagebase:	0x7ff6d09e0000
File size:	38'752'565 bytes
MD5 hash:	62370A84134040D803EAE9A4BD34342C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:55:07
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\wp-s2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\wp-s2.exe"
Imagebase:	0x7ff6d09e0000
File size:	38'752'565 bytes
MD5 hash:	62370A84134040D803EAE9A4BD34342C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PythonBackDoor_1, Description: Yara detected Python BackDoor, Source: 00000001.00000002.2082080905.000001B81E841000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PythonBackDoor_1, Description: Yara detected Python BackDoor, Source: 00000001.00000003.1755036913.000001B81EABA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PythonBackDoor_1, Description: Yara detected Python BackDoor, Source: 00000001.00000003.1755225796.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PythonBackDoor_1, Description: Yara detected Python BackDoor, Source: 00000001.00000003.1758008751.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PythonBackDoor_1, Description: Yara detected Python BackDoor, Source: 00000001.00000003.1755864798.000001B81EABD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PythonBackDoor_1, Description: Yara detected Python BackDoor, Source: 00000001.00000003.1757583955.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PythonBackDoor_1, Description: Yara detected Python BackDoor, Source: 00000001.00000003.1756150289.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PythonBackDoor_1, Description: Yara detected Python BackDoor, Source: 00000001.00000002.2082516614.000001B81EAA1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PythonBackDoor_1, Description: Yara detected Python BackDoor, Source: 00000001.00000003.1757204060.000001B81E7F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:55:11
Start date:	20/12/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff689160000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:55:11
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:55:12
Start date:	20/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:55:12
Start date:	20/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c "wmic computersystem get manufacturer"
Imagebase:	0x7ff652b50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:55:12
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:55:12
Start date:	20/12/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic computersystem get manufacturer
Imagebase:	0x7ff7409a0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:55:17
Start date:	20/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6752 -s 940
Imagebase:	0x7ff737880000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	44

Executed Functions

Function 00007FF6D09E89E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257
synchronizationwindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D09E9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6D09E45F4,00000000,00007FF6D09E1985), ref: 00007FF6D09E93C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8A56

Part of subcall function 00007FF6D09FA47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09FA490

Part of subcall function 00007FF6D09F871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F8783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8AE6
CreateProcessW.KERNELBASE ref: 00007FF6D09E8B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8B28

Part of subcall function 00007FF6D09E2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D09E3706,?,00007FF6D09E3804), ref: 00007FF6D09E2C9E
Part of subcall function 00007FF6D09E2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D09E3706,?,00007FF6D09E3804), ref: 00007FF6D09E2D63
Part of subcall function 00007FF6D09E2C50: MessageBoxW.USER32 ref: 00007FF6D09E2D99

RegisterClassW.USER32 ref: 00007FF6D09E8B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8B8B
CreateWindowExW.USER32 ref: 00007FF6D09E8BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8C15
PeekMessageW.USER32 ref: 00007FF6D09E8C39
TranslateMessage.USER32 ref: 00007FF6D09E8C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8C51
PeekMessageW.USER32 ref: 00007FF6D09E8C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8E04
GetExitCodeProcess.KERNELBASE ref: 00007FF6D09E8E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8E2F

Strings

PyInstallerOnefileHiddenWindow, xrefs: 00007FF6D09E8B54
CreateProcessW, xrefs: 00007FF6D09E8B37
Failed to create child process!, xrefs: 00007FF6D09E8B30
PyInstaller Onefile Hidden Window, xrefs: 00007FF6D09E8B95

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 1c041c2bf00e6a7509045843fe90a2af158539d2eb8f2e2fdb29c652ec2e9437
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: C5D1D132A19A86A6E7148F75E8502AE3760FF84758F141237DA5DC6BAECF3CD564C700

Function 00007FF6D09E1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Py_GIL_DISABLED, xrefs: 00007FF6D09E3AF4
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF6D09E3A17, 00007FF6D09E3A2F, 00007FF6D09E3A9B
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF6D09E3EA6
Failed to load splash screen resources!, xrefs: 00007FF6D09E3E85
pyi-disable-windowed-traceback, xrefs: 00007FF6D09E3BB2
Failed to start splash screen!, xrefs: 00007FF6D09E3ED4
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF6D09E3A0B, 00007FF6D09E3CD4, 00007FF6D09E3F6B
MEI, xrefs: 00007FF6D09E3933
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF6D09E3882, 00007FF6D09E38AF
Could not create temporary directory!, xrefs: 00007FF6D09E3CBF
pyi-runtime-tmpdir, xrefs: 00007FF6D09E3B68
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6D09E3C61
pkg, xrefs: 00007FF6D09E39BE
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF6D09E3D35
pyi-python-flag, xrefs: 00007FF6D09E3AD6
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF6D09E3EBB
_PYI_ARCHIVE_FILE, xrefs: 00007FF6D09E38D2, 00007FF6D09E39FF
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF6D09E3971
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF6D09E3E0A
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6D09E3BE8
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF6D09E3D12
Failed to convert DLL search path!, xrefs: 00007FF6D09E3DDC
_PYI_SPLASH_IPC, xrefs: 00007FF6D09E3A23, 00007FF6D09E3EF5
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF6D09E3B32
VCRUNTIME140.dll, xrefs: 00007FF6D09E3DB1
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6D09E39DE
pyi-contents-directory, xrefs: 00007FF6D09E3B8D
Failed to remove temporary directory: %s, xrefs: 00007FF6D09E3FCF

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: 2d77af2a2f9236e5f1bda1603447cca491bc739d444c9c91c5f96d0c69afedc5
Instruction ID: a6592dbe3827e356133bab30d7f88d9f2a4431c85bc425dbf9a034c6d1eec82a
Opcode Fuzzy Hash: 2d77af2a2f9236e5f1bda1603447cca491bc739d444c9c91c5f96d0c69afedc5
Instruction Fuzzy Hash: 1C326D22A0E686B1EA19D721D5582BD2651BF44788F84A037DA5DCB3DFDF2CE974C300

Function 00007FF6D0A05C00 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6D0A05C45

Part of subcall function 00007FF6D0A05598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A055AC

Part of subcall function 00007FF6D09FA948: RtlFreeHeap.NTDLL(?,?,?,00007FF6D0A02D22,?,?,?,00007FF6D0A02D5F,?,?,00000000,00007FF6D0A03225,?,?,?,00007FF6D0A03157), ref: 00007FF6D09FA95E
Part of subcall function 00007FF6D09FA948: GetLastError.KERNEL32(?,?,?,00007FF6D0A02D22,?,?,?,00007FF6D0A02D5F,?,?,00000000,00007FF6D0A03225,?,?,?,00007FF6D0A03157), ref: 00007FF6D09FA968

Part of subcall function 00007FF6D09FA900: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6D09FA8DF,?,?,?,?,?,00007FF6D09FA7CA), ref: 00007FF6D09FA909
Part of subcall function 00007FF6D09FA900: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6D09FA8DF,?,?,?,?,?,00007FF6D09FA7CA), ref: 00007FF6D09FA92E

_get_daylight.LIBCMT ref: 00007FF6D0A05C34

Part of subcall function 00007FF6D0A055F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A0560C

_get_daylight.LIBCMT ref: 00007FF6D0A05EAA
_get_daylight.LIBCMT ref: 00007FF6D0A05EBB
_get_daylight.LIBCMT ref: 00007FF6D0A05ECC
GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6D0A0610C), ref: 00007FF6D0A05EF3

Strings

Eastern Summer Time, xrefs: 00007FF6D0A05FB1
Eastern Standard Time, xrefs: 00007FF6D0A05F99

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction ID: 66e38184289a3be2b4f4b6e99bd80dc3e597eb48f2b04b08605f0f5e7aee020e
Opcode Fuzzy Hash: c8e181fbda5929fcc8f6a75e148055e791a7ddaa32984997676ab034941af52a
Instruction Fuzzy Hash: 30D19D27A0C246A6E728DF37D8411BE6751AF94784F489037EA4D8B79FDE3CE4618740

Function 00007FF6D0A06964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D0A06698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A066D9
Part of subcall function 00007FF6D0A06698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A06757
Part of subcall function 00007FF6D0A06698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A067A8

CreateFileW.KERNELBASE ref: 00007FF6D0A06A6A
CreateFileW.KERNEL32 ref: 00007FF6D0A06ABA
GetLastError.KERNEL32 ref: 00007FF6D0A06AEA
GetFileType.KERNELBASE ref: 00007FF6D0A06AFF
GetLastError.KERNEL32 ref: 00007FF6D0A06B09
CloseHandle.KERNEL32 ref: 00007FF6D0A06B3C
CloseHandle.KERNEL32 ref: 00007FF6D0A06C9F
CreateFileW.KERNEL32 ref: 00007FF6D0A06CD4
GetLastError.KERNEL32 ref: 00007FF6D0A06CE3

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 164288afb55d3a770f19b57e4f06bf6d42ae9702afe0eadfec71595e560aba31
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: 66C1B133B28A4595EB14CF6AC4912AD3765F749B98F05523ADE2E9B79ECF38D061C300

Function 00007FF6D09E83C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 89
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,00007FF6D09E8919,00007FF6D09E3FA5), ref: 00007FF6D09E842B
RemoveDirectoryW.KERNEL32(?,00007FF6D09E8919,00007FF6D09E3FA5), ref: 00007FF6D09E84AE
DeleteFileW.KERNELBASE(?,00007FF6D09E8919,00007FF6D09E3FA5), ref: 00007FF6D09E84CD
FindNextFileW.KERNELBASE(?,00007FF6D09E8919,00007FF6D09E3FA5), ref: 00007FF6D09E84DB
FindClose.KERNEL32(?,00007FF6D09E8919,00007FF6D09E3FA5), ref: 00007FF6D09E84EC
RemoveDirectoryW.KERNELBASE(?,00007FF6D09E8919,00007FF6D09E3FA5), ref: 00007FF6D09E84F5

Strings

%s\*, xrefs: 00007FF6D09E83F2

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
String ID: %s\*
API String ID: 1057558799-766152087
Opcode ID: 7c12b01ff297979e1ecdf005a6213684df6049b407edb1b83f88227167b7eee2
Instruction ID: 1d3cc0cb36fe40e25eb1a303680d9bb97aaa10b7b81667f4aadfec04efb0c7a8
Opcode Fuzzy Hash: 7c12b01ff297979e1ecdf005a6213684df6049b407edb1b83f88227167b7eee2
Instruction Fuzzy Hash: 1B41A232A1D947A1EA209B61E4541BE2360FB94758F441233E5ADC67EEEF3CD9668700

Function 00007FF6D0A05E7C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF6D0A05EAA

Part of subcall function 00007FF6D0A055F8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A0560C

_get_daylight.LIBCMT ref: 00007FF6D0A05EBB

Part of subcall function 00007FF6D0A05598: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A055AC

_get_daylight.LIBCMT ref: 00007FF6D0A05ECC

Part of subcall function 00007FF6D0A055C8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A055DC

Part of subcall function 00007FF6D09FA948: RtlFreeHeap.NTDLL(?,?,?,00007FF6D0A02D22,?,?,?,00007FF6D0A02D5F,?,?,00000000,00007FF6D0A03225,?,?,?,00007FF6D0A03157), ref: 00007FF6D09FA95E
Part of subcall function 00007FF6D09FA948: GetLastError.KERNEL32(?,?,?,00007FF6D0A02D22,?,?,?,00007FF6D0A02D5F,?,?,00000000,00007FF6D0A03225,?,?,?,00007FF6D0A03157), ref: 00007FF6D09FA968

GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6D0A0610C), ref: 00007FF6D0A05EF3

Strings

Eastern Summer Time, xrefs: 00007FF6D0A05FB1
Eastern Standard Time, xrefs: 00007FF6D0A05F99

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction ID: aa72d6167e706b7a433abad8c72b83b1dce9109ddd4c098689236fbd2bd2098d
Opcode Fuzzy Hash: 6f2171165b001c2744b9d494c76d2a7753c36df5ed5d67f3075860c83c0dbe14
Instruction Fuzzy Hash: 8B516023A0C646A6E728DF32D8811AE6760BB58784F489137EA4DC779FDF3CE4608740

Function 00007FF6D09E9280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNELBASE ref: 00007FF6D09E92B3
FindClose.KERNELBASE ref: 00007FF6D09E92C2

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 0a9c964f69650bd0d8743b18a6d3717ae02265dabd5718434ec87261d38c95a2
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 36F0C832A1D74196FB608B60B49876E7390BB84328F041337DA7D867D9DF7CD469CA00

Function 00007FF6D0A008C8 Relevance: 2.0, APIs: 1, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor
String ID:
API String ID: 1010374628-0
Opcode ID: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction ID: 35eafa134b3c5e6a445ee583c37a02939530d37d03be136be98582955421d5cd
Opcode Fuzzy Hash: 537422541fbed36a77ddee3a41e978a3695e14332b64c7d8d0a2d6c09592a1ae
Instruction Fuzzy Hash: 1E02F523B1D65B60FA699B23940067D2A84AF41BA4F5D9637ED5DCA3DFDE3CA4708300

Function 00007FF6D09E1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D09E7F90: _fread_nolock.LIBCMT ref: 00007FF6D09E803A

_fread_nolock.LIBCMT ref: 00007FF6D09E1A1B

Part of subcall function 00007FF6D09E2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6D09E1B6A), ref: 00007FF6D09E295E

Strings

fread, xrefs: 00007FF6D09E1A32, 00007FF6D09E1B5C
Failed to read cookie!, xrefs: 00007FF6D09E1A2B
Error on file., xrefs: 00007FF6D09E1B8D
calloc, xrefs: 00007FF6D09E1A68
Failed to seek to cookie position!, xrefs: 00007FF6D09E19EE
malloc, xrefs: 00007FF6D09E1B22
Could not allocate memory for archive structure!, xrefs: 00007FF6D09E1A61
MEI, xrefs: 00007FF6D09E1991
fseek, xrefs: 00007FF6D09E19F5
Could not read full TOC!, xrefs: 00007FF6D09E1B55
Could not allocate buffer for TOC!, xrefs: 00007FF6D09E1B1B

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: ed5d37bd12c92faad5b6bf746ee66ab535d4fcd70a2e81ebf99a2f5a44e873f3
Instruction ID: 3b6ab2d8e24f5d1667d40138e1b6b8dce6d1b3c827b625028375aa5aaed2ee66
Opcode Fuzzy Hash: ed5d37bd12c92faad5b6bf746ee66ab535d4fcd70a2e81ebf99a2f5a44e873f3
Instruction Fuzzy Hash: E881B371A1D686A6EB14DB15D0412BD2390FF88788F545433E98DCB79FDE3CE9658700

Function 00007FF6D09E1600 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF6D09E16A2
fread, xrefs: 00007FF6D09E17E6
fopen, xrefs: 00007FF6D09E1663
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6D09E17DF
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6D09E16DA
malloc, xrefs: 00007FF6D09E1749
fseek, xrefs: 00007FF6D09E16E1
Failed to extract %s: failed to write data chunk!, xrefs: 00007FF6D09E17CA
fwrite, xrefs: 00007FF6D09E17D1
Failed to create symbolic link %s!, xrefs: 00007FF6D09E1622
Failed to extract %s: failed to open target file!, xrefs: 00007FF6D09E165C
Failed to extract %s: failed to allocate temporary buffer!, xrefs: 00007FF6D09E1742

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
API String ID: 2050909247-1550345328
Opcode ID: 20e17bd6c553c2d1bb16f42c1bd2daa45422ba949397fd2f79efb246dcdc4b64
Instruction ID: 70b23e18935649b2e5a7c8622632d6ee79767407004a9786f605705dd281cf66
Opcode Fuzzy Hash: 20e17bd6c553c2d1bb16f42c1bd2daa45422ba949397fd2f79efb246dcdc4b64
Instruction Fuzzy Hash: BD518E22B1A647B2EA149B1295005BD6394BF84B98F846533EE0CCB79FDF3CE965C700

Function 00007FF6D09E8660 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(?,?,00000000,00007FF6D09E3CBB), ref: 00007FF6D09E8704
GetCurrentProcessId.KERNEL32(?,00000000,00007FF6D09E3CBB), ref: 00007FF6D09E870A
CreateDirectoryW.KERNELBASE(?,00000000,00007FF6D09E3CBB), ref: 00007FF6D09E874C

Part of subcall function 00007FF6D09E8830: GetEnvironmentVariableW.KERNEL32(00007FF6D09E388E), ref: 00007FF6D09E8867
Part of subcall function 00007FF6D09E8830: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6D09E8889

Part of subcall function 00007FF6D09F8238: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F8251

Part of subcall function 00007FF6D09E2810: MessageBoxW.USER32 ref: 00007FF6D09E28EA

Strings

LOADER: failed to set the TMP environment variable., xrefs: 00007FF6D09E86DC
_MEI%d, xrefs: 00007FF6D09E8712
LOADER: length of teporary directory path exceeds maximum path length!, xrefs: 00007FF6D09E877E
TMP, xrefs: 00007FF6D09E86C2
TMP, xrefs: 00007FF6D09E869C, 00007FF6D09E87A3

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
API String ID: 3563477958-1339014028
Opcode ID: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction ID: 4e60c4160fd104835e1a41c00ba488f64c150a0a9f9adcb34137fb77471b0327
Opcode Fuzzy Hash: 191653d34e5a06968e8282251bef030903df87164e49fe651f79a53b4d97858f
Instruction Fuzzy Hash: 2C41BE12A1E64260FA14AB66A9512BE1294FF847C8F846133ED1DCF7DFDE3CE9258300

Function 00007FF6D09E1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6D09E12EF
Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6D09E141E
1.3.1, xrefs: 00007FF6D09E1249
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6D09E12BA
malloc, xrefs: 00007FF6D09E12C1, 00007FF6D09E12F6
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6D09E1276

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: ef842027a1d970694cc0f789b50cc720652ec9763b74026d17365e7fd9a410f4
Instruction ID: 260760d33eb09f9417d8b0b525b0475f77f359b53f13aae4cd8130d4d30d18da
Opcode Fuzzy Hash: ef842027a1d970694cc0f789b50cc720652ec9763b74026d17365e7fd9a410f4
Instruction Fuzzy Hash: 4851C632A0E642A5E6249B12A4403BE6691FF84798F446137ED4DCB7DFEE3CE961C700

Function 00007FF6D09FED10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF6D09FF0AA,?,?,-00000018,00007FF6D09FAD53,?,?,?,00007FF6D09FAC4A,?,?,?,00007FF6D09F5F3E), ref: 00007FF6D09FEE8C
GetProcAddress.KERNEL32(?,?,?,00007FF6D09FF0AA,?,?,-00000018,00007FF6D09FAD53,?,?,?,00007FF6D09FAC4A,?,?,?,00007FF6D09F5F3E), ref: 00007FF6D09FEE98

Strings

ext-ms-, xrefs: 00007FF6D09FEDE9
api-ms-, xrefs: 00007FF6D09FEDD6

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction ID: 5b6bc8dc7691fa4612e5d6742adb46c458d0fd17a23324315445220b6f6241ee
Opcode Fuzzy Hash: 113d78e4ddfca44ef7199ea688f338981f8b4522c7c5ddaba00381c3941a83e2
Instruction Fuzzy Hash: 63411922B19A0261FB15CB16A80067D2799BF48BD4F485537ED1DCB78EDF3CE8658300

Function 00007FF6D09E36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6D09E3804), ref: 00007FF6D09E36E1
GetLastError.KERNEL32(?,00007FF6D09E3804), ref: 00007FF6D09E36EB

Part of subcall function 00007FF6D09E2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D09E3706,?,00007FF6D09E3804), ref: 00007FF6D09E2C9E
Part of subcall function 00007FF6D09E2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D09E3706,?,00007FF6D09E3804), ref: 00007FF6D09E2D63
Part of subcall function 00007FF6D09E2C50: MessageBoxW.USER32 ref: 00007FF6D09E2D99

Strings

Failed to convert executable path to UTF-8., xrefs: 00007FF6D09E3790
Failed to resolve full path to executable %ls., xrefs: 00007FF6D09E3739
Failed to obtain executable path., xrefs: 00007FF6D09E36F3
GetModuleFileNameW, xrefs: 00007FF6D09E36FA
\\?\, xrefs: 00007FF6D09E375A

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: 3b16a2486419b671d8efc8867afbb449ba1c1740344d1d912b63513927b24d8f
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: 7C2197A1B2D64271FA24D721E8143BE2250BF48358F445133E65DCA7DFEE6CE925C300

Function 00007FF6D09FBA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09FBE89

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction ID: d0f5e870961ecdb69b579d92d072ece4f6c29e809a174e55abb5730ca3738a0b
Opcode Fuzzy Hash: 1c0df5e74df0118619baac061aee596465bcef498cfc928fc9eaa168a483e3b3
Instruction Fuzzy Hash: 54C1E2A2A1C686A1E7608F1590402BD2F58FB81B88F596133FB4D8B7DBCE7CE4658701

Function 00007FF6D09E8570 Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6D09E8590
OpenProcessToken.ADVAPI32 ref: 00007FF6D09E85A3
GetTokenInformation.KERNELBASE ref: 00007FF6D09E85C8
GetLastError.KERNEL32 ref: 00007FF6D09E85D2
GetTokenInformation.KERNELBASE ref: 00007FF6D09E8612
ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6D09E862E
CloseHandle.KERNEL32 ref: 00007FF6D09E8646

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID:
API String ID: 995526605-0
Opcode ID: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction ID: f4787eda5ab0cceb4a4f108e0e3f4143c0370e3139378c5064b4d61cf4c8e4e1
Opcode Fuzzy Hash: 1c88e2159774aae00215e56fe2a2a719af09135261df6dbcfc7a62e4558c2eb4
Instruction Fuzzy Hash: 22219132A1C64652EA108B55B54023FA3A0FFC5BA4F541237EA6DC7BEEDE7CD8558700

Function 00007FF6D09E90E0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D09E8570: GetCurrentProcess.KERNEL32 ref: 00007FF6D09E8590
Part of subcall function 00007FF6D09E8570: OpenProcessToken.ADVAPI32 ref: 00007FF6D09E85A3
Part of subcall function 00007FF6D09E8570: GetTokenInformation.KERNELBASE ref: 00007FF6D09E85C8
Part of subcall function 00007FF6D09E8570: GetLastError.KERNEL32 ref: 00007FF6D09E85D2
Part of subcall function 00007FF6D09E8570: GetTokenInformation.KERNELBASE ref: 00007FF6D09E8612
Part of subcall function 00007FF6D09E8570: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6D09E862E
Part of subcall function 00007FF6D09E8570: CloseHandle.KERNEL32 ref: 00007FF6D09E8646

LocalFree.KERNEL32(?,00007FF6D09E3C55), ref: 00007FF6D09E916C
LocalFree.KERNEL32(?,00007FF6D09E3C55), ref: 00007FF6D09E9175

Strings

S-1-3-4, xrefs: 00007FF6D09E9121
Security descriptor string length exceeds PYI_PATH_MAX!, xrefs: 00007FF6D09E9183
D:(A;;FA;;;%s), xrefs: 00007FF6D09E9157
D:(A;;FA;;;%s)(A;;FA;;;%s), xrefs: 00007FF6D09E9142

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
API String ID: 6828938-1529539262
Opcode ID: 5ed7a9ba3e6ce910408607b93085540bd422a8d0f9e00f9f84049ca226c14b37
Instruction ID: 0988c40098757a80cc164de3477efe355e169441a6717033aa0a60f7e8e84953
Opcode Fuzzy Hash: 5ed7a9ba3e6ce910408607b93085540bd422a8d0f9e00f9f84049ca226c14b37
Instruction Fuzzy Hash: EB217132A0D742A1F614AB21E5152EE6260FF88784F845037EA4DCB79FDF7CE8658740

Function 00007FF6D09E7E20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,?,00007FF6D09E352C,?,00000000,00007FF6D09E3F23), ref: 00007FF6D09E7F32

Strings

%.*s, xrefs: 00007FF6D09E7EEB
%s%c, xrefs: 00007FF6D09E7EA4
\, xrefs: 00007FF6D09E7E97

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CreateDirectory
String ID: %.*s$%s%c$\
API String ID: 4241100979-1685191245
Opcode ID: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction ID: 24b1e26ab26a384f4ecd0cf04a740b14d5024e006b4d84739f3f2452ff787572
Opcode Fuzzy Hash: 302ffdc47f1f131389ecc473fe7ae023bae846d875cccfc6523225b15fd92315
Instruction Fuzzy Hash: 9031D82161AAC565EA218721E4103AE6354FB84BE8F441632FE6DCB7CEDE3CDA118700

Function 00007FF6D09FCF60 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D09FCF4B), ref: 00007FF6D09FD07C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D09FCF4B), ref: 00007FF6D09FD107

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction ID: 930f57e884679c9544b5dde74835a6ef6e88a1bc8eb7b6ba255b3871039a402f
Opcode Fuzzy Hash: a47a8d54e36ced6583969bea4ac316e5fdc1f02f5f342ddc714eca2f45cad1a1
Instruction Fuzzy Hash: 8891E572F19651A5F7649F6594402BD2FA9AB40B8CF146137EE0E9BB8ECF38D462C300

Function 00007FF6D09FF98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6D09FFA7C
_get_daylight.LIBCMT ref: 00007FF6D09FFA8D
_get_daylight.LIBCMT ref: 00007FF6D09FFA9E
_isindst.LIBCMT ref: 00007FF6D09FFB69

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 576ccc30c3309e7820e50b6d768e5ed48d0bd775ca8cc0cf793c7e93b20b9a58
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: A751F773F0411196EB18CF65D9616BC2B69AF4435DF501236ED1D9ABDEDF3CA4128700

Function 00007FF6D09F577C Relevance: 6.1, APIs: 4, Instructions: 119pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE ref: 00007FF6D09F57AF
GetFileInformationByHandle.KERNELBASE ref: 00007FF6D09F5811
GetLastError.KERNEL32 ref: 00007FF6D09F58A2
PeekNamedPipe.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D09F56B4), ref: 00007FF6D09F58EE

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: File$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 2780335769-0
Opcode ID: 6aefb500db5e0848cb3e1a230f039049599ff649377a7022c72adab745f1037c
Instruction ID: 30a54adffc7c7f0eb82b717744c2bcf03f5ef93c92b1d75e893926abf2994bba
Opcode Fuzzy Hash: 6aefb500db5e0848cb3e1a230f039049599ff649377a7022c72adab745f1037c
Instruction Fuzzy Hash: A8516F22E186419AF714DF71D4503BD2BA5AB48BACF145436EF0D9B78EDF38D4A18700

Function 00007FF6D09F5628 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F5655
CreateFileW.KERNELBASE ref: 00007FF6D09F5694
CloseHandle.KERNEL32 ref: 00007FF6D09F56C9

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction ID: 8207ddf213b62286ef31a54824ffda3cd2178eed9a6a339f252017f985c09197
Opcode Fuzzy Hash: 8f3d5377b4ca72f71b0fe910297a4b2920b1cd85568e136600ee028e7f718979
Instruction Fuzzy Hash: 2D419322D1C78193E7149B21951036D6B64FB943A8F10A336F76C87BDADF6CA4F08740

Function 00007FF6D09ECC3C Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D09ECE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6D09ECE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6D09ECC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF6D09ECCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6D09ECD21

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: a7d2a048248f6d508b3a0be5e0e02a06281e700e388e7283e36ccbb0fbdee2f2
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: 0A313961E0E24661FA18AB75A9113BD1681BF4138CF446437E98ECF3DFDE6DAD668200

Function 00007FF6D09F9A30 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6D09F9A2C), ref: 00007FF6D09F9A41
TerminateProcess.KERNEL32(?,?,?,00007FF6D09F9A2C), ref: 00007FF6D09F9A4C
ExitProcess.KERNEL32 ref: 00007FF6D09F9A5B

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction ID: e1ae70ad34663d1561b70430dd2396f237f42718ba5e08eb2f43c049d46746ae
Opcode Fuzzy Hash: 148d460979eed4a43ebbf671c65dc2dc638c0d89c9c01e8e00358d5495882c84
Instruction Fuzzy Hash: 6BD09E21F1C70A62EB1C6B715D5907C16596F88705F58243BD80B8A39FDD6CE86D4300

Function 00007FF6D09F013C Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F0180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F0277

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 3ba98800e2438041b7089719095d91e17a7ccc7fd5bc68e8dde435f04594deaf
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 8E51FB61B0D241A6EB249A2594006BE699DAFC4BACF185736FD7D8B7CFCE7CD4218600

Function 00007FF6D09FC134 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,?,?,?,00007FF6D09FC2CD), ref: 00007FF6D09FC180
GetLastError.KERNEL32(?,?,?,?,?,00007FF6D09FC2CD), ref: 00007FF6D09FC18A

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: d238907b49e4411a3c4a032298d3ac7898e4209dda65b92951ff635e8a1ea88f
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 6C11046271CA8191DB208B25A90016D6765BB41FF8F645332FE7D8BBDECE3CD0218700

Function 00007FF6D09F5924 Relevance: 3.0, APIs: 2, Instructions: 40timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D09F5839), ref: 00007FF6D09F5957
SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D09F5839), ref: 00007FF6D09F596D

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Time$System$FileLocalSpecific
String ID:
API String ID: 1707611234-0
Opcode ID: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction ID: a5b93ad69268bfce2b881984fa370ace040262f6737f1d786f25e13e6d9dfb40
Opcode Fuzzy Hash: 497c6f3b45805196ef8f930e068bad9451f3f50de380bc241881b145e929bf5b
Instruction Fuzzy Hash: A011823260C602D1EA588B15A41103EBB64FB84775FA02237F7ADC9ADDEF6CD465DB00

Function 00007FF6D09FA948 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6D0A02D22,?,?,?,00007FF6D0A02D5F,?,?,00000000,00007FF6D0A03225,?,?,?,00007FF6D0A03157), ref: 00007FF6D09FA95E
GetLastError.KERNEL32(?,?,?,00007FF6D0A02D22,?,?,?,00007FF6D0A02D5F,?,?,00000000,00007FF6D0A03225,?,?,?,00007FF6D0A03157), ref: 00007FF6D09FA968

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction ID: dd7bf146064888b7608054038573339a08dc338c7418316f5e111c5f3e2432f6
Opcode Fuzzy Hash: 46e6024f15a2f57ad5ff64688e0fe3cec5898f8577aba2f63b046adc8766ef53
Instruction Fuzzy Hash: 11E08651F1D20662FF185BF2544517D1A546FC4704F485037E81DCA39BDD2C68B58710

Function 00007FF6D09FAB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FF6D09FA9D5,?,?,00000000,00007FF6D09FAA8A), ref: 00007FF6D09FABC6
GetLastError.KERNEL32(?,?,?,00007FF6D09FA9D5,?,?,00000000,00007FF6D09FAA8A), ref: 00007FF6D09FABD0

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 10f73f27735533cba41b578d87d61c40df1ef3133d5472388822586f5c16af7b
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 2521C951F1C64261FAA4576194543BD1A8A9FC4798F186237F92ECF7DFCE6CA4614300

Function 00007FF6D09FBEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09FBED4

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 9d1a119f948d68553afad26f395d4f1d26af57d6bf199e851f100e1bc2ac7e36
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: 0D41E57291824193EA34DE19E84017D7BA8EB59798F142132F79ECB7DACF6CE412CB50

Function 00007FF6D09E7F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6D09E803A

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: aaa7b9ff11bb4346a21cc87fb8eff4a238e48d36b47c5124ab7cd44ae98a1b97
Instruction ID: 3d69f418cd18ee3511b5fbbee8e612212737a8d7e2ccf49ce56dac2ca010f38a
Opcode Fuzzy Hash: aaa7b9ff11bb4346a21cc87fb8eff4a238e48d36b47c5124ab7cd44ae98a1b97
Instruction Fuzzy Hash: 4A21E621B1A69166FA109A6265043FF9645FF85BD8F886432EE1CCF78BCE7DE465C300

Function 00007FF6D09FB93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09FB9C2

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction ID: fb763d096184f6096609c56f848b234e4a8721d18e35551d90ff92ee6913cb1f
Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction Fuzzy Hash: AD316562A18602A5F7515F55844137C2E98BF80BACF562137FB1D8B3DBCEBCE4A18711

Function 00007FF6D09F9961 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6D09F998F

Part of subcall function 00007FF6D09F9A88: GetModuleHandleExW.KERNEL32 ref: 00007FF6D09F9AAD
Part of subcall function 00007FF6D09F9A88: GetProcAddress.KERNEL32 ref: 00007FF6D09F9AC3
Part of subcall function 00007FF6D09F9A88: FreeLibrary.KERNEL32 ref: 00007FF6D09F9AEA

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction ID: 8675644bb67ae835c2af952eb623b1d951ddc7237a84e19c3f491455113bc2df
Opcode Fuzzy Hash: 42808d7c08696a35870eb95595f0ae95ff90971c005bfc8769c42bb91e99b0de
Instruction Fuzzy Hash: 24218D72A0474599EB248F74C4802EC3BA8EB4471CF44563BE75C8ABCADFB8D5A4C740

Function 00007FF6D09F5F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F5EF9

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 9e8442953db5231287fcba82469c70d4002c69b23ab76ef105012a4dc08d40ec
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: EA117B31A1C64152EA609F51940027D6A68BF85B98F455433FB8CDFB9FCF7DD5604740

Function 00007FF6D0A06354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A06377

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: 434e2f71a0c8881e63c46c6014e0400c33827d7d5b3eac8177101545670b31b0
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 0A21AF33A1CA4696EB648F19D44137D76A0BB84B98F18423AE65DCB7DEDF3DD4218B00

Function 00007FF6D09F03BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F0410

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 5325004799101a7b6e3388f10bea015e248ed98fc6802a3f9c7ecdb748000561
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 4F018221A0874550E904DB5259000ADAA99AF85FE8F485632FF6C9BBEFDE3CD4214300

Function 00007FF6D09F7EFC Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F7F3A

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: eb4e03bbc0b04cbc85d5aa4284f536322b5632f0a5d263bd1b62b358e696f9c3
Instruction ID: 0ac7ffadda9cbd4bc3b5a681f70f1376822896dad8c4e8b9ae193989944980f6
Opcode Fuzzy Hash: eb4e03bbc0b04cbc85d5aa4284f536322b5632f0a5d263bd1b62b358e696f9c3
Instruction Fuzzy Hash: 17018021E1D64370FA645B62654117DA998AF447D8F986637FA2CCA7CFDF2CE4B18200

Function 00007FF6D09F8238 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F8251

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction ID: a28ff57cc0811e68eb3f6b0547429786628e47736d3ca5d9b3ac3d9b8f22bb51
Opcode Fuzzy Hash: 3541b91b086c77dfe17527b78ee7977ece0d5fdea915d925a3ffaee66e22a6c2
Instruction Fuzzy Hash: 98E08CA0F9C602A7FA913AA804821BE1C288F95388F402033F9188E3CBDD2C78645321

Function 00007FF6D09FEB98 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF6D09FB32A,?,?,?,00007FF6D09F4F11,?,?,?,?,00007FF6D09FA48A), ref: 00007FF6D09FEBED

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction ID: 9b835dfc070e16cfd5bbeeda1acce39f72b1e0853bbc837d3a74069c65981a41
Opcode Fuzzy Hash: 0190c006dd090f1dc8136ef035d08a675b61e1fdbed98732a32380f018d60316
Instruction Fuzzy Hash: C8F06D55F19247A1FE6896A798512BC0A885F89B89F4C6533E90FCE3DFED1CE4A04210

Function 00007FF6D09FD5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6D09F0C90,?,?,?,00007FF6D09F22FA,?,?,?,?,?,00007FF6D09F3AE9), ref: 00007FF6D09FD63A

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 6d0ff445d41f350033e12147ef29b67f42d042f3b87a66b90b452c3b07a2b65c
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: E7F05E11F1E206A5FE645772580127C19994F857A8F182732FC2ECD3CBDD2CA4A08210

Non-executed Functions

Function 00007FF6D09E76C0 Relevance: 177.1, APIs: 66, Strings: 35, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FF6D09E76D7
GetLastError.KERNEL32 ref: 00007FF6D09E76E9
GetProcAddress.KERNEL32 ref: 00007FF6D09E7725
GetLastError.KERNEL32 ref: 00007FF6D09E7737
GetProcAddress.KERNEL32 ref: 00007FF6D09E7750
GetLastError.KERNEL32 ref: 00007FF6D09E7762
GetProcAddress.KERNEL32 ref: 00007FF6D09E777B
GetLastError.KERNEL32 ref: 00007FF6D09E778D
GetProcAddress.KERNEL32 ref: 00007FF6D09E77A9
GetLastError.KERNEL32 ref: 00007FF6D09E77BB
GetProcAddress.KERNEL32 ref: 00007FF6D09E77D7
GetLastError.KERNEL32 ref: 00007FF6D09E77E9
GetProcAddress.KERNEL32 ref: 00007FF6D09E7805
GetLastError.KERNEL32 ref: 00007FF6D09E7817
GetProcAddress.KERNEL32 ref: 00007FF6D09E7833
GetLastError.KERNEL32 ref: 00007FF6D09E7845
GetProcAddress.KERNEL32 ref: 00007FF6D09E7861
GetLastError.KERNEL32 ref: 00007FF6D09E7873

Strings

Tcl_GetString, xrefs: 00007FF6D09E7AAD, 00007FF6D09E7ACF
Tcl_DoOneEvent, xrefs: 00007FF6D09E7771, 00007FF6D09E7793
Tcl_MutexLock, xrefs: 00007FF6D09E78B3, 00007FF6D09E78D5
Tcl_Alloc, xrefs: 00007FF6D09E7C1D, 00007FF6D09E7C3F
Tcl_SetVar2Ex, xrefs: 00007FF6D09E7B37, 00007FF6D09E7B59
Tcl_FinalizeThread, xrefs: 00007FF6D09E77CD, 00007FF6D09E77EF
Tcl_Finalize, xrefs: 00007FF6D09E779F, 00007FF6D09E77C1
GetProcAddress, xrefs: 00007FF6D09E76FF
Tcl_GetVar2, xrefs: 00007FF6D09E7A23, 00007FF6D09E7A45
Tk_GetNumMainWindows, xrefs: 00007FF6D09E7CA7, 00007FF6D09E7CC9
Tcl_ThreadQueueEvent, xrefs: 00007FF6D09E79C7, 00007FF6D09E79E9
Tcl_JoinThread, xrefs: 00007FF6D09E7885, 00007FF6D09E78A7
Tcl_EvalEx, xrefs: 00007FF6D09E7BC1, 00007FF6D09E7BE3
Failed to get address for %hs, xrefs: 00007FF6D09E76F8
Tcl_CreateObjCommand, xrefs: 00007FF6D09E7A7F, 00007FF6D09E7AA1
Tcl_NewByteArrayObj, xrefs: 00007FF6D09E7B09, 00007FF6D09E7B2B
Tcl_FindExecutable, xrefs: 00007FF6D09E7746, 00007FF6D09E7768
Tcl_ConditionWait, xrefs: 00007FF6D09E7999, 00007FF6D09E79BB
Tcl_MutexFinalize, xrefs: 00007FF6D09E790F, 00007FF6D09E7931
Tcl_Init, xrefs: 00007FF6D09E76D0, 00007FF6D09E76EF
Tcl_Free, xrefs: 00007FF6D09E7C4B, 00007FF6D09E7C6D
Tcl_CreateInterp, xrefs: 00007FF6D09E771B, 00007FF6D09E773D
Tcl_GetObjResult, xrefs: 00007FF6D09E7B65, 00007FF6D09E7B87
Tcl_NewStringObj, xrefs: 00007FF6D09E7ADB, 00007FF6D09E7AFD
Tcl_ConditionNotify, xrefs: 00007FF6D09E796B, 00007FF6D09E798D
Tcl_ConditionFinalize, xrefs: 00007FF6D09E793D, 00007FF6D09E795F
Tcl_MutexUnlock, xrefs: 00007FF6D09E78E1, 00007FF6D09E7903
Tk_Init, xrefs: 00007FF6D09E7C79, 00007FF6D09E7C9B
Tcl_GetCurrentThread, xrefs: 00007FF6D09E7857, 00007FF6D09E7879
Tcl_DeleteInterp, xrefs: 00007FF6D09E77FB, 00007FF6D09E781D
Tcl_SetVar2, xrefs: 00007FF6D09E7A51, 00007FF6D09E7A73
Tcl_CreateThread, xrefs: 00007FF6D09E7829, 00007FF6D09E784B
Tcl_ThreadAlert, xrefs: 00007FF6D09E79F5, 00007FF6D09E7A17
Tcl_EvalObjv, xrefs: 00007FF6D09E7BEF, 00007FF6D09E7C11
Tcl_EvalFile, xrefs: 00007FF6D09E7B93, 00007FF6D09E7BB5

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
API String ID: 199729137-3427451314
Opcode ID: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction ID: f85d3dd4cba74a3b22ae46ed69f3d01e76b3df4dfb1e6a7d1d0a6f9d7cb98fe5
Opcode Fuzzy Hash: 939c8a0ebf27c7f5789cd4a10996167767bc86255d761b2ba34a42bc6fc861e3
Instruction Fuzzy Hash: F502C926D1EB0BB0EA1C9F56A91057D2361BF14748F486437E42EC636EEF3CB5798202

Function 00007FF6D0A040AC Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6D0A040FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A04766
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A048DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A04B9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A04DBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A04FF7
memcpy_s.LIBCPMT ref: 00007FF6D0A050D2
memcpy_s.LIBCPMT ref: 00007FF6D0A0517D
memcpy_s.LIBCPMT ref: 00007FF6D0A0524C

Strings

1#SNAN, xrefs: 00007FF6D0A0420A
1#INF, xrefs: 00007FF6D0A04223
1#QNAN, xrefs: 00007FF6D0A04213
1#IND, xrefs: 00007FF6D0A041E7

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction ID: b37052e6fba0b46de8f219b8fe39704531d91b4dd97a574ed03805e9fba0c4b4
Opcode Fuzzy Hash: 7da0388417e7c773b0aab48e07e342724827a26e5879d16e5decf6c79e081c8c
Instruction Fuzzy Hash: 0BB2C8B3A1C2879BE7698E66D4407FD37A1FB54384F485136DA0997B8EDF38A910CB40

Function 00007FF6D09EACAD Relevance: 12.0, Strings: 9, Instructions: 744COMMON

Download Yara Rule

Strings

invalid distances set, xrefs: 00007FF6D09EB1A0
invalid literal/length code, xrefs: 00007FF6D09EB3E2
invalid code -- missing end-of-block, xrefs: 00007FF6D09EB0C6
invalid literal/lengths set, xrefs: 00007FF6D09EB133
invalid code lengths set, xrefs: 00007FF6D09EAE2D
invalid distance code, xrefs: 00007FF6D09EB5B4
too many length or distance symbols, xrefs: 00007FF6D09EAE46
invalid bit length repeat, xrefs: 00007FF6D09EB099
invalid distance too far back, xrefs: 00007FF6D09EB670

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-2665694366
Opcode ID: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction ID: 763c93d6e758f3739f6b879ecc1fb33d6edadf0916261e8ac548f2797044366a
Opcode Fuzzy Hash: 55880860ec2df9374ed9e05eb7c1f9660e2769407a38999da05ffb99d6c3dc89
Instruction Fuzzy Hash: C95203B2A156A69BD7A48F14C458BBE3BA9FB44344F01513AE64ACB785DF3CEC50CB40

Function 00007FF6D09ED12C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6D09ED148
RtlCaptureContext.KERNEL32 ref: 00007FF6D09ED175
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6D09ED18F
RtlVirtualUnwind.KERNEL32 ref: 00007FF6D09ED1D0
IsDebuggerPresent.KERNEL32 ref: 00007FF6D09ED224
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6D09ED241
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6D09ED24C

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction ID: e5a7d78acf47d4cca3ef3b37770b90c310aa98331337032952107d72e9e517ea
Opcode Fuzzy Hash: 357b26123f7cc0566be18cabbec560c6351d8abd4e8582c9dfa9d4018571b442
Instruction Fuzzy Hash: 7E315072A19B8596EB648F61E8803EE7360FB88748F04403BDA4E87B9DDF78D558C710

Function 00007FF6D09FA614 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6D09FA68D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6D09FA6A5
RtlVirtualUnwind.KERNEL32 ref: 00007FF6D09FA6E0
IsDebuggerPresent.KERNEL32 ref: 00007FF6D09FA719
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6D09FA723
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6D09FA72E

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction ID: 01164f76643cf04e6cf64f917570bbe30e5708b341468d211e4cf37bca445bea
Opcode Fuzzy Hash: ae2d74aaff6e8c1310ec24f87c3395aa5518f909cdba62f6f822c67f0a9cc142
Instruction Fuzzy Hash: 5F319F36A18B8596DB24CF25E8402EE73A4FB88758F540136EA8D87B5EDF3CD565CB00

Function 00007FF6D0A01874 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A018C0
FindFirstFileExW.KERNEL32 ref: 00007FF6D0A019CA

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction ID: eee2bf2a92199a3e160dcd84e6d79879ddad396efa7426140bc5b3183f58a0b0
Opcode Fuzzy Hash: ee5daded1920a45b930385d49f4c9fb7106de6f00b6358014c2482279c1420ad
Instruction Fuzzy Hash: 1BB1C263B1D68A51EA689B2395101FD6390EB85BE4F485133EE4D87B9EEF3CE461C300

Function 00007FF6D09ED010 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6D09ED03C
GetCurrentThreadId.KERNEL32 ref: 00007FF6D09ED04A
GetCurrentProcessId.KERNEL32 ref: 00007FF6D09ED056
QueryPerformanceCounter.KERNEL32 ref: 00007FF6D09ED066

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction ID: 3a7d4d4bf6b9b338870fd84e2a599ffd5de31d547e94989f60c08c71a2b24dbc
Opcode Fuzzy Hash: 884c9866f0db1ea4ea3e8c559fd458021c8c8106c035f87ab540984eb8a2d97e
Instruction Fuzzy Hash: 7A115E22B58F059AEB00CF61E8542BD33A4FB1D758F080E32DA2D867A9DF7CD5648340

Function 00007FF6D0A03C10 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6D0A03C76
memcpy_s.LIBCPMT ref: 00007FF6D0A03CA1

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction ID: b678ffac5585db0ada48477211a31cb98b239b161ff4d5f9e8c272166f496b97
Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
Instruction Fuzzy Hash: E7C1C173A1C28A97E738CF16E04466EB795F784B84F488136DB4A9774DDE3DE8118B40

Function 00007FF6D09EA474 Relevance: 4.1, Strings: 3, Instructions: 398COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6D09EA55B
unknown header flags set, xrefs: 00007FF6D09EA4C5
header crc mismatch, xrefs: 00007FF6D09EA921

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID: $header crc mismatch$unknown header flags set
API String ID: 0-1127688429
Opcode ID: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction ID: 9454cb163d682d2b30417878264c9a8951568fc4406f262721145388b2b1a7a8
Opcode Fuzzy Hash: fcf6ea83c7a46010d3591867e81b0f53761d3f113121264a3729654d2d1b513f
Instruction Fuzzy Hash: 8EF1A6B2A093D59BE7A58B14C088B7E3AA9FF45748F055536DA49CB3A6CF38EC50C740

Function 00007FF6D0A09728 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6D0A09977
RaiseException.KERNEL32 ref: 00007FF6D0A09988

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction ID: a5366a0c85b51fe04bdf309e645dbe72de7194d224010b074c78aaa71628ca76
Opcode Fuzzy Hash: a4cc0e8a2f7e024105bf8074fef1866164229a93701b52dcf00f6f20498becf3
Instruction Fuzzy Hash: B4B15F73618B898BE719CF2AC84536C77A0F744B88F188926DA5D837ADCF79D461C700

Function 00007FF6D09F39A4 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6D09F3D54
, xrefs: 00007FF6D09F3B12

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction ID: 9b3493ec31f820574b1219ce54487d2c6596b1831031305c483ba341ecff186f
Opcode Fuzzy Hash: e57f1980f4491aea9eb328a1e81193c2bccc9a7e68d1918bb9b7207cf9600634
Instruction Fuzzy Hash: 0DE18732A0864695DB68CE26815013D3BA8FF45B4CF14A177EE4E8B7DADF2DE861C740

Function 00007FF6D09EA2DB Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

invalid window size, xrefs: 00007FF6D09EA442
incorrect header check, xrefs: 00007FF6D09EA45B

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID: incorrect header check$invalid window size
API String ID: 0-900081337
Opcode ID: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction ID: ac13b207a9cc6ee6b77070eb5c853ed010ba844b54a2b9ff33e6e69488fdcaf1
Opcode Fuzzy Hash: 7e7bac63e97a7e962ac1d8bc37368dc0e110af78d4507200a91f80e7c7b94e68
Instruction Fuzzy Hash: FF91B9B2A092C697E7A48B14C448B7E3A99FF44358F115136DA49CA7DADF38ED50CB40

Function 00007FF6D09FDEF0 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF6D09FE07A
e+000, xrefs: 00007FF6D09FDFFD

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction ID: af64a2d453d322f6fad8c1b609df2582b827b895997f5b769da4a4e78deb5fae
Opcode Fuzzy Hash: c8a24eaff8c968987b4d031b15ae93849e98bcf9eddb8930961e84febef9b5bc
Instruction Fuzzy Hash: 8D517762F2C2C556E7258E35980076D6F95E744B98F4CA232EB988BBCACF7DD4108701

Function 00007FF6D09FDA5C Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6D09FDD9E

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction ID: dbabfc7e7f31951160b6d53f24e22668e87749af86468799291307bb9021bb25
Opcode Fuzzy Hash: bcab6200947a377332474fa44b4677218d40dcace4b26705986274372b0e4f91
Instruction Fuzzy Hash: 96A15962E0A7C956EB21CF25A4007AD7B9AEB50788F059132EE8D8B7CADE3DD511C701

Function 00007FF6D09F8794 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

TMP, xrefs: 00007FF6D09F87B3

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: TMP
API String ID: 3215553584-3125297090
Opcode ID: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction ID: 760f22206c66d5e653fe1085dc5dcd2cf090b288e51aee9d77cefa2a690d8ee9
Opcode Fuzzy Hash: 09cdd7cf7fc9e7e425d724a32e8c9d3bd5c12dba7606eca5b930980d9b4d1239
Instruction Fuzzy Hash: BD519511F4860261FA989627590117F5A98EF84BDCF586436ED1ECB79FEE7CE4714200

Function 00007FF6D0A03480 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6D0A03484

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction ID: e9971f578c57b038da3a4c4ef837641a58b07469304f6b8759ea122b736fe775
Opcode Fuzzy Hash: 1f9e0516fd534d967cb731c121838b59470578846d262458ea046ba55ab40ebf
Instruction Fuzzy Hash: 36B09222E2BA06E2EA0C6B226C8226C22A47F58700F9C013AC00C8433AEE2C20F55700

Function 00007FF6D09F35A0 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction ID: 98d0bdfdb4b38cbb241117ea08d053fda2095891c7225332005a66f832f6514a
Opcode Fuzzy Hash: 5eca4e5ff3e7205525bf20f3b63783aa462e3e7adb0228d62bb7e98ab9f5e9bb
Instruction Fuzzy Hash: E2D1B962A08642A5EB68CE25804127D2BA8EF05B4CF14A277ED0DCB7DEDF7DD865C740

Function 00007FF6D09E9800 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction ID: 9e38c9f18e357d8601d0a12dded826f2781e9863f072bee9c00e404d18ed7b5d
Opcode Fuzzy Hash: e75d751cc15dfd510e55d83c6141b0e8cb11d18cbed01e0c543b372a0114c593
Instruction Fuzzy Hash: D8C1BF722181E08BD289EB29E46947A73D1F78930EB95506BEF87877C6CB3CA514DB10

Function 00007FF6D09F2C10 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction ID: c514f05ecd695e2c36723be593c2a472dac5369b18015b22746a11ed686b8b6c
Opcode Fuzzy Hash: aa73bfa000bc8cd66a05f12d530b76a597660d7bda6a6781f52cf2f49ffced0b
Instruction Fuzzy Hash: CCB19D72918B8596E764CF29C05027C3FA8EB49F4CF256136EA4E8B39ACF39D461C741

Function 00007FF6D09FE570 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction ID: 217b6324b885023d060a94899628814894b87fc5f9eeef7041dec22fa4602669
Opcode Fuzzy Hash: 9611c2e0762efa78d7f6da3d8515592aa8d86601c49200b7335873453b670326
Instruction Fuzzy Hash: 6381D372A0878556EB74CF19944037E6E95FB55798F145236EA8D8BB8EDF3CE4208B00

Function 00007FF6D0A06418 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 21aaab296e2e64a79b20cf98ea2699a9ab0529386423cc159892306e5cd43e00
Instruction ID: 97f773fb86b6c4aa68681e280c1befcc780d30d20e47452508f5ab05bb886c98
Opcode Fuzzy Hash: 21aaab296e2e64a79b20cf98ea2699a9ab0529386423cc159892306e5cd43e00
Instruction Fuzzy Hash: 8B61E923E1C25666F76C8A7A945267D6680AF40768F1C423FE61DC77CFDE6EE8208700

Function 00007FF6D09F2164 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: f45874384e44c1415b16ee81b36cc1cc75a323cf5467760f30415b8453ca8e4b
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 18519876A1865191E7248B29C44037C3BA5EB54F5CF246132DE5D8B79ACF3AE863C740

Function 00007FF6D09F1944 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: b872ec14779c73f6f314310c5c98cae9f5e63e179a7e53ea5199a1c48831d559
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: F1519636A1565191E7248B29D05023C3BB4EB44F5CF246136EA8D9B79ECF7AE863C7C0

Function 00007FF6D09F1D54 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 5e2beabc7f03a6cb954a06af970d8da95fe0aabe68b3dd5fa6212f615b82da8f
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: B0518B76A1865192E7248B19C04037C3BB4EB55B5CF245136EE4D9B7DACF3AE863C780

Function 00007FF6D09F1B50 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction ID: 576154b454237bf109a40397193eee9779b590b22f0488b45997e77f0771aa1b
Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
Instruction Fuzzy Hash: B1519636A18651D5E7248F29C05023C2BB5EB45B5CF246132EE4C9B79EDF3AE863C780

Function 00007FF6D09F1F60 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction ID: dd63e1ba6ba61e26be09e650a854f9349c8e67a7d09bf44691cb2884bff5e806
Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
Instruction Fuzzy Hash: B451873671865195E7248B29C04033C3BA4EB45B5CF285132EE4D9B79ECF3AE863C780

Function 00007FF6D09F1740 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction ID: e199d47c8a7d1c81079de2327799e338a4ba936e9a0cba01c5d8de63bcdf6589
Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
Instruction Fuzzy Hash: 8E516776A1465195E7248B29C04023C3BB5EB45B5CF246132DE4D9B79ECF3AE863D7C0

Function 00007FF6D09F5D30 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction ID: 19a314aa7250e66667ad86feea898145758a19df2210243f985ab15c5aff6724
Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
Instruction Fuzzy Hash: E8419662C4F74A35E9998918050C6BC1E889F127B8D5872B6FF9D9F3DBCD0D66A7C100

Function 00007FF6D09F9EA0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction ID: 8fe17498757f839c9a6e375f372d3ea7910279e5ce3101ab76e20e35df1e90d0
Opcode Fuzzy Hash: 1c7003d4bfacf113f63307708dabd17e5ede6cda44dccf6aa27d02a6b9ea0481
Instruction Fuzzy Hash: 8B412263714A5592EF08CF2AE9141ADB7A5BB48FD4B09A033EE0DDBB59DE7CD4528300

Function 00007FF6D09F80E4 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction ID: 3498394fc173d736e4bf41a9d6b1a4fcc6fb2fc00007905e9d6b97df348d24e3
Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
Instruction Fuzzy Hash: 7231D232B1CB4241E7A49F26644017E6AD8EB84BD4F14523AFA5D97BDADF3CE0228704

Function 00007FF6D0A09570 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction ID: 43b8fd4a6674c615d1ae0f715206080dad25256034e6f9b6440237297166957b
Opcode Fuzzy Hash: 5d3ac10822f6242d2b374fc0e1218152d8e80c351f0dfcd4fab21387456caa74
Instruction Fuzzy Hash: 61F044737186959ADBACCF6AA80262977D0F708380F44943AD58DC7B18DE3CD1619F04

Function 00007FF6D09ED30C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction ID: b443afdfac9f47b445e3c39417198e183872a18b56f4d5c648f3245677d4e471
Opcode Fuzzy Hash: 3c3909751b2697c6481bc0460501d6177e5cf72f77169ad8285d6e0cd944102a
Instruction Fuzzy Hash: 0DA00122D1E80AE0E6488B01A9900692220BB69348B842033E00DD52AADE2CA8249201

Function 00007FF6D09E5830 Relevance: 229.6, APIs: 86, Strings: 45, Instructions: 400libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E5840
GetLastError.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E5852
GetProcAddress.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E5889
GetLastError.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E589B
GetProcAddress.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E58B4
GetLastError.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E58C6
GetProcAddress.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E58DF
GetLastError.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E58F1
GetProcAddress.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E590D
GetLastError.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E591F
GetProcAddress.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E593B
GetLastError.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E594D
GetProcAddress.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E5969
GetLastError.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E597B
GetProcAddress.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E5997
GetLastError.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E59A9
GetProcAddress.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E59C5
GetLastError.KERNEL32(?,00007FF6D09E64CF,?,00007FF6D09E336E), ref: 00007FF6D09E59D7

Strings

Py_ExitStatusException, xrefs: 00007FF6D09E58AA, 00007FF6D09E58CC
PyUnicode_DecodeFSDefault, xrefs: 00007FF6D09E5F1F, 00007FF6D09E5F41
PyObject_CallFunctionObjArgs, xrefs: 00007FF6D09E5D25, 00007FF6D09E5D47
PyImport_AddModule, xrefs: 00007FF6D09E5BE3, 00007FF6D09E5C05
PyPreConfig_InitIsolatedConfig, xrefs: 00007FF6D09E5DDD, 00007FF6D09E5DFF
PyUnicode_Join, xrefs: 00007FF6D09E5FA9, 00007FF6D09E5FCB
PySys_GetObject, xrefs: 00007FF6D09E5E67, 00007FF6D09E5E89
Py_IsInitialized, xrefs: 00007FF6D09E5931, 00007FF6D09E5953
PyUnicode_Decode, xrefs: 00007FF6D09E5EF1, 00007FF6D09E5F13
PyConfig_Read, xrefs: 00007FF6D09E59E9, 00007FF6D09E5A0B
PyObject_SetAttrString, xrefs: 00007FF6D09E5D81, 00007FF6D09E5DA3
PyConfig_SetBytesString, xrefs: 00007FF6D09E5A17, 00007FF6D09E5A39
GetProcAddress, xrefs: 00007FF6D09E5868
PyConfig_Clear, xrefs: 00007FF6D09E598D, 00007FF6D09E59AF
Py_InitializeFromConfig, xrefs: 00007FF6D09E5903, 00007FF6D09E5925
PyStatus_Exception, xrefs: 00007FF6D09E5E39, 00007FF6D09E5E5B
Failed to get address for %hs, xrefs: 00007FF6D09E5861
PyConfig_InitIsolatedConfig, xrefs: 00007FF6D09E59BB, 00007FF6D09E59DD
PyModule_GetDict, xrefs: 00007FF6D09E5CC9, 00007FF6D09E5CEB
PyUnicode_FromFormat, xrefs: 00007FF6D09E5F4D, 00007FF6D09E5F6F
Py_DecodeLocale, xrefs: 00007FF6D09E587F, 00007FF6D09E58A1
PyMarshal_ReadObjectFromString, xrefs: 00007FF6D09E5C6D, 00007FF6D09E5C8F
PyImport_ImportModule, xrefs: 00007FF6D09E5C3F, 00007FF6D09E5C61
PyErr_Clear, xrefs: 00007FF6D09E5AA1, 00007FF6D09E5AC3
PyConfig_SetWideStringList, xrefs: 00007FF6D09E5A73, 00007FF6D09E5A95
PyErr_Print, xrefs: 00007FF6D09E5B59, 00007FF6D09E5B7B
PyRun_SimpleStringFlags, xrefs: 00007FF6D09E5E0B, 00007FF6D09E5E2D
PyUnicode_FromString, xrefs: 00007FF6D09E5F7B, 00007FF6D09E5F9D
PyErr_Fetch, xrefs: 00007FF6D09E5ACF, 00007FF6D09E5AF1
Py_Finalize, xrefs: 00007FF6D09E58D5, 00007FF6D09E58F7
PyErr_Restore, xrefs: 00007FF6D09E5B87, 00007FF6D09E5BA9
PyErr_NormalizeException, xrefs: 00007FF6D09E5AFD, 00007FF6D09E5B1F
PyConfig_SetString, xrefs: 00007FF6D09E5A45, 00007FF6D09E5A67
PyImport_ExecCodeModule, xrefs: 00007FF6D09E5C11, 00007FF6D09E5C33
PyUnicode_Replace, xrefs: 00007FF6D09E5FD7, 00007FF6D09E5FF9
Py_DecRef, xrefs: 00007FF6D09E5836, 00007FF6D09E5858
PyErr_Occurred, xrefs: 00007FF6D09E5B2B, 00007FF6D09E5B4D
PyMem_RawFree, xrefs: 00007FF6D09E5C9B, 00007FF6D09E5CBD
PyObject_GetAttrString, xrefs: 00007FF6D09E5D53, 00007FF6D09E5D75
PyObject_CallFunction, xrefs: 00007FF6D09E5CF7, 00007FF6D09E5D19
PyUnicode_AsUTF8, xrefs: 00007FF6D09E5EC3, 00007FF6D09E5EE5
PySys_SetObject, xrefs: 00007FF6D09E5E95, 00007FF6D09E5EB7
PyEval_EvalCode, xrefs: 00007FF6D09E5BB5, 00007FF6D09E5BD7
Py_PreInitialize, xrefs: 00007FF6D09E595F, 00007FF6D09E5981
PyObject_Str, xrefs: 00007FF6D09E5DAF, 00007FF6D09E5DD1

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: AddressErrorLastProc
String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
API String ID: 199729137-653951865
Opcode ID: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction ID: 8b30f166ee3875d84d8d9d4d2ea7cf86673d01466349087cd806e2f8a5776fbc
Opcode Fuzzy Hash: a72b1b0889ffc37889110ad0e4f068dcb4eb8b0bbe2e77bf2d8672c26fae6e03
Instruction Fuzzy Hash: 0222AA6691EB0BB1FA18DF56A85057D22A0BF14755F496037C81EC63AFFF3CA9788200

Function 00007FF6D09E81D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D09E9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6D09E45F4,00000000,00007FF6D09E1985), ref: 00007FF6D09E93C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6D09E86B7,?,?,00000000,00007FF6D09E3CBB), ref: 00007FF6D09E822C

Part of subcall function 00007FF6D09E2810: MessageBoxW.USER32 ref: 00007FF6D09E28EA

Strings

LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6D09E8203
%.*s, xrefs: 00007FF6D09E830C
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF6D09E8373
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF6D09E829D
LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6D09E82D9
CreateDirectory, xrefs: 00007FF6D09E837C
\, xrefs: 00007FF6D09E8261
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6D09E8240

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction ID: 9705a7f41a3778bbe20a72b0e9e0d87a4b2783617791c49f8b6f252c7d71e208
Opcode Fuzzy Hash: 9187bed43bf71c5340eadf58a1920dd2feb36a2730cc38c17813087cef3183ed
Instruction Fuzzy Hash: 3251B922A2E64271FA549B65D9512BF6350FF44788F446433E61ECA7DFEE7CE8248300

Function 00007FF6D09E2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6D09E21AB
SelectObject.GDI32 ref: 00007FF6D09E21F2
DrawTextW.USER32 ref: 00007FF6D09E2215
SelectObject.GDI32 ref: 00007FF6D09E222B
ReleaseDC.USER32 ref: 00007FF6D09E223B
MoveWindow.USER32 ref: 00007FF6D09E228B
MoveWindow.USER32 ref: 00007FF6D09E22CB
MoveWindow.USER32 ref: 00007FF6D09E231E
MoveWindow.USER32 ref: 00007FF6D09E2366

Strings

P%, xrefs: 00007FF6D09E21FF

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: b1addf4061d0eb3cda5b0457c4acc114c4cd96d2f3579ae798734626181f88cc
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: A05129266187A186D6389F22E4181BEB7A1F798B61F004132EFDE8379ADF3CD155CB10

Function 00007FF6D09E80C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongPtrW.USER32 ref: 00007FF6D09E80FF
GetWindowLongPtrW.USER32 ref: 00007FF6D09E817F
ShutdownBlockReasonCreate.USER32 ref: 00007FF6D09E8192
GetLastError.KERNEL32 ref: 00007FF6D09E819C
SetWindowLongPtrW.USER32 ref: 00007FF6D09E81B3

Strings

Needs to remove its temporary files., xrefs: 00007FF6D09E8185

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: LongWindow$BlockCreateErrorLastReasonShutdown
String ID: Needs to remove its temporary files.
API String ID: 3975851968-2863640275
Opcode ID: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction ID: 59050b9f57aab5cb76b3963ba2b780087d204e742b0c56bb176720d3029d2755
Opcode Fuzzy Hash: fca9629812ae98fc4dea80e51924cd1fa5b6a95a0379263e815d251d6ca0a567
Instruction Fuzzy Hash: 6C210722B1DA46A1E7458BBBE95417E6250FF88B94F0C5233DA2DC73DEDE2CD9618300

Function 00007FF6D09F6290 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 494COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F62D3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F66C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F695C

Strings

-, xrefs: 00007FF6D09F6369
:, xrefs: 00007FF6D09F648C
f, xrefs: 00007FF6D09F63F5
p, xrefs: 00007FF6D09F63FD
p, xrefs: 00007FF6D09F6385

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: -$:$f$p$p
API String ID: 3215553584-2013873522
Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction ID: 93bf2863a7451f37dd87cc806eb78b9aa8d4fdca1bef1a578f42f4b12263e55c
Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
Instruction Fuzzy Hash: 69129362E0C343A6FB205A14D15427E7A69FB90758F94513BF689CA7CEDF3CE5A08B00

Function 00007FF6D09F0FC8 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F1008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F13D0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F166F

Strings

p, xrefs: 00007FF6D09F10AD
f, xrefs: 00007FF6D09F10A0
p, xrefs: 00007FF6D09F1112
f, xrefs: 00007FF6D09F110A
f, xrefs: 00007FF6D09F1255

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction ID: f0b21b7929651b5454ab6f70b9ff06c158c708ca9e312cc6b83c079d9327b605
Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
Instruction Fuzzy Hash: 36129661E1C143A6FB245A14E05467D7AB9FB80758F845037F69A8BBCDDF7CE4A08B80

Function 00007FF6D09E1050 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF6D09E1098
fread, xrefs: 00007FF6D09E11FD
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6D09E11F6
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6D09E1108
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6D09E10CC
malloc, xrefs: 00007FF6D09E110F
fseek, xrefs: 00007FF6D09E10D3

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: b86492fec82845683ed30ee17fa4372ac3c9e67344e1de42683d38f875b626aa
Instruction ID: 1cffdf1a5980c737c337fbdb2fc56015da774ca7f201d3a5dc52d21146064a48
Opcode Fuzzy Hash: b86492fec82845683ed30ee17fa4372ac3c9e67344e1de42683d38f875b626aa
Instruction Fuzzy Hash: 27418222B1D652A2EA14DB12A9006BD6794FF44BC8F446433EE0CCB79FDE3CE9258740

Function 00007FF6D09E1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

Failed to extract %s: failed to open archive file!, xrefs: 00007FF6D09E149F
fread, xrefs: 00007FF6D09E15E6
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6D09E15DF
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6D09E1518
Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6D09E14DE
malloc, xrefs: 00007FF6D09E151F
fseek, xrefs: 00007FF6D09E14E5

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 0668517533cd0d68b5080e8717ca13fde84679c12f5f15204a3f6509b4669e23
Instruction ID: 6091c37d81cf057244d10fe1457fce88128514ce4b171ec3fb90f57ae6fca4ed
Opcode Fuzzy Hash: 0668517533cd0d68b5080e8717ca13fde84679c12f5f15204a3f6509b4669e23
Instruction Fuzzy Hash: 80419D32A19642A6EB00DB2295005BD6394FF84788F846533FE0DCBB9FDE3CE9658700

Function 00007FF6D09EEA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6D09EEA65

Part of subcall function 00007FF6D09EF9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF6D09EF9FF
Part of subcall function 00007FF6D09EF9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6D09EFA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6D09EEB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6D09EED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6D09EEE98

Strings

csm, xrefs: 00007FF6D09EEAE6
csm, xrefs: 00007FF6D09EEA7F
csm, xrefs: 00007FF6D09EEB60

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 7fa0935ef7fd96ed2e520c11019f7cf75e732627331a2ae481c8b77e65ed6183
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: 6AD17F32A0974196EB209B65D4403AD77A0FB4578CF142136EE8DDBB9BDF38E8A5C740

Function 00007FF6D09E2C50 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D09E3706,?,00007FF6D09E3804), ref: 00007FF6D09E2C9E
FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D09E3706,?,00007FF6D09E3804), ref: 00007FF6D09E2D63
MessageBoxW.USER32 ref: 00007FF6D09E2D99

Strings

<FormatMessageW failed.>, xrefs: 00007FF6D09E2D70
[PYI-%d:ERROR] , xrefs: 00007FF6D09E2CA6
%ls: , xrefs: 00007FF6D09E2D22
Error, xrefs: 00007FF6D09E2D8C

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Message$CurrentFormatProcess
String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
API String ID: 3940978338-251083826
Opcode ID: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction ID: ea6596965dca7444fcfcfdaa2173a0191a02c772ff81d898f15e9c601b7254af
Opcode Fuzzy Hash: c67c27f58c2af476bbbd059d0433c12e6f67668a4e3ecf6e42cf1bc8669f0b6b
Instruction Fuzzy Hash: 8231C533708B4162E6249B26A9102AE6695BF88B98F410137EF4DD775EDE3CD956C300

Function 00007FF6D09EDCC8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6D09EDF7A,?,?,?,00007FF6D09EDC6C,?,?,?,00007FF6D09ED869), ref: 00007FF6D09EDD4D
GetLastError.KERNEL32(?,?,?,00007FF6D09EDF7A,?,?,?,00007FF6D09EDC6C,?,?,?,00007FF6D09ED869), ref: 00007FF6D09EDD5B
LoadLibraryExW.KERNEL32(?,?,?,00007FF6D09EDF7A,?,?,?,00007FF6D09EDC6C,?,?,?,00007FF6D09ED869), ref: 00007FF6D09EDD85
FreeLibrary.KERNEL32(?,?,?,00007FF6D09EDF7A,?,?,?,00007FF6D09EDC6C,?,?,?,00007FF6D09ED869), ref: 00007FF6D09EDDF3
GetProcAddress.KERNEL32(?,?,?,00007FF6D09EDF7A,?,?,?,00007FF6D09EDC6C,?,?,?,00007FF6D09ED869), ref: 00007FF6D09EDDFF

Strings

api-ms-, xrefs: 00007FF6D09EDD6D

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction ID: b7bf6773f2ec1f8ed645f9ae670963ddb35f3c3bea4438a34c998c43714e1be4
Opcode Fuzzy Hash: 276526191d17588ee9fa22b972cdf0953455baf5c8a53fb276b347519b5968a9
Instruction Fuzzy Hash: 20318521F1B642A1EE159B0698006BD2394FF44BA8F595537DD1DCF7CADF3CE8A48200

Function 00007FF6D09E6360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

LoadLibrary, xrefs: 00007FF6D09E64AE
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF6D09E6456
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6D09E63C7
Failed to load Python DLL '%ls'., xrefs: 00007FF6D09E64A7
ucrtbase.dll, xrefs: 00007FF6D09E63DD
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6D09E6407

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction ID: a8dff007917e73dbdc5ece4918793b2b4433f85c2bee3ee8dd48ab968a4dca4e
Opcode Fuzzy Hash: 2df6df0904ecf2e68063807813f252f2c523520ae69ca8fe89000ee1ae80a761
Instruction Fuzzy Hash: B5415E22A1D686A1EA15DB21E4152ED6321FB44388F801137DA5CCB7DFEE3CE925C740

Function 00007FF6D09E2A50 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF6D09E351A,?,00000000,00007FF6D09E3F23), ref: 00007FF6D09E2AA0

Strings

WARNING, xrefs: 00007FF6D09E2AAF
0, xrefs: 00007FF6D09E2B16
Warning [ANSI Fallback], xrefs: 00007FF6D09E2B0F
Warning, xrefs: 00007FF6D09E2B1E
[PYI-%d:%s] , xrefs: 00007FF6D09E2AA8

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentProcess
String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-2900015858
Opcode ID: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction ID: 8a4296999e819ec093ef64a3a1c21c82667b22c57bebad7c2d181498867ec7d6
Opcode Fuzzy Hash: d3ff72078d09a899d0ca032b5bdbc8691629937d026b54217f09319e947088a3
Instruction Fuzzy Hash: A2219F32A1978162E6209B51B8407EA6394BB88784F441137FE8CC775EDF7CD6658640

Function 00007FF6D09FB150 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6D09FB15F
FlsGetValue.KERNEL32 ref: 00007FF6D09FB174
FlsSetValue.KERNEL32 ref: 00007FF6D09FB195
FlsSetValue.KERNEL32 ref: 00007FF6D09FB1C2
FlsSetValue.KERNEL32 ref: 00007FF6D09FB1D3
FlsSetValue.KERNEL32 ref: 00007FF6D09FB1E4
SetLastError.KERNEL32 ref: 00007FF6D09FB1FF

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction ID: 15fcbea05dcd9f4d7a8612b5dcccbe4772ff1cbbe8b4a1dd11fc4a22a4dd6d21
Opcode Fuzzy Hash: a42b9cf7ed1ffe71ebcf97f5a72f2c90d2921d4b6bb9ef7954fc9d2fe8c6feaf
Instruction Fuzzy Hash: 10217F61B0C64271FA589722966517D194A5F447B8F186736FA3ECA7CFDD2CB4604301

Function 00007FF6D0A07D6C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6D0A07D9D
GetLastError.KERNEL32 ref: 00007FF6D0A07DA9
CloseHandle.KERNEL32 ref: 00007FF6D0A07DC1
CreateFileW.KERNEL32 ref: 00007FF6D0A07DEC
WriteConsoleW.KERNEL32 ref: 00007FF6D0A07E0B

Strings

CONOUT$, xrefs: 00007FF6D0A07DCD

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction ID: 3dbc5ef78b77da8940ee4bac26d4f29f9d1125e8e752490e6fc524030deb7bd7
Opcode Fuzzy Hash: 3755c2f75cb97972cd4ab37a7e27d28fd0bf6f95a56d27d10542fc75f089f0eb
Instruction Fuzzy Hash: 7C119032B2CA4596E7548B13E85432D62A0FB8CBE4F080236EA5DC77ADDF3CD8248740

Function 00007FF6D09E8ED0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,FFFFFFFF,00000000,00007FF6D09E3FB1), ref: 00007FF6D09E8EFD
K32EnumProcessModules.KERNEL32(?,FFFFFFFF,00000000,00007FF6D09E3FB1), ref: 00007FF6D09E8F5A

Part of subcall function 00007FF6D09E9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6D09E45F4,00000000,00007FF6D09E1985), ref: 00007FF6D09E93C9

K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF6D09E3FB1), ref: 00007FF6D09E8FE5
K32GetModuleFileNameExW.KERNEL32(?,FFFFFFFF,00000000,00007FF6D09E3FB1), ref: 00007FF6D09E9044
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF6D09E3FB1), ref: 00007FF6D09E9055
FreeLibrary.KERNEL32(?,FFFFFFFF,00000000,00007FF6D09E3FB1), ref: 00007FF6D09E906A

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
String ID:
API String ID: 3462794448-0
Opcode ID: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction ID: 02127241bff8875a8f4b45c1a5473ae7bdc9df0de9cef3e4c3d5b2daad1abd2f
Opcode Fuzzy Hash: 0184f5a771bb2c28f933eba3e4018dda16e38d059dd6d010c17659477659ba58
Instruction Fuzzy Hash: 6941F962A1A68191EA309B22A5002BE7394FB84BD9F442136DF9DDB78FDE7CD911C700

Function 00007FF6D09FB2C8 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6D09F4F11,?,?,?,?,00007FF6D09FA48A,?,?,?,?,00007FF6D09F718F), ref: 00007FF6D09FB2D7
FlsSetValue.KERNEL32(?,?,?,00007FF6D09F4F11,?,?,?,?,00007FF6D09FA48A,?,?,?,?,00007FF6D09F718F), ref: 00007FF6D09FB30D
FlsSetValue.KERNEL32(?,?,?,00007FF6D09F4F11,?,?,?,?,00007FF6D09FA48A,?,?,?,?,00007FF6D09F718F), ref: 00007FF6D09FB33A
FlsSetValue.KERNEL32(?,?,?,00007FF6D09F4F11,?,?,?,?,00007FF6D09FA48A,?,?,?,?,00007FF6D09F718F), ref: 00007FF6D09FB34B
FlsSetValue.KERNEL32(?,?,?,00007FF6D09F4F11,?,?,?,?,00007FF6D09FA48A,?,?,?,?,00007FF6D09F718F), ref: 00007FF6D09FB35C
SetLastError.KERNEL32(?,?,?,00007FF6D09F4F11,?,?,?,?,00007FF6D09FA48A,?,?,?,?,00007FF6D09F718F), ref: 00007FF6D09FB377

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction ID: 79f9256ce0655b43d73965ba3e7a0687869c6bd3e959a1b94f87ad5059dc8aef
Opcode Fuzzy Hash: 1c08c83365d44066401784e1b70b71c7670d14ff4fb682678828c33d1612b477
Instruction Fuzzy Hash: CB11AE21A4D602B2FA589B22965017D194A9F447B8F186336F93ECB7DFDE6CA4204301

Function 00007FF6D09E2910 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6D09E1B6A), ref: 00007FF6D09E295E

Strings

%s: %s, xrefs: 00007FF6D09E29E8
[PYI-%d:ERROR] , xrefs: 00007FF6D09E2966
Error [ANSI Fallback], xrefs: 00007FF6D09E29FF
Error, xrefs: 00007FF6D09E2A0E

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentProcess
String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
API String ID: 2050909247-2962405886
Opcode ID: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction ID: 7bcff18e78f6017ab2fe2fb3234da30ccf820198a66694040399eafdfb3cdc71
Opcode Fuzzy Hash: b3354eec44a94607d33eb4f3788ab89374ba031f66333e1b118589dca889f3f3
Instruction Fuzzy Hash: 0631F433B1968562E7209761A9402EF6694BF887D8F441133FE8DC774EEF7CE9668200

Function 00007FF6D09E2390 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6D09E23C8
DialogBoxIndirectParamW.USER32 ref: 00007FF6D09E248E
DeleteObject.GDI32 ref: 00007FF6D09E24C1
DestroyIcon.USER32 ref: 00007FF6D09E24D3

Strings

Unhandled exception in script, xrefs: 00007FF6D09E23F8

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
String ID: Unhandled exception in script
API String ID: 3081866767-2699770090
Opcode ID: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction ID: 8376154b6bd52b46599601127c2c6f70c85eccf0d2ef8c4aff60935f81ca09e7
Opcode Fuzzy Hash: 851ce5d4a208b56cb63585478e484d0f9d6918564d04618497f061aba15d8534
Instruction Fuzzy Hash: E6318F72619A8299EB24DB21E8552FE6360FF88788F440136FA4D8BB5EDF7CD1118700

Function 00007FF6D09E2B50 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF6D09E918F,?,00007FF6D09E3C55), ref: 00007FF6D09E2BA0
MessageBoxW.USER32 ref: 00007FF6D09E2C2A

Strings

[PYI-%d:%ls] , xrefs: 00007FF6D09E2BA8
WARNING, xrefs: 00007FF6D09E2BAF
Warning, xrefs: 00007FF6D09E2C1D

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentMessageProcess
String ID: WARNING$Warning$[PYI-%d:%ls]
API String ID: 1672936522-3797743490
Opcode ID: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction ID: 43ced5edfa14db7df243e92a3dff2ff2c6430a8a157f625dbfcab8e7a7d16307
Opcode Fuzzy Hash: 4a0b6e8ebe13cae449087f655af1d2523953ec7fd560ce9a50e7097f48d063a1
Instruction Fuzzy Hash: 6021BC62719B41A2E7209B15B8407EE63A4FB88784F441137EA8D9B75EDF3CE626C740

Function 00007FF6D09E2710 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF6D09E1B99), ref: 00007FF6D09E2760

Strings

Error [ANSI Fallback], xrefs: 00007FF6D09E27CF
ERROR, xrefs: 00007FF6D09E276F
Error, xrefs: 00007FF6D09E27DE
[PYI-%d:%s] , xrefs: 00007FF6D09E2768

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentProcess
String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
API String ID: 2050909247-1591803126
Opcode ID: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction ID: cf4669c6af3e9947633eebd759520dfe2f399eaf443ee449c534e11b0ab4fa35
Opcode Fuzzy Hash: a4fe537d534c2fb53088f6f6b76b448a80ccad2508d4dc842b27f1a8247accfc
Instruction Fuzzy Hash: C9219F72A1978162E620DB51B8407EAA394BB88784F441133FA8CC775EDF7CE5558740

Function 00007FF6D09F9A88 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6D09F9AAD
GetProcAddress.KERNEL32 ref: 00007FF6D09F9AC3
FreeLibrary.KERNEL32 ref: 00007FF6D09F9AEA

Strings

CorExitProcess, xrefs: 00007FF6D09F9ABC
mscoree.dll, xrefs: 00007FF6D09F9AA4

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction ID: f0872e34bb8dba97d4f3fdf2f9db042a671e53cb0cbc5a0dcc0794338fc34556
Opcode Fuzzy Hash: b239dd027a539e56a716c05e535b4da9cb8e2339e08a4dc57142401ef2416000
Instruction Fuzzy Hash: 5FF0C222B1C70AA1EB188B21E49437E2320EF45764F581237D66E8A7EECF2CD064C300

Function 00007FF6D0A09368 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6D0A09390
_set_statfp.LIBCMT ref: 00007FF6D0A093AB
_set_statfp.LIBCMT ref: 00007FF6D0A093C7
_set_statfp.LIBCMT ref: 00007FF6D0A09403

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction ID: 70dbb5a2c53e880f7de336122c23bc92104d90855399a68364f3f88247270264
Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
Instruction Fuzzy Hash: 48116323E5CA0E61F65C1157E4A137D1050AF59370E0C063AFA6E9A3DFCEECA4724501

Function 00007FF6D09FB390 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6D09FA5A3,?,?,00000000,00007FF6D09FA83E,?,?,?,?,?,00007FF6D09FA7CA), ref: 00007FF6D09FB3AF
FlsSetValue.KERNEL32(?,?,?,00007FF6D09FA5A3,?,?,00000000,00007FF6D09FA83E,?,?,?,?,?,00007FF6D09FA7CA), ref: 00007FF6D09FB3CE
FlsSetValue.KERNEL32(?,?,?,00007FF6D09FA5A3,?,?,00000000,00007FF6D09FA83E,?,?,?,?,?,00007FF6D09FA7CA), ref: 00007FF6D09FB3F6
FlsSetValue.KERNEL32(?,?,?,00007FF6D09FA5A3,?,?,00000000,00007FF6D09FA83E,?,?,?,?,?,00007FF6D09FA7CA), ref: 00007FF6D09FB407
FlsSetValue.KERNEL32(?,?,?,00007FF6D09FA5A3,?,?,00000000,00007FF6D09FA83E,?,?,?,?,?,00007FF6D09FA7CA), ref: 00007FF6D09FB418

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction ID: 5a5ef16a25136bf42af45f8d320437d0e8103fbbe850b1530745d3e129650968
Opcode Fuzzy Hash: 44f6b3e63c936746b9124b5af5da9c753e88c88086b63197a25bc1506e4861c0
Instruction Fuzzy Hash: 72117FA0F0960261FA589B26965117D29495F447B8F4CA336FA3DCEBDFDE2CB8618201

Function 00007FF6D09FB224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6D09FB235
FlsSetValue.KERNEL32 ref: 00007FF6D09FB254
FlsSetValue.KERNEL32 ref: 00007FF6D09FB27C
FlsSetValue.KERNEL32 ref: 00007FF6D09FB28D
FlsSetValue.KERNEL32 ref: 00007FF6D09FB29E

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction ID: 3963ebe4b975e9383235a0ebb2bb431550efa829053cfd9e1ac6d31604d4631e
Opcode Fuzzy Hash: 92671db20a050c4f2636db97a8291f7b9cbb2c044339a59ef12305351f814945
Instruction Fuzzy Hash: 551118A0E0860771F958A76244611BD194A5FA533CF18A736FA3ECE7DFDD2CB8604201

Function 00007FF6D09F5FA0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F5FDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F6106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F61BC

Strings

verbose, xrefs: 00007FF6D09F5FB0

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: verbose
API String ID: 3215553584-579935070
Opcode ID: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction ID: ef2dcf37f5c8937a5b2822fd73e70f2a6544f1be9fa4216c8be8f2b0c764c579
Opcode Fuzzy Hash: 8c3a45f75ca5c0a3459ca2e96ae2fbbf181a3d63a640e770f0a7cf37c7606cec
Instruction Fuzzy Hash: 7991B232A0C74691F7618E25D4503BD3AA9AB40B9CF54523BEA5DCB3DBDE3DE8658300

Function 00007FF6D09FFBC8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09FFEA7

Part of subcall function 00007FF6D09F7A3C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F7A59

Strings

UTF-8, xrefs: 00007FF6D09FFE26
ccs, xrefs: 00007FF6D09FFDE2
UTF-16LEUNICODE, xrefs: 00007FF6D09FFE45

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction ID: 2bea2921b75b775e3f2fd1d963305011231b5df4e7802b8a3261d78f84429480
Opcode Fuzzy Hash: 7089664b0a027e884898b454f5d4d61e653d4f3baae8c024cbe23c99275e4c13
Instruction Fuzzy Hash: B8818072D08252A5E7745E2A816027C2EA8AF11B8CF556037EA49DF3DFDF2DE9219301

Function 00007FF6D09ED648 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6D09ED673
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6D09ED70A
RtlUnwindEx.KERNEL32 ref: 00007FF6D09ED764

Strings

csm, xrefs: 00007FF6D09ED6F1

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction ID: d574c5a5451644f72ac83315770e20ed2ecd0ea6891655ffd6e9ab0843e8e930
Opcode Fuzzy Hash: 4bd751ab4a757734da5bac4c310991cbc8ef63d187f18c7a3c34a87046479a0f
Instruction Fuzzy Hash: E1516B62E1B602AAEB148B15E444A7C6391FB44B98F149136DA4ECB78ADF7DEC61C700

Function 00007FF6D09EF288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6D09EF2B0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6D09EF398

Strings

csm, xrefs: 00007FF6D09EF2D2
csm, xrefs: 00007FF6D09EF3EA

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction ID: f037b34b7f8199cd276e4fbaf628226e2005f5c2fc81c1bf56fc648e37350061
Opcode Fuzzy Hash: b828653c103bc27f8420a51a056d9897bfd6e6497fd7c081c32eb92dd3ed2bbb
Instruction Fuzzy Hash: E0517032A09642E6EB648A23906426D7790FB55B88F146137DA5DCBBDEDF3CEC60C701

Function 00007FF6D09EEED8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6D09EEF37
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6D09EEF83

Strings

MOC, xrefs: 00007FF6D09EEF4B
RCC, xrefs: 00007FF6D09EEF53

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction ID: 0e68eafdede0457537b381c373633cb75aecd4ee8f707cd93eb40d06587eb9de
Opcode Fuzzy Hash: 1c81a5d02d7979dd4dad50f55436adaf5051385037e661534b2c2f58034018d3
Instruction Fuzzy Hash: 9861703290DB85D5EB209B15E4403AEB7A0FB85798F045626EB9C8779EDF7CD5A0CB00

Function 00007FF6D09E2810 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 65windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32 ref: 00007FF6D09E28EA

Strings

ERROR, xrefs: 00007FF6D09E286F
[PYI-%d:%ls] , xrefs: 00007FF6D09E2868
Error, xrefs: 00007FF6D09E28DD

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Message
String ID: ERROR$Error$[PYI-%d:%ls]
API String ID: 2030045667-255084403
Opcode ID: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction ID: d445ff630d417e8a71fd01fabd1af836d976bb4effb8e4e55036c3e34a108479
Opcode Fuzzy Hash: 035b7a672ed8def45fe49a9c290554376ffedfd07499b26c39d849b73b89d90e
Instruction Fuzzy Hash: F021EC72B18B41A2E7208B15B8403EE63A4FB88784F401133EA8D9775EDE3CE666C300

Function 00007FF6D09FC5A0 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6D09FC61F
WriteFile.KERNEL32 ref: 00007FF6D09FC8E7
WriteFile.KERNEL32 ref: 00007FF6D09FC92D
GetLastError.KERNEL32 ref: 00007FF6D09FC9E3

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction ID: 975dec4020716f0e0318b6af3153c8855497d875db011d06fd68e37e5f8b0e28
Opcode Fuzzy Hash: 04e310725d937c0b27e7ac1e6c46040fced781be2c4963351fe3137ba04acc33
Instruction Fuzzy Hash: 14D102B2B18A8199E710CF65C5402AC3BB5FB5479CB149236EE5DDBB8ADE38D467C300

Function 00007FF6D09E20C0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00007FF6D09E20F4
SetWindowLongPtrW.USER32 ref: 00007FF6D09E2116
GetWindowLongPtrW.USER32 ref: 00007FF6D09E2140
InvalidateRect.USER32 ref: 00007FF6D09E2160

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: LongWindow$DialogInvalidateRect
String ID:
API String ID: 1956198572-0
Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction ID: 034b76fa4c155da30588fa5257f26a18e3a59c50ad111b78117c8b2c3f3ba714
Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
Instruction Fuzzy Hash: E211A921E1C14692F654976AE5442BD5251FB84784F585033DB49CBB9FCD2DDAA58200

Function 00007FF6D0A05B1C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D0A01760: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A01793

_get_daylight.LIBCMT ref: 00007FF6D0A05C34
_get_daylight.LIBCMT ref: 00007FF6D0A05C45

Strings

?, xrefs: 00007FF6D0A05BC5

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction ID: 6e7449029d034ddc019011165d01aaeceba8ada4a395aeb6b7b05460717e7937
Opcode Fuzzy Hash: 21862b7f5a6063227688de7d7fc5fbfc7fa1fb1d7946118fe9e576ba790fa6aa
Instruction Fuzzy Hash: B241D823A1C38A66F7689737944137E6654EB81BA4F184236EE5C86BDEDE3CE4618700

Function 00007FF6D09F9014 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F9046

Part of subcall function 00007FF6D09FA948: RtlFreeHeap.NTDLL(?,?,?,00007FF6D0A02D22,?,?,?,00007FF6D0A02D5F,?,?,00000000,00007FF6D0A03225,?,?,?,00007FF6D0A03157), ref: 00007FF6D09FA95E
Part of subcall function 00007FF6D09FA948: GetLastError.KERNEL32(?,?,?,00007FF6D0A02D22,?,?,?,00007FF6D0A02D5F,?,?,00000000,00007FF6D0A03225,?,?,?,00007FF6D0A03157), ref: 00007FF6D09FA968

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6D09ECBA5), ref: 00007FF6D09F9064

Strings

C:\Users\user\Desktop\wp-s2.exe, xrefs: 00007FF6D09F9052

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\wp-s2.exe
API String ID: 3580290477-590426878
Opcode ID: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction ID: 1bd7f629281579f9cc912acfa36cec65210be1d6ca3e3485ffbd75f14c835963
Opcode Fuzzy Hash: 136b352ca89953b7aac46d199a587659114d0cf60bae53edf27061cb20026a80
Instruction Fuzzy Hash: 8B417132A0CA02A5EB159F2594400BD6B98EB457D8B596037FD4D8BB9ADE7CE4A18300

Function 00007FF6D09FCC38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6D09FCD4F
GetLastError.KERNEL32 ref: 00007FF6D09FCD71

Strings

U, xrefs: 00007FF6D09FCCFB

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction ID: d2a5e62d5ee55c6b8be9ea0e7dba3dfd8985deae8e724121ef1a195a6d4380d4
Opcode Fuzzy Hash: 4f5d94246872f2193e537bc66f33c90add5f7e97f4787e66017fcfb3b1ebd6d4
Instruction Fuzzy Hash: EA41B362A18A4591DB20CF25E4443AE6BA4FB88788F449136EE8DC7799DF3CD412C740

Function 00007FF6D09FF5B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32 ref: 00007FF6D09FF5F8
GetCurrentDirectoryW.KERNEL32 ref: 00007FF6D09FF64A

Strings

:, xrefs: 00007FF6D09FF60E

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction ID: d7a1a42d17a2deb127ee479aa456f20680e5d8a61eaa8a8419235bff7d27aa74
Opcode Fuzzy Hash: 9aa1b1c0966d0181e71a7442aa19fd9d8a3a06258be719e39fc35e3b215e25b0
Instruction Fuzzy Hash: E9212562A0824591EB208B12D05426D37A5FF88B48F858036EA8CCB78ECF7CE964C740

Function 00007FF6D09EFD48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF6D09EFD98
RaiseException.KERNEL32 ref: 00007FF6D09EFDD9

Strings

csm, xrefs: 00007FF6D09EFDC6

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction ID: 13a41ce7a4095354807cab8f1bc5f3075c9567ff969f47be065488bb92688e14
Opcode Fuzzy Hash: b596af9f6a60738c50b353da5cbad86497326ffe12a5eabfdc94c01c9dae4a3e
Instruction Fuzzy Hash: 03115132619B8592DB118F16E40025D77E4FB88B88F184232DB8D8B75DDF3CC9618B00

Function 00007FF6D0A0073C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A0076C
GetDriveTypeW.KERNEL32 ref: 00007FF6D0A007AC

Strings

:, xrefs: 00007FF6D0A00795

Memory Dump Source

Source File: 00000000.00000002.2100369578.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000000.00000002.2100323166.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100453442.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100604334.00007FF6D0A22000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2100684836.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: DriveType_invalid_parameter_noinfo
String ID: :
API String ID: 2595371189-336475711
Opcode ID: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction ID: 196d6eda9cfea82efff299ff2e8e523d7f97fa97f82248046108580a104b3fb5
Opcode Fuzzy Hash: 68237dfdc7112287ec82a3b365f776b5c9f6f856de5878160eaa1a8f91e0357f
Instruction Fuzzy Hash: 14018F6291C607A6F724AF61946167E27A0EF88748F881037E64DC678EDF2CE5258B14

Analysis Process: wp-s2.exePID: 6752, Parent PID: 6524COMMON

Execution Graph

Execution Coverage:	22.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	416
Total number of Limit Nodes:	13

Executed Functions

Function 00007FF6D09E1000 Relevance: 61.8, APIs: 7, Strings: 28, Instructions: 511
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pyi-runtime-tmpdir, xrefs: 00007FF6D09E3B68
Could not load PyInstaller's embedded PKG archive from the executable (%s), xrefs: 00007FF6D09E3971
Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s, xrefs: 00007FF6D09E3B32
Could not create temporary directory!, xrefs: 00007FF6D09E3CBF
pyi-disable-windowed-traceback, xrefs: 00007FF6D09E3BB2
Failed to load Tcl/Tk shared libraries for splash screen!, xrefs: 00007FF6D09E3EBB
Failed to convert DLL search path!, xrefs: 00007FF6D09E3DDC
Path exceeds PYI_PATH_MAX limit., xrefs: 00007FF6D09E3D12
_PYI_APPLICATION_HOME_DIR not set for onefile child process!, xrefs: 00007FF6D09E3D35
Could not side-load PyInstaller's PKG archive from external file (%s), xrefs: 00007FF6D09E39DE
Py_GIL_DISABLED, xrefs: 00007FF6D09E3AF4
PYINSTALLER_RESET_ENVIRONMENT, xrefs: 00007FF6D09E3882, 00007FF6D09E38AF
_PYI_APPLICATION_HOME_DIR, xrefs: 00007FF6D09E3A0B, 00007FF6D09E3CD4, 00007FF6D09E3F6B
pyi-contents-directory, xrefs: 00007FF6D09E3B8D
Failed to load splash screen resources!, xrefs: 00007FF6D09E3E85
Failed to start splash screen!, xrefs: 00007FF6D09E3ED4
Failed to remove temporary directory: %s, xrefs: 00007FF6D09E3FCF
pyi-python-flag, xrefs: 00007FF6D09E3AD6
VCRUNTIME140.dll, xrefs: 00007FF6D09E3DB1
_PYI_SPLASH_IPC, xrefs: 00007FF6D09E3A23, 00007FF6D09E3EF5
pkg, xrefs: 00007FF6D09E39BE
PYINSTALLER_STRICT_UNPACK_MODE, xrefs: 00007FF6D09E3BE8
PYINSTALLER_SUPPRESS_SPLASH_SCREEN, xrefs: 00007FF6D09E3E0A
MEI, xrefs: 00007FF6D09E3933
_PYI_PARENT_PROCESS_LEVEL, xrefs: 00007FF6D09E3A17, 00007FF6D09E3A2F, 00007FF6D09E3A9B
_PYI_ARCHIVE_FILE, xrefs: 00007FF6D09E38D2, 00007FF6D09E39FF
Failed to initialize security descriptor for temporary directory!, xrefs: 00007FF6D09E3C61
Failed to unpack splash screen dependencies from PKG archive!, xrefs: 00007FF6D09E3EA6

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ErrorFileLastModuleName
String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag$pyi-runtime-tmpdir
API String ID: 2776309574-4232158417
Opcode ID: d52c1960cc45de78c26c9f57622ace5a14626686e839aa839f1fc42fe00fc1f1
Instruction ID: a6592dbe3827e356133bab30d7f88d9f2a4431c85bc425dbf9a034c6d1eec82a
Opcode Fuzzy Hash: d52c1960cc45de78c26c9f57622ace5a14626686e839aa839f1fc42fe00fc1f1
Instruction Fuzzy Hash: 1C326D22A0E686B1EA19D721D5582BD2651BF44788F84A037DA5DCB3DFDF2CE974C300

Function 00007FF6D0A06964 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D0A06698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A066D9
Part of subcall function 00007FF6D0A06698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A06757
Part of subcall function 00007FF6D0A06698: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A067A8

CreateFileW.KERNEL32 ref: 00007FF6D0A06A6A
CreateFileW.KERNEL32 ref: 00007FF6D0A06ABA
GetLastError.KERNEL32 ref: 00007FF6D0A06AEA
GetFileType.KERNEL32 ref: 00007FF6D0A06AFF
GetLastError.KERNEL32 ref: 00007FF6D0A06B09
CloseHandle.KERNEL32 ref: 00007FF6D0A06B3C
CloseHandle.KERNEL32 ref: 00007FF6D0A06C9F
CreateFileW.KERNEL32 ref: 00007FF6D0A06CD4
GetLastError.KERNEL32 ref: 00007FF6D0A06CE3

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction ID: 164288afb55d3a770f19b57e4f06bf6d42ae9702afe0eadfec71595e560aba31
Opcode Fuzzy Hash: baaa1bd2bfcf3e8d87424e6061cd652f961a4b3dae6ad7eaae94581ee29caa63
Instruction Fuzzy Hash: 66C1B133B28A4595EB14CF6AC4912AD3765F749B98F05523ADE2E9B79ECF38D061C300

Function 00007FF6D09E9280 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32 ref: 00007FF6D09E92B3
FindClose.KERNEL32 ref: 00007FF6D09E92C2

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction ID: 0a9c964f69650bd0d8743b18a6d3717ae02265dabd5718434ec87261d38c95a2
Opcode Fuzzy Hash: 3849ca1beccae91a12aeced599bc73bdbec409d6dd090ca7d2ec6d5d284a4285
Instruction Fuzzy Hash: 36F0C832A1D74196FB608B60B49876E7390BB84328F041337DA7D867D9DF7CD469CA00

Function 00007FF6D09E1950 Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D09E7F90: _fread_nolock.LIBCMT ref: 00007FF6D09E803A

_fread_nolock.LIBCMT ref: 00007FF6D09E1A1B

Part of subcall function 00007FF6D09E2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF6D09E1B6A), ref: 00007FF6D09E295E

Strings

fseek, xrefs: 00007FF6D09E19F5
Failed to seek to cookie position!, xrefs: 00007FF6D09E19EE
malloc, xrefs: 00007FF6D09E1B22
MEI, xrefs: 00007FF6D09E1991
Could not allocate memory for archive structure!, xrefs: 00007FF6D09E1A61
Error on file., xrefs: 00007FF6D09E1B8D
Could not read full TOC!, xrefs: 00007FF6D09E1B55
calloc, xrefs: 00007FF6D09E1A68
fread, xrefs: 00007FF6D09E1A32, 00007FF6D09E1B5C
Could not allocate buffer for TOC!, xrefs: 00007FF6D09E1B1B
Failed to read cookie!, xrefs: 00007FF6D09E1A2B

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _fread_nolock$CurrentProcess
String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
API String ID: 2397952137-3497178890
Opcode ID: ee3080450604db9b79bcaf6ea9780d01564dfb64de786eed8711188a6f6cabc7
Instruction ID: 3b6ab2d8e24f5d1667d40138e1b6b8dce6d1b3c827b625028375aa5aaed2ee66
Opcode Fuzzy Hash: ee3080450604db9b79bcaf6ea9780d01564dfb64de786eed8711188a6f6cabc7
Instruction Fuzzy Hash: E881B371A1D686A6EB14DB15D0412BD2390FF88788F545433E98DCB79FDE3CE9658700

Function 00007FF6D09E1470 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: failed to seek to the entry's data!, xrefs: 00007FF6D09E14DE
Failed to extract %s: failed to allocate data buffer (%u bytes)!, xrefs: 00007FF6D09E1518
fseek, xrefs: 00007FF6D09E14E5
Failed to extract %s: failed to open archive file!, xrefs: 00007FF6D09E149F
malloc, xrefs: 00007FF6D09E151F
Failed to extract %s: failed to read data chunk!, xrefs: 00007FF6D09E15DF
fread, xrefs: 00007FF6D09E15E6

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
API String ID: 2050909247-3659356012
Opcode ID: 3b379cfcfb123380b7207fe9b70de138e86c6d94a3f87720caf8569e0a5fbbd0
Instruction ID: 6091c37d81cf057244d10fe1457fce88128514ce4b171ec3fb90f57ae6fca4ed
Opcode Fuzzy Hash: 3b379cfcfb123380b7207fe9b70de138e86c6d94a3f87720caf8569e0a5fbbd0
Instruction Fuzzy Hash: 80419D32A19642A6EB00DB2295005BD6394FF84788F846533FE0DCBB9FDE3CE9658700

Function 00007FF6D09E1210 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to extract %s: decompression resulted in return code %d!, xrefs: 00007FF6D09E141E
Failed to extract %s: inflateInit() failed with return code %d!, xrefs: 00007FF6D09E1276
malloc, xrefs: 00007FF6D09E12C1, 00007FF6D09E12F6
Failed to extract %s: failed to allocate temporary input buffer!, xrefs: 00007FF6D09E12BA
Failed to extract %s: failed to allocate temporary output buffer!, xrefs: 00007FF6D09E12EF
1.3.1, xrefs: 00007FF6D09E1249

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentProcess
String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
API String ID: 2050909247-2813020118
Opcode ID: 9b2da8e32cee601306ebcebf5d16e93c03482fa50eddd1a53150bf2cf71a648a
Instruction ID: 260760d33eb09f9417d8b0b525b0475f77f359b53f13aae4cd8130d4d30d18da
Opcode Fuzzy Hash: 9b2da8e32cee601306ebcebf5d16e93c03482fa50eddd1a53150bf2cf71a648a
Instruction Fuzzy Hash: 4851C632A0E642A5E6249B12A4403BE6691FF84798F446137ED4DCB7DFEE3CE961C700

Function 00007FF6D09E36B0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,00007FF6D09E3804), ref: 00007FF6D09E36E1
GetLastError.KERNEL32(?,00007FF6D09E3804), ref: 00007FF6D09E36EB

Part of subcall function 00007FF6D09E2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D09E3706,?,00007FF6D09E3804), ref: 00007FF6D09E2C9E
Part of subcall function 00007FF6D09E2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D09E3706,?,00007FF6D09E3804), ref: 00007FF6D09E2D63
Part of subcall function 00007FF6D09E2C50: MessageBoxW.USER32 ref: 00007FF6D09E2D99

Strings

\\?\, xrefs: 00007FF6D09E375A
Failed to obtain executable path., xrefs: 00007FF6D09E36F3
Failed to convert executable path to UTF-8., xrefs: 00007FF6D09E3790
GetModuleFileNameW, xrefs: 00007FF6D09E36FA
Failed to resolve full path to executable %ls., xrefs: 00007FF6D09E3739

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
API String ID: 3187769757-2863816727
Opcode ID: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction ID: 3b16a2486419b671d8efc8867afbb449ba1c1740344d1d912b63513927b24d8f
Opcode Fuzzy Hash: 7a7bb6314ef99d1ea6b5a99dff4d55fbb7227be169d5ba9e119ffda366a0a745
Instruction Fuzzy Hash: 7C2197A1B2D64271FA24D721E8143BE2250BF48358F445133E65DCA7DFEE6CE925C300

Function 00007FF6D09FBA5C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09FBE89

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction ID: d0f5e870961ecdb69b579d92d072ece4f6c29e809a174e55abb5730ca3738a0b
Opcode Fuzzy Hash: c3f57b6cd1f658b3a1cfdd45bc75f21d2f6c8be166295f0eb40444005b392bd6
Instruction Fuzzy Hash: 54C1E2A2A1C686A1E7608F1590402BD2F58FB81B88F596133FB4D8B7DBCE7CE4658701

Function 00007FF6D09E6360 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Failed to load Python DLL '%ls'., xrefs: 00007FF6D09E64A7
LoadLibrary, xrefs: 00007FF6D09E64AE
Path of ucrtbase.dll (%s) and its name exceed buffer size (%d), xrefs: 00007FF6D09E6407
Path of Python shared library (%s) and its name (%s) exceed buffer size (%d), xrefs: 00007FF6D09E6456
Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d), xrefs: 00007FF6D09E63C7
ucrtbase.dll, xrefs: 00007FF6D09E63DD

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CurrentProcess
String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
API String ID: 2050909247-2434346643
Opcode ID: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction ID: a8dff007917e73dbdc5ece4918793b2b4433f85c2bee3ee8dd48ab968a4dca4e
Opcode Fuzzy Hash: 111e0a7e53993944da2df5d9c96cd3a7cea32e86f931b773c4ccd6a62d35c348
Instruction Fuzzy Hash: B5415E22A1D686A1EA15DB21E4152ED6321FB44388F801137DA5CCB7DFEE3CE925C740

Function 00007FF6D09F5628 Relevance: 6.1, APIs: 4, Instructions: 90
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F5655
CreateFileW.KERNEL32 ref: 00007FF6D09F5694
CloseHandle.KERNEL32 ref: 00007FF6D09F56C9

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CloseCreateFileHandle_invalid_parameter_noinfo
String ID:
API String ID: 1279662727-0
Opcode ID: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction ID: 8207ddf213b62286ef31a54824ffda3cd2178eed9a6a339f252017f985c09197
Opcode Fuzzy Hash: b1746a8a916bbf96797ffba89da9809a683c49b2a7b1d8f7dd6efe5c63c8eb6a
Instruction Fuzzy Hash: 2D419322D1C78193E7149B21951036D6B64FB943A8F10A336F76C87BDADF6CA4F08740

Function 00007FF6D09ECC3C Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6D09ECE0C: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6D09ECE20

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6D09ECC60
__scrt_release_startup_lock.LIBCMT ref: 00007FF6D09ECCCE
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6D09ECD21

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction ID: a7d2a048248f6d508b3a0be5e0e02a06281e700e388e7283e36ccbb0fbdee2f2
Opcode Fuzzy Hash: b3dd18574e8b698ea28c35ed35ed65a6730a16d6ac14c38d0a8ba428da0d66bc
Instruction Fuzzy Hash: 0A313961E0E24661FA18AB75A9113BD1681BF4138CF446437E98ECF3DFDE6DAD668200

Function 00007FF6D09F013C Relevance: 3.2, APIs: 2, Instructions: 177
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F0180
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F0277

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction ID: 3ba98800e2438041b7089719095d91e17a7ccc7fd5bc68e8dde435f04594deaf
Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
Instruction Fuzzy Hash: 8E51FB61B0D241A6EB249A2594006BE699DAFC4BACF185736FD7D8B7CFCE7CD4218600

Function 00007FF6D09FC134 Relevance: 3.0, APIs: 2, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF6D09FC2CD), ref: 00007FF6D09FC180
GetLastError.KERNEL32(?,?,?,?,?,00007FF6D09FC2CD), ref: 00007FF6D09FC18A

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction ID: d238907b49e4411a3c4a032298d3ac7898e4209dda65b92951ff635e8a1ea88f
Opcode Fuzzy Hash: 7d52f85de62641260209e8dbb28c5e1251e01e8bf24b4306ce9dcd9badf2c9c6
Instruction Fuzzy Hash: 6C11046271CA8191DB208B25A90016D6765BB41FF8F645332FE7D8BBDECE3CD0218700

Function 00007FF6D09FAB58 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF6D09FA9D5,?,?,00000000,00007FF6D09FAA8A), ref: 00007FF6D09FABC6
GetLastError.KERNEL32(?,?,?,00007FF6D09FA9D5,?,?,00000000,00007FF6D09FAA8A), ref: 00007FF6D09FABD0

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction ID: 10f73f27735533cba41b578d87d61c40df1ef3133d5472388822586f5c16af7b
Opcode Fuzzy Hash: ae1e15d82824e1a5fac1c7302ca2ff5641fe0b0e43db7728cd9339717749910c
Instruction Fuzzy Hash: 2521C951F1C64261FAA4576194543BD1A8A9FC4798F186237F92ECF7DFCE6CA4614300

Function 00007FF6D09FBEAC Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09FBED4

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction ID: 9d1a119f948d68553afad26f395d4f1d26af57d6bf199e851f100e1bc2ac7e36
Opcode Fuzzy Hash: 5a303e376ae32d58fd1e52f1ac99a64fdc1cf63549abbe0bdd4da132c2ec767e
Instruction Fuzzy Hash: 0D41E57291824193EA34DE19E84017D7BA8EB59798F142132F79ECB7DACF6CE412CB50

Function 00007FF6D09E7F90 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF6D09E803A

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: 09e0edd5bfc77bffd2ce204413b85077ed061b6568614956a0855b02b1706b89
Instruction ID: 3d69f418cd18ee3511b5fbbee8e612212737a8d7e2ccf49ce56dac2ca010f38a
Opcode Fuzzy Hash: 09e0edd5bfc77bffd2ce204413b85077ed061b6568614956a0855b02b1706b89
Instruction Fuzzy Hash: 4A21E621B1A69166FA109A6265043FF9645FF85BD8F886432EE1CCF78BCE7DE465C300

Function 00007FF6D09FB93C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09FB9C2

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction ID: fb763d096184f6096609c56f848b234e4a8721d18e35551d90ff92ee6913cb1f
Opcode Fuzzy Hash: c2d01373d3233558d420055387ebca2c39d1ce99b2c1a08127fa32cb0ba5fec2
Instruction Fuzzy Hash: AD316562A18602A5F7515F55844137C2E98BF80BACF562137FB1D8B3DBCEBCE4A18711

Function 00007FF6D09F5F94 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F5EF9

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction ID: 9e8442953db5231287fcba82469c70d4002c69b23ab76ef105012a4dc08d40ec
Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
Instruction Fuzzy Hash: EA117B31A1C64152EA609F51940027D6A68BF85B98F455433FB8CDFB9FCF7DD5604740

Function 00007FF6D0A06354 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D0A06377

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction ID: 434e2f71a0c8881e63c46c6014e0400c33827d7d5b3eac8177101545670b31b0
Opcode Fuzzy Hash: 3765a10cee1e255344ee37f065f4be71d58868c9c9e645b3056c9746d3493235
Instruction Fuzzy Hash: 0A21AF33A1CA4696EB648F19D44137D76A0BB84B98F18423AE65DCB7DEDF3DD4218B00

Function 00007FF6D09F03BC Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F0410

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction ID: 5325004799101a7b6e3388f10bea015e248ed98fc6802a3f9c7ecdb748000561
Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
Instruction Fuzzy Hash: 4F018221A0874550E904DB5259000ADAA99AF85FE8F485632FF6C9BBEFDE3CD4214300

Function 00007FF6D09E8E80 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D09E9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6D09E45F4,00000000,00007FF6D09E1985), ref: 00007FF6D09E93C9

LoadLibraryExW.KERNEL32(?,00007FF6D09E6476,?,00007FF6D09E336E), ref: 00007FF6D09E8EA2

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ByteCharLibraryLoadMultiWide
String ID:
API String ID: 2592636585-0
Opcode ID: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction ID: 39177696b6e1259e9dc9199519993a6d4b587581c53f57d56c27a9f5c9ab4295
Opcode Fuzzy Hash: 3eee33850ff877a76f59ec51b6af72cd7d073a691558276a485592abc3036afa
Instruction Fuzzy Hash: 23D0C201F3924552EA48A77BBA4663E5251AF89BC4F88E037EE1D87B4FDC3CC0614B00

Function 00007FF6D09FD5FC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6D09F0C90,?,?,?,00007FF6D09F22FA,?,?,?,?,?,00007FF6D09F3AE9), ref: 00007FF6D09FD63A

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction ID: 6d0ff445d41f350033e12147ef29b67f42d042f3b87a66b90b452c3b07a2b65c
Opcode Fuzzy Hash: 510c613edcbd96140e332c46b5608733b20d975e117422ad796dc4540c81bb80
Instruction Fuzzy Hash: E7F05E11F1E206A5FE645772580127C19994F857A8F182732FC2ECD3CBDD2CA4A08210

Non-executed Functions

Function 00007FF6D09E89E0 Relevance: 70.3, APIs: 36, Strings: 4, Instructions: 257synchronizationwindowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D09E9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6D09E45F4,00000000,00007FF6D09E1985), ref: 00007FF6D09E93C9

SetConsoleCtrlHandler.KERNEL32(?,?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8A3B
GetStartupInfoW.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8A56

Part of subcall function 00007FF6D09FA47C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09FA490

Part of subcall function 00007FF6D09F871C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D09F8783

GetCommandLineW.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8AE6
CreateProcessW.KERNEL32 ref: 00007FF6D09E8B1E
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8B28

Part of subcall function 00007FF6D09E2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D09E3706,?,00007FF6D09E3804), ref: 00007FF6D09E2C9E
Part of subcall function 00007FF6D09E2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF6D09E3706,?,00007FF6D09E3804), ref: 00007FF6D09E2D63
Part of subcall function 00007FF6D09E2C50: MessageBoxW.USER32 ref: 00007FF6D09E2D99

RegisterClassW.USER32 ref: 00007FF6D09E8B80
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8B8B
CreateWindowExW.USER32 ref: 00007FF6D09E8BD5
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8BE7
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8C02
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8C15
PeekMessageW.USER32 ref: 00007FF6D09E8C39
TranslateMessage.USER32 ref: 00007FF6D09E8C47
DispatchMessageW.USER32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8C51
PeekMessageW.USER32 ref: 00007FF6D09E8C6C
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8C7E
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8C99
TerminateProcess.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8CAF
GetLastError.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8CB9
WaitForSingleObject.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8CC7
DestroyWindow.USER32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8E04
GetExitCodeProcess.KERNEL32 ref: 00007FF6D09E8E19
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8E22
CloseHandle.KERNEL32(?,FFFFFFFF,00007FF6D09E3F7F), ref: 00007FF6D09E8E2F

Strings

Failed to create child process!, xrefs: 00007FF6D09E8B30
PyInstallerOnefileHiddenWindow, xrefs: 00007FF6D09E8B54
PyInstaller Onefile Hidden Window, xrefs: 00007FF6D09E8B95
CreateProcessW, xrefs: 00007FF6D09E8B37

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
API String ID: 3832162212-3165540532
Opcode ID: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction ID: 1c041c2bf00e6a7509045843fe90a2af158539d2eb8f2e2fdb29c652ec2e9437
Opcode Fuzzy Hash: 99838be411f58a84d89697932930ae4644c798f1dd42cd928399edbb9bf0e48e
Instruction Fuzzy Hash: C5D1D132A19A86A6E7148F75E8502AE3760FF84758F141237DA5DC6BAECF3CD564C700

Function 00007FF6D09E81D0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6D09E9390: MultiByteToWideChar.KERNEL32(?,?,?,00007FF6D09E45F4,00000000,00007FF6D09E1985), ref: 00007FF6D09E93C9

ExpandEnvironmentStringsW.KERNEL32(?,00007FF6D09E86B7,?,?,00000000,00007FF6D09E3CBB), ref: 00007FF6D09E822C

Part of subcall function 00007FF6D09E2810: MessageBoxW.USER32 ref: 00007FF6D09E28EA

Strings

LOADER: failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6D09E82D9
\, xrefs: 00007FF6D09E8261
LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!, xrefs: 00007FF6D09E829D
CreateDirectory, xrefs: 00007FF6D09E837C
%.*s, xrefs: 00007FF6D09E830C
LOADER: failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6D09E8203
LOADER: failed to create runtime-tmpdir path %ls!, xrefs: 00007FF6D09E8373
LOADER: failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6D09E8240

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
API String ID: 1662231829-930877121
Opcode ID: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
Instruction ID: 9705a7f41a3778bbe20a72b0e9e0d87a4b2783617791c49f8b6f252c7d71e208
Opcode Fuzzy Hash: 34679b23be2e6a85bad270fe565fa16c5e09c528fb77942a9d4832d630ea4d55
Instruction Fuzzy Hash: 3251B922A2E64271FA549B65D9512BF6350FF44788F446433E61ECA7DFEE7CE8248300

Function 00007FF6D09E2180 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00007FF6D09E21AB
SelectObject.GDI32 ref: 00007FF6D09E21F2
DrawTextW.USER32 ref: 00007FF6D09E2215
SelectObject.GDI32 ref: 00007FF6D09E222B
ReleaseDC.USER32 ref: 00007FF6D09E223B
MoveWindow.USER32 ref: 00007FF6D09E228B
MoveWindow.USER32 ref: 00007FF6D09E22CB
MoveWindow.USER32 ref: 00007FF6D09E231E
MoveWindow.USER32 ref: 00007FF6D09E2366

Strings

P%, xrefs: 00007FF6D09E21FF

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: MoveWindow$ObjectSelect$DrawReleaseText
String ID: P%
API String ID: 2147705588-2959514604
Opcode ID: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction ID: b1addf4061d0eb3cda5b0457c4acc114c4cd96d2f3579ae798734626181f88cc
Opcode Fuzzy Hash: 044398bc2faddcfc72e28419b1c607044beef288ba0900b5e0371f537bcab75f
Instruction Fuzzy Hash: A05129266187A186D6389F22E4181BEB7A1F798B61F004132EFDE8379ADF3CD155CB10

Function 00007FF6D09EEA08 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6D09EEA65

Part of subcall function 00007FF6D09EF9BC: __GetUnwindTryBlock.LIBCMT ref: 00007FF6D09EF9FF
Part of subcall function 00007FF6D09EF9BC: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6D09EFA24

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6D09EEB3D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6D09EED8B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6D09EEE98

Strings

csm, xrefs: 00007FF6D09EEA7F
csm, xrefs: 00007FF6D09EEAE6
csm, xrefs: 00007FF6D09EEB60

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction ID: 7fa0935ef7fd96ed2e520c11019f7cf75e732627331a2ae481c8b77e65ed6183
Opcode Fuzzy Hash: aab7c7e636ea8a2572919ef13f94062ff4905efd63cd4babadd9079b892b9703
Instruction Fuzzy Hash: 6AD17F32A0974196EB209B65D4403AD77A0FB4578CF142136EE8DDBB9BDF38E8A5C740

Function 00007FF6D09FB150 Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6D09FB15F
FlsGetValue.KERNEL32 ref: 00007FF6D09FB174
FlsSetValue.KERNEL32 ref: 00007FF6D09FB195
FlsSetValue.KERNEL32 ref: 00007FF6D09FB1C2
FlsSetValue.KERNEL32 ref: 00007FF6D09FB1D3
FlsSetValue.KERNEL32 ref: 00007FF6D09FB1E4
SetLastError.KERNEL32 ref: 00007FF6D09FB1FF

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction ID: 15fcbea05dcd9f4d7a8612b5dcccbe4772ff1cbbe8b4a1dd11fc4a22a4dd6d21
Opcode Fuzzy Hash: bd40692f84e3da01acd5c9e715af8932c2ff4b5b564443a413d720313231dc09
Instruction Fuzzy Hash: 10217F61B0C64271FA589722966517D194A5F447B8F186736FA3ECA7CFDD2CB4604301

Function 00007FF6D09FB224 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6D09FB235
FlsSetValue.KERNEL32 ref: 00007FF6D09FB254
FlsSetValue.KERNEL32 ref: 00007FF6D09FB27C
FlsSetValue.KERNEL32 ref: 00007FF6D09FB28D
FlsSetValue.KERNEL32 ref: 00007FF6D09FB29E

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction ID: 3963ebe4b975e9383235a0ebb2bb431550efa829053cfd9e1ac6d31604d4631e
Opcode Fuzzy Hash: cf61fb6c00b1796c5bed08ecf7b6551a73a14dc995a044f45feadad5ae41d3ad
Instruction Fuzzy Hash: 551118A0E0860771F958A76244611BD194A5FA533CF18A736FA3ECE7DFDD2CB8604201

Function 00007FF6D09FF98C Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6D09FFA7C
_get_daylight.LIBCMT ref: 00007FF6D09FFA8D
_get_daylight.LIBCMT ref: 00007FF6D09FFA9E
_isindst.LIBCMT ref: 00007FF6D09FFB69

Memory Dump Source

Source File: 00000001.00000002.2085594471.00007FF6D09E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6D09E0000, based on PE: true

Associated: 00000001.00000002.2085569640.00007FF6D09E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085629189.00007FF6D0A0B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085658768.00007FF6D0A21000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2085707438.00007FF6D0A24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7ff6d09e0000_wp-s2.jbxd

Similarity

API ID: _get_daylight$_isindst
String ID:
API String ID: 4170891091-0
Opcode ID: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction ID: 576ccc30c3309e7820e50b6d768e5ed48d0bd775ca8cc0cf793c7e93b20b9a58
Opcode Fuzzy Hash: 873197461a12b50781dd6dd2a54ab0b7f590f407db75148e336b6c99fa373a01
Instruction Fuzzy Hash: A751F773F0411196EB18CF65D9616BC2B69AF4435DF501236ED1D9ABDEDF3CA4128700

Source: wp-s2.exe, 00000001.00000002.2083678251.000001B81F1C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digi
Source: wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredID
Source: wp-s2.exe, 00000000.00000003.1717401705.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1745691225.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1743974562.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961B2000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1699513790.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719838444.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: wp-s2.exe, 00000000.00000003.1717401705.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961AC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1745691225.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1743974562.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961B2000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1745691225.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1743974562.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961AC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1745691225.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1743974562.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wp-s2.exe, 00000001.00000002.2082080905.000001B81E782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crlr
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1745691225.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1743974562.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961B2000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1699513790.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719838444.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: wp-s2.exe, 00000000.00000003.1717401705.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961AC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1745691225.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1743974562.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961B2000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1745691225.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1743974562.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1699513790.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719838444.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: wp-s2.exe, 00000000.00000003.1718192942.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl
Source: wp-s2.exe, 00000000.00000003.1717401705.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: wp-s2.exe, 00000000.00000003.1717401705.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961AC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1745691225.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1743974562.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961B2000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1699513790.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719838444.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: wp-s2.exe, 00000000.00000003.1717401705.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: wp-s2.exe, 00000001.00000003.1759279653.000001B81ECE8000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2083678251.000001B81F1C0000.00000004.00001000.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759279653.000001B81ED43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: wp-s2.exe, 00000001.00000002.2083815498.000001B81F3B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://goo.gl/zeJZl.
Source: wp-s2.exe, 00000001.00000002.2082080905.000001B81E782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760549875.000001B81E3D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EBFC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EBFC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC02000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759396614.000001B81EC02000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EAA1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EBFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: wp-s2.exe, 00000001.00000002.2083678251.000001B81F1C0000.00000004.00001000.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mail.python.org/pipermail/python-dev/2012-June/120787.html.
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961AC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1745691225.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1743974562.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961B2000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961AC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1745691225.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1743974562.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717401705.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1699513790.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719838444.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: wp-s2.exe, 00000000.00000003.1717401705.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1745691225.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1743974562.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: wp-s2.exe, 00000001.00000002.2082080905.000001B81E782000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/Y
Source: wp-s2.exe, 00000001.00000002.2083573190.000001B81F090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crlsj
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: wp-s2.exe, 00000001.00000002.2087013621.00007FFDF9A2A000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/
Source: wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/K$
Source: wp-s2.exe, 00000001.00000002.2087013621.00007FFDF9A2A000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: http://www.color.org)
Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961AC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1745691225.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1743974562.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1742512200.000001D2961B2000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: wp-s2.exe, 00000001.00000002.2082080905.000001B81E650000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1786232962.000001B81EDBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cpsJ
Source: wp-s2.exe, 00000001.00000003.1760937335.000001B81ECC7000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759279653.000001B81ECE8000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1783712261.000001B81ECB6000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759396614.000001B81ECC7000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81ECB6000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81ECB6000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759279653.000001B81ED43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760549875.000001B81E3D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: wp-s2.exe, 00000001.00000002.2081983260.000001B81E550000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/howto/mro.html.
Source: wp-s2.exe, 00000001.00000002.2081660537.000001B81E110000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
Source: wp-s2.exe, 00000001.00000002.2081660537.000001B81E110000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
Source: wp-s2.exe, 00000001.00000002.2081660537.000001B81E194000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
Source: wp-s2.exe, 00000001.00000002.2081660537.000001B81E110000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
Source: wp-s2.exe, 00000001.00000002.2081660537.000001B81E194000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
Source: wp-s2.exe, 00000001.00000002.2081660537.000001B81E110000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
Source: wp-s2.exe, 00000001.00000002.2081660537.000001B81E110000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
Source: wp-s2.exe, 00000001.00000002.2081660537.000001B81E110000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: wp-s2.exe, 00000001.00000002.2083312157.000001B81EE70000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: wp-s2.exe, 00000001.00000002.2084943619.000001B81FBF4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/giampaolo/psutil/issues/875.
Source: wp-s2.exe, 00000001.00000002.2083815498.000001B81F344000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/6710
Source: wp-s2.exe, 00000001.00000002.2081660537.000001B81E194000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: wp-s2.exe, 00000001.00000003.1754622319.000001B81E803000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1754674201.000001B81E7FC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1756150289.000001B81E7BC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1758008751.000001B81E78C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E782000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757204060.000001B81E78C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1755225796.000001B81E7BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/issues/86361.
Source: wp-s2.exe, 00000001.00000002.2082426797.000001B81E950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/importlib_metadata/wiki/Development-Methodology
Source: wp-s2.exe, 00000001.00000002.2081888920.000001B81E310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EBFC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EBFC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC02000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2083312157.000001B81EE70000.00000004.00001000.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759396614.000001B81EC02000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EBFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1761764389.000001B81ECA7000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EB46000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EB46000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EB46000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: wp-s2.exe, 00000001.00000002.2083573190.000001B81F090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: wp-s2.exe, 00000001.00000002.2083573190.000001B81F090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E650000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: wp-s2.exe, 00000001.00000002.2083678251.000001B81F1C0000.00000004.00001000.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: wp-s2.exe, 00000001.00000003.1756636619.000001B81E6CE000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757583955.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1756150289.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1758008751.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E73E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: wp-s2.exe, 00000001.00000002.2082516614.000001B81EAA1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: wp-s2.exe, 00000001.00000003.1762895106.000001B81ED79000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1783712261.000001B81ED6D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760839874.000001B81ED58000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760907838.000001B81ED5D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81ED68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: wp-s2.exe, 00000001.00000002.2082426797.000001B81E950000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://nodejs.org/dist/v22.11.0/node-v22.11.0-win-x64.zip
Source: wp-s2.exe, 00000001.00000002.2083573190.000001B81F090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/core-metadata/#core-metadata
Source: wp-s2.exe, 00000001.00000002.2082080905.000001B81E782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/entry-points/#file-format
Source: wp-s2.exe, 00000001.00000002.2082080905.000001B81E782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/recording-installed-packages/#the-record-file
Source: wp-s2.exe, 00000001.00000002.2083478692.000001B81EF90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: wp-s2.exe, 00000001.00000002.2082321401.000001B81E850000.00000004.00001000.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1756150289.000001B81E7BC000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1750070545.000001B81E311000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757204060.000001B81E78C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1755225796.000001B81E7BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://peps.python.org/pep-0205/
Source: wp-s2.exe, 00000001.00000002.2091458277.00007FFDFB888000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://peps.python.org/pep-0263/
Source: wp-s2.exe, 00000001.00000002.2083815498.000001B81F344000.00000004.00001000.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1756636619.000001B81E6CE000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757583955.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1756150289.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1758008751.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E73E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: wp-s2.exe, 00000001.00000002.2084943619.000001B81FBF4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/4457745#4457745.
Source: wp-s2.exe, 00000001.00000003.1762017406.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1759396614.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EBA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: wp-s2.exe, 00000001.00000002.2082080905.000001B81E650000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757135082.000001B81EB76000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757135082.000001B81EB97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc7231#section-4.3.6)
Source: wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: wp-s2.exe, 00000001.00000002.2083478692.000001B81EF90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: wp-s2.exe, 00000001.00000002.2083478692.000001B81EF90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: wp-s2.exe, 00000000.00000003.1717401705.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697798406.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717538177.000001D2961B1000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2089805565.00007FFDFAC24000.00000002.00000001.01000000.00000014.sdmp, wp-s2.exe, 00000001.00000002.2093031370.00007FFE013D0000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: wp-s2.exe, 00000001.00000003.1756636619.000001B81E6CE000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1757583955.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1756150289.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1758008751.000001B81E754000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E73E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: wp-s2.exe, 00000001.00000003.1762895106.000001B81ED79000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1783712261.000001B81ED6D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760839874.000001B81ED58000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760907838.000001B81ED5D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81ED68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: wp-s2.exe, 00000001.00000002.2091458277.00007FFDFB888000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: https://www.python.org/psf/license/)
Source: wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E650000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/
Source: wp-s2.exe, 00000001.00000003.1781570040.000001B81EE1D000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EE1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: wp-s2.exe, 00000001.00000003.1760589925.000001B81EC7C000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1765860509.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082080905.000001B81E650000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1781570040.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1762017406.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000003.1760937335.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2082516614.000001B81EC52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09E89E0	0_2_00007FF6D09E89E0
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D0A06964	0_2_00007FF6D0A06964
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D0A05C00	0_2_00007FF6D0A05C00
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09E1000	0_2_00007FF6D09E1000
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D0A008C8	0_2_00007FF6D0A008C8
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F2164	0_2_00007FF6D09F2164
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F1944	0_2_00007FF6D09F1944
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F39A4	0_2_00007FF6D09F39A4
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09EA2DB	0_2_00007FF6D09EA2DB
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09FDA5C	0_2_00007FF6D09FDA5C
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D0A008C8	0_2_00007FF6D0A008C8
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D0A06418	0_2_00007FF6D0A06418
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F2C10	0_2_00007FF6D09F2C10
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D0A03C10	0_2_00007FF6D0A03C10
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F1B50	0_2_00007FF6D09F1B50
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F5D30	0_2_00007FF6D09F5D30
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09EA474	0_2_00007FF6D09EA474
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09EACAD	0_2_00007FF6D09EACAD
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09FE570	0_2_00007FF6D09FE570
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F1D54	0_2_00007FF6D09F1D54
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F35A0	0_2_00007FF6D09F35A0
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09FDEF0	0_2_00007FF6D09FDEF0
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D0A09728	0_2_00007FF6D0A09728
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F9EA0	0_2_00007FF6D09F9EA0
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D0A05E7C	0_2_00007FF6D0A05E7C
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09E9800	0_2_00007FF6D09E9800
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F1F60	0_2_00007FF6D09F1F60
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F1740	0_2_00007FF6D09F1740
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F8794	0_2_00007FF6D09F8794
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D09F80E4	0_2_00007FF6D09F80E4
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D0A01874	0_2_00007FF6D0A01874
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 0_2_00007FF6D0A040AC	0_2_00007FF6D0A040AC
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 1_2_00007FF6D0A06964	1_2_00007FF6D0A06964
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 1_2_00007FF6D09E1000	1_2_00007FF6D09E1000
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 1_2_00007FF6D09E89E0	1_2_00007FF6D09E89E0
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 1_2_00007FF6D09F2164	1_2_00007FF6D09F2164
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 1_2_00007FF6D09F1944	1_2_00007FF6D09F1944
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 1_2_00007FF6D09F39A4	1_2_00007FF6D09F39A4
Source: C:\Users\user\Desktop\wp-s2.exe	Code function: 1_2_00007FF6D09EA2DB	1_2_00007FF6D09EA2DB

Source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1695666686.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Network.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqicns.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1697273457.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5QmlModels.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1719480565.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwindows.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1740872836.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1698741421.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Svg.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqgif.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1718862315.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqoffscreen.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqtiff.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1704773732.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1691739148.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Core.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1694229514.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Gui.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1698906239.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5WebSockets.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1718524179.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqminimal.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1744214545.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibEGL.dll. vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1692963511.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5DBus.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1717172660.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqjpeg.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwbmp.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1717538177.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqtga.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1719838444.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqxdgdesktopportal.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1717040182.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqico.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1716509121.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqtuiotouchplugin.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1739421344.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1700785114.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1739600157.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1719961624.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwindowsvistastyle.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1701014707.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_wmi.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1690791747.000001D2961A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dllT vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1719137863.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwebgl.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1738003483.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1716671349.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqsvgicon.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1738782073.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1696311204.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQt5Qml.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1718192942.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqwebp.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1691042886.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsvcp140_1.dllT vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1717401705.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqsvg.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs wp-s2.exe
Source: wp-s2.exe	Binary or memory string: OriginalFilename vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2094578869.00007FFE1152A000.00000002.00000001.01000000.00000013.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2087828503.00007FFDFA1F3000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: OriginalFilenameQt5Widgets.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2095582327.00007FFE12E19000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2095910612.00007FFE13312000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2085998704.00007FFDF93AB000.00000002.00000001.01000000.00000020.sdmp	Binary or memory string: OriginalFilenameqwindows.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2093882249.00007FFE0EB62000.00000002.00000001.01000000.00000021.sdmp	Binary or memory string: OriginalFilenameqwindowsvistastyle.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2081582775.000001B81E0B0000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenamepython3.dll. vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2095692010.00007FFE130C6000.00000002.00000001.01000000.0000000E.sdmp	Binary or memory string: OriginalFilenamemsvcp140_1.dllT vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2095805735.00007FFE1321E000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2093293184.00007FFE0146F000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dllT vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2094863635.00007FFE11BB6000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2092558523.00007FFDFBAC0000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamepython313.dll. vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2092828879.00007FFE0082C000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2089805565.00007FFDFAC24000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: OriginalFilenamelibcryptoH vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2095013627.00007FFE11EB3000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2095236631.00007FFE120CD000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2090562181.00007FFDFB190000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: OriginalFilenameQt5Core.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2093031370.00007FFE013D0000.00000002.00000001.01000000.00000015.sdmp	Binary or memory string: OriginalFilenamelibsslH vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2095343615.00007FFE126C6000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2095473571.00007FFE126F3000.00000002.00000001.01000000.0000000A.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2081407541.000001B81C7D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameD3D10Warp.dllj% vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2087287876.00007FFDF9CA9000.00000002.00000001.01000000.0000001E.sdmp	Binary or memory string: OriginalFilenameQt5Gui.dll( vs wp-s2.exe
Source: wp-s2.exe, 00000001.00000002.2096125200.00007FFE1A46A000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs wp-s2.exe

Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: fothk
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll0.0.dr	Static PE information: section name: _RDATA
Source: opengl32sw.dll.0.dr	Static PE information: section name: _RDATA
Source: qtuiotouchplugin.dll.0.dr	Static PE information: section name: .qtmetad
Source: qsvgicon.dll.0.dr	Static PE information: section name: .qtmetad
Source: MSVCP140.dll.0.dr	Static PE information: section name: .didat
Source: Qt5Core.dll.0.dr	Static PE information: section name: .qtmimed
Source: libcrypto-3.dll.0.dr	Static PE information: section name: .00cfg
Source: qgif.dll.0.dr	Static PE information: section name: .qtmetad
Source: qicns.dll.0.dr	Static PE information: section name: .qtmetad
Source: qico.dll.0.dr	Static PE information: section name: .qtmetad
Source: qjpeg.dll.0.dr	Static PE information: section name: .qtmetad
Source: qsvg.dll.0.dr	Static PE information: section name: .qtmetad
Source: qtga.dll.0.dr	Static PE information: section name: .qtmetad
Source: qtiff.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwbmp.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwebp.dll.0.dr	Static PE information: section name: .qtmetad
Source: qminimal.dll.0.dr	Static PE information: section name: .qtmetad
Source: libssl-3.dll.0.dr	Static PE information: section name: .00cfg
Source: python313.dll.0.dr	Static PE information: section name: PyRuntim
Source: qoffscreen.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwebgl.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwindows.dll.0.dr	Static PE information: section name: .qtmetad
Source: qxdgdesktopportal.dll.0.dr	Static PE information: section name: .qtmetad
Source: qwindowsvistastyle.dll.0.dr	Static PE information: section name: .qtmetad

Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: wp-s2.exe, 00000000.00000003.1716671349.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: wp-s2.exe, 00000000.00000003.1717401705.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: wp-s2.exe, 00000000.00000003.1716509121.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: wp-s2.exe, 00000001.00000002.2093179483.00007FFE01435000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: wp-s2.exe, 00000000.00000003.1717040182.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG"OpenSSL 3.0.15 3 Sep 20243.0.15built on: Wed Sep 4 15:52:04 2024 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"CPUINFO: N/Anot availableget_and_lock..\s\crypto\ex_data.cossl_crypto_get_ex_new_index_exossl_crypto_new_ex_data_exCRYPTO_dup_ex_dataCRYPTO_set_ex_dataOPENSSL_WIN32_UTF8..\s\crypto\getenv.ccompiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG";CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificC:\Program Files\Common Files\SSLC:\Program Files\OpenSSL\lib\ossl-modules.dllCPUINFO: ..\s\crypto\init.cOPENSSL_init_cryptoOPENSSL_atexit..\s\crypto\initthread.c..\s\crypto\mem_sec.cassertion failed: (bit & 1) == 0assertion failed: list >= 0 && list < sh.freelist_sizeassertion failed: ((ptr - sh.arena) & ((sh.arena_size >> list) - 1)) == 0assertion failed: bit > 0 && bit < sh.bittable_sizeassertion failed: TESTBIT(table, bit)assertion failed: !TESTBIT(table, bit)assertion failed: WITHIN_FREELIST(list)assertion failed: WITHIN_ARENA(ptr)assertion failed: temp->next == NULL \|\| WITHIN_ARENA(temp->next)assertion failed: (char *)temp->next->p_next == listassertion failed: WITHIN_FREELIST(temp2->p_next) \|\| WITHIN_ARENA(temp2->p_next)assertion failed: size > 0assertion failed: (size & (size - 1)) == 0assertion failed: (minsize & (minsize - 1)) == 0assertion failed: sh.freelist != NULLassertion failed: sh.bittable != NULLassertion failed: sh.bitmalloc != NULLassertion failed: !sh_testbit(temp, slist, sh.bitmalloc)assertion failed: temp != sh.freelist[slist]assertion failed: sh.freelist[slist] == tempassertion failed: temp-(sh.arena_size >> slist) == sh_find_my_buddy(temp, slist)assertion failed: sh_testbit(chunk, list, sh.bittable)assertion failed: WITHIN_ARENA(chunk)assertion failed: sh_testbit(ptr, list, sh.bittable)assertion failed: ptr == sh_find_my_buddy(buddy, list)assertion failed: ptr != NULLassertion failed: !sh_testbit(ptr, list, sh.bitmalloc)assertion failed: sh.freelist[list] == ptr/0123456789ABCDEFCRYPTO_memdup..\s\crypto\o_str.chexstr2buf_sepossl_hexstr2buf_sepbuf2hexstr_sepossl_buf2hexstr_sep..\s\crypto\packet.cwpacket_intern_init_lenWPACKET_start_sub_packet_len__..\s\crypto\param_build.cparam_pushparam_push_numOSSL_PARAM_BLD_push_BN_padNegative big numbers are unsupported for OSSL_PARAMOSSL_PARAM_BLD_push_utf8_stringOSSL_PARAM_BLD_push_utf8_ptrOSSL_PARAM_BLD_push_octet_stringOSSL_PARAM_BLD_p
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -D"OPENSSL_BUILDING_OPENSSL" -D"OPENSSL_SYS_WIN32" -D"WIN32_LEAN_AND_MEAN" -D"UNICODE" -D"_UNICODE" -D"_CRT_SECURE_NO_DEPRECATE" -D"_WINSOCK_DEPRECATED_NO_WARNINGS" -D"NDEBUG" source: wp-s2.exe, 00000001.00000002.2089508974.00007FFDFAAE2000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: wp-s2.exe, 00000000.00000003.1738003483.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2096082906.00007FFE1A464000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: wp-s2.exe, 00000000.00000003.1701014707.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2095539658.00007FFE12E15000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: wp-s2.exe, 00000000.00000003.1738782073.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb%% source: wp-s2.exe, 00000001.00000002.2093601265.00007FFE0EB57000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\styles\qwindowsvistastyle.pdb source: wp-s2.exe, 00000001.00000002.2093601265.00007FFE0EB57000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: wp-s2.exe, 00000001.00000002.2095760829.00007FFE13213000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: wp-s2.exe, 00000000.00000003.1739775823.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2095195470.00007FFE120C6000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: wp-s2.exe, 00000000.00000003.1717040182.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\generic\qtuiotouchplugin.pdb source: wp-s2.exe, 00000000.00000003.1716509121.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbT source: wp-s2.exe, 00000001.00000002.2090128814.00007FFDFB0B6000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: wp-s2.exe, 00000001.00000002.2087013621.00007FFDF9A2A000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2095410985.00007FFE126EB000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: wp-s2.exe, 00000000.00000003.1738961170.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2095869665.00007FFE1330D000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: wp-s2.exe, 00000000.00000003.1740181136.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2094967647.00007FFE11EA9000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python313.pdb source: wp-s2.exe, 00000001.00000002.2091458277.00007FFDFB888000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: wp-s2.exe, 00000000.00000003.1738782073.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: wp-s2.exe, 00000000.00000003.1700785114.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbBB source: wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platformthemes\qxdgdesktopportal.pdb source: wp-s2.exe, 00000000.00000003.1719838444.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: wp-s2.exe, 00000000.00000003.1747633937.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2092647545.00007FFE00827000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: d:\agent\_work\1\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: wp-s2.exe, 00000000.00000003.1691042886.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2095651317.00007FFE130C3000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb\| source: wp-s2.exe, 00000001.00000002.2089508974.00007FFDFAB7A000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdbDD source: wp-s2.exe, 00000001.00000002.2092970035.00007FFE01395000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: wp-s2.exe, 00000001.00000002.2090128814.00007FFDFB0B6000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: wp-s2.exe, 00000000.00000003.1717803010.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qgif.pdb source: wp-s2.exe, 00000000.00000003.1716792661.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb(('GCTL source: wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: wp-s2.exe, 00000000.00000003.1717538177.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: wp-s2.exe, 00000000.00000003.1738003483.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2096082906.00007FFE1A464000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\a\1\b\libcrypto-3.pdb source: wp-s2.exe, 00000001.00000002.2089508974.00007FFDFAB7A000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: wp-s2.exe, 00000000.00000003.1716926948.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\select.pdb source: wp-s2.exe, 00000000.00000003.1747354150.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2095303412.00007FFE126C3000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: wp-s2.exe, 00000000.00000003.1739924950.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2095410985.00007FFE126EB000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: wp-s2.exe, 00000000.00000003.1740078161.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2094786013.00007FFE11BB3000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_wmi.pdb source: wp-s2.exe, 00000000.00000003.1741028108.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: wp-s2.exe, 00000001.00000002.2087602644.00007FFDFA02A000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: wp-s2.exe, 00000001.00000002.2085851674.00007FFDF9344000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\python3.pdb source: wp-s2.exe, 00000000.00000003.1744869654.000001D2961A5000.00000004.00000020.00020000.00000000.sdmp, wp-s2.exe, 00000001.00000002.2081582775.000001B81E0B0000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: wp-s2.exe, 00000000.00000003.1718025414.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtbase\lib\libEGL.pdb source: wp-s2.exe, 00000000.00000003.1704282045.000001D2961A4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\b\libssl-3.pdb source: wp-s2.exe, 00000001.00000002.2092970035.00007FFE01395000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: wp-s2.exe, 00000001.00000002.2094441421.00007FFE1150E000.00000002.00000001.01000000.00000013.sdmp

Source: C:\Users\user\Desktop\wp-s2.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6752

Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: libffi-8.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: qt5core.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: msvcp140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: libcrypto-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: libssl-3.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: qt5widgets.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: qt5gui.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wp-s2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior

Source: wp-s2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wp-s2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wp-s2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wp-s2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wp-s2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wp-s2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: wp-s2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wp-s2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wp-s2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wp-s2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wp-s2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\opengl32sw.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qico.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Qml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\sip.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\iconengines\qsvgicon.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer\md.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qoffscreen.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5WebSockets.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qjpeg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtGui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\charset_normalizer\md__mypyc.cp313-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\generic\qtuiotouchplugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\psutil\_psutil_windows.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\styles\qwindowsvistastyle.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtWidgets.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\QtCore.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qtiff.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qwebp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qwebgl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\_wmi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\MSVCP140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Widgets.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qgif.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5DBus.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\MSVCP140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\libffi-8.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5QmlModels.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Network.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Quick.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qtga.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qwindows.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qwbmp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platformthemes\qxdgdesktopportal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\libcrypto-3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qsvg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\python313.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Svg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\imageformats\qicns.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\plugins\platforms\qminimal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Gui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wp-s2.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI65242\libssl-3.dll	Jump to dropped file

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wp-s2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wp-s2.exe_2b6876b9d34de520d6e735f39948ec398686c89_c328f930_b0376b47-ba39-491c-9596-7ac4d71d83ae\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2C0.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5DE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD60D.tmp.xml

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\MSVCP140.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\MSVCP140_1.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Core.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5DBus.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Gui.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Network.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Qml.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5QmlModels.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Quick.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Svg.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5WebSockets.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\Qt5Widgets.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\VCRUNTIME140.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\VCRUNTIME140_1.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\d3dcompiler_47.dll

C:\Users\user\AppData\Local\Temp\_MEI65242\PyQt5\Qt5\bin\libEGL.dll

Windows Analysis Report
wp-s2.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre